At the end of July 2018, a team of malware researchers discovered a new variant of the AZORult malware being used in campaigns targeting systems worldwide. According to the researchers' in-depth analysis, this AZORult Trojan is capable of infecting a PC with Aurora ransomware. This post covers AZORult, its payloads and its execution flow.
AZORult: Malware Capable of Compromising a PC With Aurora Ransomware
AZORult is a particularly dangerous Trojan. After infiltrating a PC it automatically downloads and executes further malware. The new version of AZORult carries two payloads embedded in its main binary; the dropper writes them to disk and executes them.
The first AZORult payload is an information stealer that targets browsers, local accounts and other saved credentials. The second payload infects the PC with Aurora ransomware. In this campaign the actor tracked as MalActor Oktropys is also the one deploying Aurora.
In-Depth Analysis of the AZORult Dropper
The AZORult binary carries its payloads as embedded files that can be extracted simply by unarchiving it; the 7-Zip program is enough to open it. Extracting the payloads statically this way is preferable to running the dropper, and hashing each extracted file gives you something to pivot on when looking for related samples. As noted above, AZORult drops two payloads. The first payload drops an executable named AU3_EXE_2018-07-18_23-01.exe; once that file has been executed, AZORult moves on to the second payload.
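When a dropper will not open cleanly as an archive, the fallback is to carve the embedded executables out of it directly. The script below is an added example written for this post, not code from the researchers or from the AZORult sample: it walks every `MZ` occurrence in a buffer, validates the DOS/COFF/section headers behind it, computes the on-disk extent of each image from its section table, and returns the carved payloads so they can be hashed and analysed separately. The sample "dropper" it scans is constructed inline (a synthetic, non-runnable PE whose only section holds a loader stub plus two embedded synthetic PEs); it stands in for the real binary and the file `AU3_EXE_2018-07-18_23-01.exe` is not modelled. Note the caveat: payloads stored compressed in an SFX overlay will not contain a plain `MZ` header and must be unpacked with 7-Zip first, as the text describes.

```python
"""Carve PE images embedded inside a dropper binary (added example, not the sample's own code)."""
import hashlib
import struct

MZ_MAGIC = b"MZ"
PE_MAGIC = b"PE\x00\x00"
COFF_MACHINES = {0x014C, 0x8664}          # i386 and x86-64; anything else is treated as a false hit
SECTION_HEADER_SIZE = 40

# Constructed placeholder contents for the synthetic payloads (assumption: not real AZORult bytes)
STEALER_STUB = b"STEALER-PAYLOAD-PLACEHOLDER"
RANSOM_STUB = b"RANSOMWARE-PAYLOAD-PLACEHOLDER"


def pe_extent(buf: bytes, base: int):
    """Size on disk of the PE image starting at buf[base], or None if no valid PE header is there.

    Follows DOS header -> e_lfanew -> COFF header -> section table and takes the furthest
    PointerToRawData + SizeOfRawData as the end of the image. Data appended after the
    last section (an overlay) is deliberately not included.
    """
    if buf[base:base + 2] != MZ_MAGIC or base + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, base + 0x3C)[0]
    pe = base + e_lfanew
    if e_lfanew > 0x1000 or pe + 24 > len(buf) or buf[pe:pe + 4] != PE_MAGIC:
        return None
    machine, nsections = struct.unpack_from("<HH", buf, pe + 4)
    size_opt = struct.unpack_from("<H", buf, pe + 20)[0]
    if machine not in COFF_MACHINES or nsections == 0 or nsections > 96:
        return None
    sect_table = pe + 24 + size_opt
    end = sect_table + nsections * SECTION_HEADER_SIZE - base   # at least the headers
    for i in range(nsections):
        hdr = sect_table + i * SECTION_HEADER_SIZE
        if hdr + SECTION_HEADER_SIZE > len(buf):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", buf, hdr + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(buf) - base)


def carve_embedded_pes(buf: bytes):
    """Return [(offset, image_bytes)] for every PE image found in buf.

    The hit at offset 0 is the container itself, so the scan keeps walking through it to
    find payloads stored in its sections. A hit at a non-zero offset is treated as a payload
    and its body is skipped so nothing nested inside it is carved twice.
    """
    hits = []
    pos = 0
    while True:
        idx = buf.find(MZ_MAGIC, pos)
        if idx < 0:
            break
        size = pe_extent(buf, idx)
        if size is None:
            pos = idx + 1
            continue
        hits.append((idx, buf[idx:idx + size]))
        pos = idx + 2 if idx == 0 else idx + size
    return hits


def build_minimal_pe(payload: bytes, section_name: bytes = b".text") -> bytes:
    """Constructed sample: a structurally valid but non-runnable 32-bit PE with one section."""
    opt_size = 0xE0                                            # PE32 optional header size
    headers_len = 0x40 + 4 + 20 + opt_size + SECTION_HEADER_SIZE   # 352 bytes
    dos = MZ_MAGIC + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, opt_size, 0x0102)
    optional = b"\x00" * opt_size
    section = section_name.ljust(8, b"\x00") + struct.pack(
        "<IIIIIIHHI", len(payload), 0x1000, len(payload), headers_len, 0, 0, 0, 0, 0x60000020)
    return dos + PE_MAGIC + coff + optional + section + payload


def build_sample_dropper() -> bytes:
    """Constructed sample: an outer PE whose single section holds a stub plus two embedded PEs."""
    stealer = build_minimal_pe(STEALER_STUB)
    ransomware = build_minimal_pe(RANSOM_STUB)
    return build_minimal_pe(b"loader stub\x00" + stealer + b"\x00" * 16 + ransomware)


if __name__ == "__main__":
    for offset, image in carve_embedded_pes(build_sample_dropper()):
        kind = "container" if offset == 0 else "embedded"
        print(f"{kind:9} offset=0x{offset:06x} size={len(image):6d} sha256={hashlib.sha256(image).hexdigest()}")
```

On a real dropper, replace `build_sample_dropper()` with the bytes read from the file; each non-container hit is a candidate payload to write out and hash. The header sanity checks (machine type, section count, `e_lfanew` bound) are what keep random `MZ` byte pairs in code or data from being reported.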
The First Payload of AZORult: AZORult Stealer
Before looking at the stealer itself, start by listing the modules the process loads and pick out the ones of interest. AZORult collects key data about the victim's PC and later sends it to its command-and-control (C2) server. To reach the C2 it calls a WinINet connect routine (the original analysis names it InternetConnectURL; the actual WinINet exports are InternetConnect and InternetOpenUrl). Before the connection call it first calls the proxy functions: InternetInitializeAutoProxyDll refreshes WinINet's internal proxy configuration from the registry, so the stealer picks up the system proxy settings before contacting its C2, which means the C2 traffic may show up in corporate proxy logs.
AZORult also uses several Crypto API functions, but this part of the code appears incomplete: some of the major functions are never called. The routines are implemented in the binary and can still be executed, but they are not reused anywhere else.
The Second Payload of AZORult: Aurora Ransomware
Aurora ransomware is the second AZORult payload. Once it executes successfully it encrypts the user's stored data, including images, PDFs, presentations, spreadsheets and databases, and then demands a $150 payment in Bitcoin. The ransomware is geo-targeted: it connects to a geolocation web service to determine where the victim's PC is located.
It then contacts the C2 server, which runs a PHP script that generates a one-time public key used to encrypt every file on disk. The key is tied to a System ID that Aurora derives from local details of the PC. Networking is done through ws2_32.dll (Winsock). After the files have been encrypted it displays a ransom note demanding the $150 payment, a campaign managed by MalActor Oktropys. For defenders, the geolocation lookup and the C2 request carrying the System ID are the two network events worth hunting for, since both happen before the encryption begins.