AZORult Trojan Used in Targeted Attacks

October 07, 2020 · 2 min read

Last week, researchers at Zscaler ThreatLabZ released a report on a massive campaign targeting the supply chain and government sectors in the Middle East. Cybercriminals sent phishing emails pretending to come from Abu Dhabi National Oil Company (ADNOC) employees, infecting targets with the AZORult Trojan.

Campaign Targeted at Organizations in the Middle East

The adversaries saw an opportunity to use contracts terminated by ADNOC in April as a decoy, at a time when negotiations are actively underway and new contracts are being concluded.

The campaign began in July, and multiple supply chain-related organizations in the oil and gas sector received phishing emails with legitimate-looking PDF files containing links to legitimate file-sharing services that hosted malicious ZIP archives. The archive contained a dropper that downloaded and deployed the AZORult Trojan on the targeted machine.

AZORult is commercial malware that has been known for more than 4 years, so attributing this campaign to a known threat actor is hard. The Trojan has infostealer functionality and can also install additional tools and create a hidden administrator account that allows RDP connections to the infected system.

AZORult Trojan Detection

A new community threat hunting Sigma rule released by Osman Demir enables security solutions to find traces of the AZORult Trojan deployed during the targeted campaign: https://tdm.socprime.com/tdm/info/haGwuszBAOO8/szlv_XQBR-lx4sDx1j_Y/?p=1

The rule has translations for the following platforms:

SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio

EDR: Carbon Black, Elastic Endpoint

MITRE ATT&CK:

Tactics: Defense Evasion, Persistence

Techniques: Indicator Removal on Host (T1070), Registry Run Keys / Startup Folder (T1060)
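As an added example, not the Sigma rule linked above and not code from SOC Prime or Zscaler, the following Python correlates constructed Windows Security and Sysmon events for the behaviours the post attributes to AZORult: a newly created local account that is hidden from the logon screen and given RDP access, plus Run-key persistence (T1060). The event IDs (Security 4720/4732, Sysmon 13), field names and sample records are this example's own assumptions about what the telemetry looks like; the hiding mechanism (the Winlogon SpecialAccounts\UserList key) is a common way to hide an account and is assumed here, since the report excerpt does not say how AZORult does it.

```python
"""Correlate constructed Windows event records for the AZORult behaviours the
post describes: hidden admin account with RDP access and Run-key persistence.
Added example; event IDs, field names and registry paths are assumptions about
Security / Sysmon telemetry, not the linked Sigma rule's logic."""
from collections import defaultdict

# Registry locations compared case-insensitively (Windows paths are). Assumed.
HIDE_ACCOUNT_KEY = "\\winlogon\\specialaccounts\\userlist\\"      # value name = account, data 0 hides it
RDP_DENY_VALUE = "\\control\\terminal server\\fdenytsconnections"  # data 0 enables RDP
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")  # T1060

# Constructed sample telemetry: Security 4720 (user created), 4732 (added to a
# local group) and Sysmon 13 (registry value set). ws01 shows the full chain,
# ws02 shows ordinary admin activity that should not be flagged.
SAMPLE_EVENTS = [
    {"id": 4720, "host": "ws01", "target_user": "support$"},
    {"id": 4732, "host": "ws01", "target_user": "support$", "group": "Administrators"},
    {"id": 13, "host": "ws01", "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "target_object": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\support$",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "host": "ws01", "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "target_object": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "details": "DWORD (0x00000000)"},
    {"id": 13, "host": "ws01", "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WindowsUpdateSvc",
     "details": r"C:\Users\bob\AppData\Local\Temp\upd.exe"},
    {"id": 4720, "host": "ws02", "target_user": "jsmith"},
    {"id": 13, "host": "ws02", "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\jsmith\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]


def detect(events):
    """Return {host: [finding, ...]} for hosts showing the described behaviours."""
    per_host = defaultdict(lambda: {"created": set(), "admins": set(), "hidden": set(),
                                    "rdp_enabled": False, "run": []})
    for ev in events:
        st = per_host[ev["host"]]
        if ev["id"] == 4720:
            st["created"].add(ev["target_user"].lower())
        elif ev["id"] == 4732 and ev.get("group", "").lower() == "administrators":
            st["admins"].add(ev["target_user"].lower())
        elif ev["id"] == 13:
            obj = ev["target_object"].lower()
            data = ev.get("details", "").lower()
            if HIDE_ACCOUNT_KEY in obj and data.endswith("(0x00000000)"):
                # The value name under UserList is the account being hidden.
                st["hidden"].add(obj.split(HIDE_ACCOUNT_KEY, 1)[1])
            elif obj.endswith(RDP_DENY_VALUE) and data.endswith("(0x00000000)"):
                st["rdp_enabled"] = True
            elif any(k in obj for k in RUN_KEYS) and "\\temp\\" in data:
                # Coarse heuristic: autoruns pointing into a Temp directory.
                st["run"].append(obj.rsplit("\\", 1)[-1])

    findings = {}
    for host, st in per_host.items():
        hits = []
        for user in sorted(st["created"] & st["hidden"]):
            role = "admin " if user in st["admins"] else ""
            hits.append(f"hidden {role}account created: {user}")
        if st["rdp_enabled"] and st["hidden"]:
            hits.append("rdp enabled while a hidden account exists")
        for name in st["run"]:
            hits.append(f"T1060 run-key persistence from temp directory: {name}")
        if hits:
            findings[host] = hits
    return findings


if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(hits))
```

The correlation is deliberately per host and stateful: a single Run-key write or a single account creation is routine, while the combination of a freshly created account being hidden and RDP being switched on by the same host is what distinguishes the described chain from normal administration, which is why ws02 produces no finding.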

Find more detection content to uncover AZORult malware and related droppers at Threat Detection Marketplace.

Ready to try out SOC Prime TDM? Sign up for free. Or join the Threat Bounty Program to craft your own content and share it with the TDM community.
