
The Emergence of the New Azorult 3.3

During the last week, Check Point Research spotted a new version of Azorult in the wild being delivered through the RIG exploit kit, as well as other sources. Azorult is a long known information stealer and malware downloader, with this particular version being advertised in an underground forum since October 4. The version number given to it by its authors is 3.3.


There are quite a few changes in this newly witnessed variant, the most prominent ones being a new encryption method for the embedded C&C domain string, a new connection method to the C&C, and improvements to the cryptocurrency wallet stealer and the loader.


The timing of this update to the malware is not surprising, mainly in light of major leaks of the previous versions 3.1 and 3.2, in which panel source code and binary builders were released for the public to use for free. Check Point shared those leaks with the research community for further investigation last month. Moreover, we have witnessed and written about another project related to Azorult, dubbed ‘Gazorp’ – a dark web binary builder that allows anyone to craft the malware’s binaries for free. Having this in mind, it is plausible that Azorult’s author would like to introduce new features to the malware and keep it worthy as a product in the underground market.


The Forum Advertisement


On October 4, the following update to Azorult was advertised on the exploit.in underground forum by the user CrydBrox. The updated version number 3.3 is shown below.




Figure 1: Advertisement of Azorult v3.3


The advertisement above states the following improvements and features:



  • [+] Added support for stealing the following wallet credentials: BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, Exodus Eden

  • [+] Cryptocurrency wallet’s stealer component has been improved.

  • [+] The loader component was fixed and improved, allowing bat files to be loaded and executed with no errors.

  • [+] Lowered AV detection rate, increased successful installation rate.

  • [+] Slight improvement in the admin panel’s performance.


Comparison to previous versions



  • In version 3.2, the C&C domain name was xored with a hardcoded key and then encoded with base64. The current version 3.3 shows a new encryption method to obfuscate the domain name. The script for decrypting the domain string can be found in the Appendix below.

  • Every version of Azorult has a unique xor key for its connection method to the C&C. In version 3.3 the connection key is: [0x3, 0x55, 0xae]. Moreover, every version’s connection message contains a prefix (‘getcfg=’ in version 3.1 and ‘G’ in version 3.2) prepended to the id hash before xoring with the connection key. The prefix in version 3.3 is the connection key itself, so the connection message sent to the C&C starts with three null bytes.




Figure 2: adding the connection key as a prefix.



  • Azorult’s C&C server response is divided into three parts separated by tags:

<c></c> – the configuration part, encoded with base64.

<n></n> – DLLs that Azorult copies to a new directory it creates under the %TEMP% folder. The name of the new directory is unique for every version of Azorult (‘1M0’ in version 3.1 and ‘2fda’ in version 3.2). In the new version, the name of the directory is generated from the id hash of the victim’s computer. Therefore, the name of the directory will be different for every victim.

The algorithm for generating the directory name is as follows:

Id_hash = hash_func(guid)-hash_func(product_name)-hash_func(user_name)-hash_func(computer_name)-hash_func(guid+product_name+user_name+computer_name)

Directory_name = hash_func(hash_func(Id_hash))

The particular implementation of the hash_func method is outlined in a script, which appears in the Appendix below.

<d></d> – names of application paths that Azorult harvests information from. In version 3.3, the following application names are added:

%appdata%\ElectrumG\wallets

ElectrumG

%appdata%\Electrum-btcp\wallets

Electrum-btcp

BitcoinGold\BitcoinGold-Qt

BitCore\BitCore-Qt

BitcoinABC\BitcoinABC-Qt

%APPDATA%\Exodus Eden
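As an added example (not code from the Check Point post), the Python below re-implements the Appendix hash_func, carries the Id_hash and Directory_name derivation above through on constructed host values, and reproduces the v3.3 connection message layout from the comparison section so that a defender-side check for the three leading null bytes can be tested. The function names id_hash, temp_dir_name, connection_message and looks_like_v33_beacon are illustrative, and the wire form of the id hash (the 44-character ASCII string with dashes) is an assumption.

```python
# Added example, not code from the Check Point post: re-implements the Appendix
# hash_func, walks the Id_hash / Directory_name derivation, and reproduces the
# v3.3 connection message layout so a defender-side check can be exercised.
XOR_KEY = 0x6521458A                        # hash_func key from the Appendix
CONNECTION_KEY = bytes([0x03, 0x55, 0xAE])  # v3.3 connection key from the post
ID_HASH_LEN = 5 * 8 + 4                     # assumption: five 8-hex-digit parts joined by '-'


def hash_func(value: str) -> str:
    """Appendix hash: h += byte ^ key; h -= rotl32(h, 13); 8 upper-case hex digits."""
    h = 0
    for byte in value.encode("ascii"):      # assumption: host strings are ASCII
        h = (h + (byte ^ XOR_KEY)) & 0xFFFFFFFF
        rotl13 = ((h << 13) | (h >> 19)) & 0xFFFFFFFF
        h = (h - rotl13) & 0xFFFFFFFF
    return "%08X" % h


def id_hash(guid: str, product_name: str, user_name: str, computer_name: str) -> str:
    """Id_hash = hash(guid)-hash(product)-hash(user)-hash(computer)-hash(all four)."""
    parts = [guid, product_name, user_name, computer_name,
             guid + product_name + user_name + computer_name]
    return "-".join(hash_func(p) for p in parts)


def temp_dir_name(id_hash_value: str) -> str:
    """Directory_name = hash_func(hash_func(Id_hash)): the per-victim %TEMP% folder."""
    return hash_func(hash_func(id_hash_value))


def xor_with_key(data: bytes, key: bytes = CONNECTION_KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def connection_message(id_hash_value: str) -> bytes:
    """v3.3 uses the key itself as the prefix, so the first three bytes xor to zero."""
    return xor_with_key(CONNECTION_KEY + id_hash_value.encode("ascii"))


def looks_like_v33_beacon(payload: bytes) -> bool:
    """Detection check: three leading nulls, then a 5-part hex id hash once decoded."""
    if len(payload) < 3 + ID_HASH_LEN or payload[:3] != b"\x00\x00\x00":
        return False
    fields = xor_with_key(payload)[3:3 + ID_HASH_LEN].decode("ascii", "replace").split("-")
    return len(fields) == 5 and all(len(f) == 8 and set(f) <= set("0123456789ABCDEF") for f in fields)


if __name__ == "__main__":  # constructed sample host values, not real victim data
    sample = id_hash("{00000000-0000-0000-0000-000000000000}", "Windows 10 Pro", "user", "DESKTOP-1")
    print(sample, temp_dir_name(sample), connection_message(sample)[:3] == b"\x00\x00\x00")
```

Given the four host values collected from a suspected victim, temp_dir_name predicts the %TEMP% subfolder to look for during incident response.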


The authors of Azorult fixed a bug in the loader functionality that didn’t allow the malware to load bat files and execute them successfully. The bug was caused by wrongly comparing the extension of the loaded file, which caused all files to be launched with the CreateProcessW API as executables instead of with ShellExecuteExW. In the new version, the authors fixed the comparison method to avoid this bug.




Figure 3: loader extension comparison in versions 3.2 and 3.3. The former introduces a bug.


Appendix



  • C&C domain name decryption Python code:

def decrypt_domain_method_v3_3(encrypted_domain):
    """Decrypt the embedded C&C domain string of Azorult v3.3.

    encrypted_domain is a bytes object (or a list of ints). Each plaintext
    character is encoded as a run of marker bytes whose weights add up to
    the character code; key_buffer[16] closes a character and a zero byte
    ends the string. Bytes that are not in the table are ignored.
    """
    key_buffer = [0x1e, 0x15, 0x34, 0x49, 0x5e, 0x37, 0x24, 0x2f, 0x58,
                  0x27, 0x6e, 0xd3, 0xd4, 0x71, 0xd6, 0x73, 0xd8]
    # value added to the running total for key_buffer[0] .. key_buffer[15]
    weights = [0x64, 0x5a, 0x50, 0x46, 0x3c, 0x32, 0x28, 0x1e,
               0x14, 0x0a, 0x8, 0x6, 0x5, 0x4, 0x2, 0x1]
    weight_of = dict(zip(key_buffer[:16], weights))
    end_of_char = key_buffer[16]
    decrypted_domain_array = []
    total = 0
    for cur_byte in encrypted_domain:
        if cur_byte == 0:
            break
        if cur_byte == end_of_char:
            decrypted_domain_array.append(chr(total))
            total = 0
        else:
            total += weight_of.get(cur_byte, 0)
    decrypted_domain = ''.join(decrypted_domain_array)
    return decrypted_domain


  • hash_func method for calculating the generated directory name:

def hash_func(value):
    """Custom rolling hash used by Azorult v3.3 for the victim id hash and
    the %TEMP% directory name; returns 8 upper-case hex characters."""
    xor_key = 0x6521458a
    hash_output = 0
    for index in range(len(value)):
        cur_byte = ord(value[index])
        xor_value = cur_byte ^ xor_key
        hash_output = (hash_output + xor_value) % (2**32)
        # rotate the 32-bit state left by 13 and subtract it from the state
        right_value = (hash_output << 0xd) % (2**32)
        left_value = (hash_output >> 0x13) % (2**32)
        diff_value = (right_value | left_value) % (2**32)
        hash_output = (hash_output - diff_value) % (2**32)
    # '%x' avoids the Python 2 'L' suffix the original stripped with [2:-1]
    hash_string = '%x' % hash_output
    if len(hash_string) < 8:
        diff = 8 - len(hash_string)
        output_string = ('0' * diff) + hash_string
    else:
        output_string = hash_string
    output_string = output_string.upper()
    return output_string

IOCs


MD5:



  • 11147fd9ac12eec66d35b4d483aae71f

  • d893d8347ecad1a3d85064d2f5bded4f

  • a8d3e403995132f9af33e4557be301a0


C&C:



TE signature: InfoStealer.Win.AZORult.C


Research by: Israel Gubi

