Deep analysis of AZORult – The information exfiltrator
Credit to Author: Preksha Saxena| Date: Tue, 16 Oct 2018 10:35:50 +0000
Estimated reading time: 5 minutesWhile the current focus in the cyberspace is on Ransomware and Cryptominers there are other prevalent threat actors silently making their way into victim’s machine in order to comprise it for malicious purpose. During the daily threat hunting task,Quick Heal Security labs came across a blocked URL by Quick Heal’s URL categorization cloud feature. Further analysis of the URL led us to a new variant of the “AZORult” infostealer malware. This malware harvests and exfiltrates data from the victim’s machine to the CnC server. In this post, we will dissect this malware and share interesting details about it. Below attack chain depicts the execution sequence observed for this malware. Fig 1. Attack Chain At the time of analysis, the initial attack vector was unknown but the attack chain was traced from malicious URL. Quick Heal Security labs suspected the initial attack vector to be Phishing email. URL: cw57146.tmweb.ru/upload/neut[.]exe During static analysis, sample seems to have a lot of the Flare in it. The ‘neut.exe’ file is PE32 executable for MS Windows and compiled as P-code file of Microsoft Visual Basic. It has various encrypted strings and contains large resource data of high entropy. Fig 2: Huge resource in CFF explorer Decompiled File has a function to disable DEP for the current process, it attempts to modify Explorer settings to prevent hidden files from being displayed and also loads huge resource in the memory. Fig 3: Decompiled File shows DEP policy and resource loading While traversing some more functions in the decompiled file. An obfuscated code was found which is passed to a function which de-obfuscates the data and forms a valid string. Fig. 4 Obfuscated Bytes After converting these hex values to ASCII, Code looks like it is base64 encoded. So after decoding it using base64 algorithm following strings are found. C:ProgramDataworm.exe Hxxp://cw57146.tmweb.ru/upload/neut[.]exe Next function traversed has XOR algorithm along with some more operation which is applied on whole resource data. Decryption routine is shown through below snippet. Fig 5. Xor algorithm used to decrypt resource code After implementing this logic on the resource code, one PE file is found. Decrypted PE file is Delphi windows file and we are going forward to analyze this file. Statically checking file various base64 encode strings are found which are shown in the below image. Fig 6. Base64 encoded strings Decoding above strings using base64 algorithm, below result is found. These strings are used to collect system info like “DisplayName” in ”Uninstall” registry key is used to identify all the installed software in the system. “CreateToolhelp32Snapshot” is used to list out all the running processes. SoftwareMicrosoftWindowsCurrentVersionUninstall DisplayName DisplayVersion HARDWAREDESCRIPTIONSystemCentralProcessor CreateToolhelp32Snapshot Some unencrypted strings are also there. Below snapshot has some of those strings: Fig 7. Strings found in Resource File Now further analysis will give understanding of where and how these strings are used. So after debugging the file in IDA. Malware collects machine information such as “MachineGuid”, “ProductName”, “UserName”, “ComputerName” and XOR it with DWORD then concat it and finally creates mutex of this name for the particular system. After that malware tries to send data to the C&C server using a POST request. This is how that request is constructed: Fig 8. Call to HttpSendRequestA The CnC server responded with the huge amount of data which seems to be encrypted. Fig 9. Response from CnC Server After more debugging the file, malware read data send by CnC server in memory by using “InternetReadFile” api & then decrypted it using XOR algorithm with a 3 byte key. Some data at the end of the response buffer has base64 encoded strings. Fig 10. Encrypted data received from CnC Server Base64 encoded string that depicts the information that the malware tries to steal from victim machine like (Username, password, installed software, browser information etc). Fig 11. Decrypted Response string After decrypting the other buffer which is encrypted with Xor operation, we came to know that it has lots of dlls (~48) that are dumped in the directory: %Temp%2fda” and it also contains some strings. Some dlls are related to browser plugin. Malware loads these dlls in memory and exact browser & other information. Malware is able to steal accounts information, browsing & cookies details and also retrieves the public ip address of the infected machine by calling to “hxxp://ip-api.com/json”. It is also able to list out all the installed software in the system, list all running processes by calling CreateToolhelp32Snapshot, Process32first, Process32next functions. It also collects information about the different…
http://blogs.quickheal.com/feed/