<b>❔ Deep analysis of AZORult – The information exfiltrator ❔</b>
While the current focus in cyberspace is on ransomware and cryptominers, other prevalent threats are silently making their way onto victims' machines in order to compromise them for malicious purposes. During daily threat hunting, Quick Heal Security Labs came across a URL blocked by Quick Heal's URL categorization cloud feature. Further analysis of the URL led us to a new variant of the "AZORult" infostealer. This malware harvests data from the victim's machine and exfiltrates it to the CnC server. In this post we dissect the malware and share interesting details about it. The attack chain below depicts the execution sequence observed for this malware.

Fig 1. Attack Chain

At the time of analysis the initial attack vector was unknown, but the attack chain was traced from the malicious URL. Quick Heal Security Labs suspected the initial attack vector to be a phishing email.

URL: cw57146.tmweb.ru/upload/neut[.]exe

During static analysis the sample showed several signs of obfuscation. The 'neut.exe' file is a PE32 executable for MS Windows, compiled as a Microsoft Visual Basic P-code file. It has various encrypted strings and contains a large resource of high entropy.

Fig 2: Huge resource in CFF Explorer

The decompiled file has a function that disables DEP for the current process; it attempts to modify Explorer settings to prevent hidden files from being displayed, and it loads the huge resource into memory.

Fig 3: Decompiled file shows DEP policy and resource loading

Traversing further functions in the decompiled file, an obfuscated blob was found that is passed to a function which de-obfuscates the data and forms a valid string.

Fig. 4 Obfuscated Bytes

After converting these hex values to ASCII, the result looks base64 encoded. Decoding it with base64 yields the following strings:

C:\ProgramData\worm.exe
hxxp://cw57146.tmweb.ru/upload/neut[.]exe

The next function traversed applies an XOR algorithm, along with some further operations, to the whole resource data. The decryption routine is shown in the snippet below.

Fig 5. XOR algorithm used to decrypt resource code

Applying this logic to the resource data yields a PE file. The decrypted PE is a Delphi Windows executable, and the rest of the analysis concerns this file. Checking the file statically, various base64-encoded strings are found; they are shown in the image below.

Fig 6. Base64 encoded strings

Decoding these strings with base64 gives the result below. They are used to collect system information: the "Uninstall" registry key, read through its "DisplayName" and "DisplayVersion" values, identifies all software installed on the system; the "CentralProcessor\0" key holds the processor details; and "CreateToolhelp32Snapshot" is used to list all running processes.

Software\Microsoft\Windows\CurrentVersion\Uninstall\DisplayName
Software\Microsoft\Windows\CurrentVersion\Uninstall\DisplayVersion
HARDWARE\DESCRIPTION\System\CentralProcessor\0
CreateToolhelp32Snapshot

Some unencrypted strings are also present; the snapshot below shows some of them.

Fig 7. Strings found in Resource File

Further analysis shows where and how these strings are used. Debugging the file in IDA, the malware collects machine information such as "MachineGuid", "ProductName", "UserName" and "ComputerName", XORs each value with a DWORD, concatenates the results and finally creates a mutex of that name, unique to the particular system. After that the malware tries to send data to the C&C server using a POST request. This is how that request is constructed:

Fig 8. Call to HttpSendRequestA

The CnC server responded with a large amount of data that appears to be encrypted.

Fig 9. Response from CnC Server

After more debugging, the malware reads the data sent by the CnC server into memory using the "InternetReadFile" API and then decrypts it using an XOR algorithm with a 3-byte key.

Some data at the end of the response buffer has base64…
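The write-up shows its decoding routines only in figures: the hex-to-ASCII-to-base64 chain of Fig. 4, the XOR-based resource decryption of Fig. 5, and the 3-byte XOR key applied to the CnC response. The helpers below are an added example, not Quick Heal's code and not the malware's own routine. They assume plain repeating-key XOR as a stand-in for the "XOR plus some further operations" of Fig. 5, and they go one step beyond the post by recovering an unknown repeating XOR key from an encrypted PE using the fact that a PE is mostly 0x00 bytes. The obfuscated hex constant, the sample PE and the key value are constructed for the example; none of them come from the sample.

```python
"""Added example (not from the Quick Heal write-up): the decoding steps the
analysis describes, re-implemented as reusable helpers.

Assumptions, since the page shows the real routines only in figures:
  * the Fig. 4 blob is hex -> ASCII -> base64 (as the text states);
  * the resource and the C2 response use plain repeating-key XOR, a stand-in
    for the XOR "plus some more operations" routine of Fig. 5;
  * the sample PE below is constructed, not the malware's payload.
"""
import base64
import binascii
import math
import struct
from collections import Counter

# Constructed: hex of the base64 of "C:\ProgramData\worm.exe" (the first
# string the post recovered), standing in for the Fig. 4 bytes.
OBFUSCATED_HEX = (
    "517a706355484a765a334a686255526864474663"
    "643239796253356c6547553d"
)


def decode_hex_base64(hex_text: str) -> str:
    """Hex -> ASCII -> base64, the de-obfuscation chain described for Fig. 4."""
    ascii_b64 = binascii.unhexlify(hex_text.replace(" ", "")).decode("ascii")
    return base64.b64decode(ascii_b64).decode("utf-8")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte (0..8); packed or encrypted resources sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; its own inverse, so it both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_xor_key(cipher: bytes, key_len: int) -> bytes:
    """Null-byte heuristic: a PE is mostly 0x00, so in each key position the
    most frequent ciphertext byte is (0x00 ^ key byte) == the key byte."""
    key = bytearray()
    for i in range(key_len):
        column = cipher[i::key_len]
        most_common_byte, _ = Counter(column).most_common(1)[0]
        key.append(most_common_byte)
    return bytes(key)


def looks_like_pe(data: bytes) -> bool:
    """'MZ' at offset 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_pe(blob: bytes, max_key_len: int = 8):
    """Try key lengths 1..max_key_len; return (key, plaintext) for the first
    one whose recovered key yields a valid PE header, else None."""
    for key_len in range(1, max_key_len + 1):
        key = recover_xor_key(blob, key_len)
        plain = xor_repeating(blob, key)
        if looks_like_pe(plain):
            return key, plain
    return None


def build_sample_pe(size: int = 0x400) -> bytes:
    """Constructed stand-in for a dropped PE: MZ header, e_lfanew -> 'PE\\0\\0',
    a little non-zero filler, the rest zero. Not a real executable."""
    pe = bytearray(size)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)
    pe[0x80:0x84] = b"PE\x00\x00"
    pe[0x100:0x110] = bytes(range(0x41, 0x51))
    return bytes(pe)


# Constructed "resource": the sample PE under a 3-byte key, the key length the
# post reports for the C2 response. The key value is an arbitrary example.
SAMPLE_KEY = b"\x37\xa1\x5c"
ENCRYPTED_RESOURCE = xor_repeating(build_sample_pe(), SAMPLE_KEY)


if __name__ == "__main__":
    print("decoded string:", decode_hex_base64(OBFUSCATED_HEX))
    print("resource entropy: %.2f bits/byte" % shannon_entropy(ENCRYPTED_RESOURCE))
    found = find_embedded_pe(ENCRYPTED_RESOURCE)
    if found:
        key, plain = found
        print("recovered key:", key.hex(), "PE header ok:", looks_like_pe(plain))
```

The null-byte heuristic only needs the plaintext to have one dominant byte value per key position, which holds for almost any PE but not for short or already-compressed data; for a buffer like the CnC response, where the content is unknown, the same `recover_xor_key` logic works with a different known-plaintext anchor (for instance the base64 alphabet the post sees at the end of the buffer), and `looks_like_pe` should be swapped for a check that fits that content.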
⚠ Google using lock screen passwords to encrypt Android Cloud backups ⚠
If, that is, your phone has updated to the Android 9 operating system, otherwise known as Pie. If so, say hi to the Titan chip!
via "Naked Security".
🕴 6 Reasons Why Employees Violate Security Policies 🕴
Get into their heads to find out why they're flouting your corporate cybersecurity rules.
via "Dark Reading".
⚠ How Chrome and Firefox could ruin your online business this month ⚠
Last year, Symantec sold off its web certificate business. The new owners are reissuing certs for free - but there's a deadline looming!
via "Naked Security".
⚠ US embassy accidentally emails invitation to ‘cat pyjama-jam’ meeting ⚠
Canberra’s US embassy accidentally exposed details of one of its more enticing get-togethers last week, featuring a cat in a Cookie Monster outfit.
via "Naked Security".
🔐 Forecasting credential stuffing threats 🔐
From password vaults to two-factor authentication, Andy Ellis of Akamai explains defensive tactics against password stuffing.
via "Security on TechRepublic".
🕴 Spies Among Us: Tracking, IoT & the Truly Inside Threat 🕴
In today's ultra-connected world, it's important for users to understand how to safeguard security while browsing the web and using electronic devices.
via "Dark Reading".
❌ Privacy Regulation Could Be a Test for States’ Rights ❌
As more states take cybersecurity and privacy issues into their own hands, experts worry that big tech will push for preemption.
via "The first stop for security news | Threatpost".
❌ Facebook Expands Efforts to Squash Voter Suppression ❌
The social network will crack down on those spreading disinformation in an effort to keep people away from the polls.
via "The first stop for security news | Threatpost".
❌ ThreatList: Half of Execs Feel Unprepared to Respond to a Cyber-Incident ❌
Deloitte estimates cybercrime costs to reach $6 trillion annually -- but companies still lag in preparedness.
via "The first stop for security news | Threatpost".
🔐 How to train your employees to avoid online scams: 5 tips 🔐
According to Microsoft, online scammers are still tricking people with tech support scams, but there are ways to stay safe.
via "Security on TechRepublic".
🕴 Rapid7 Acquires tCell 🕴
The purchase brings together a cloud security platform with a web application firewall.
via "Dark Reading".
❌ In County Crippled by Hurricane, Water Utility Targeted in Ransomware Attack ❌
The Emotet Trojan is behind a crippling ransomware attack that hit the Onslow Water and Sewer Authority.
via "The first stop for security news | Threatpost".
🔐 Why are passwords terrible? 🔐
Microsoft's Diana Kelley explains all that's wrong with our passwords.
via "Security on TechRepublic".
🕴 A Cybersecurity Weak Link: Linux and IoT 🕴
Linux powers many of the IoT devices on which we've come to rely -- something that enterprises must address.
via "Dark Reading".
❌ Anthem, Apple and the Pentagon: A Data-Breach Cornucopia ❌
A record fine and two new compromises kick off the autumn compromise season.
via "The first stop for security news | Threatpost".
🔐 How consumers can defend against credential stuffing 🔐
What should consumers be aware of, and what are some steps they could use to identify credential stuffing threats? Akamai's Andy Ellis offers tips to CNET's Dan Patterson.
via "Security on TechRepublic".