Last week, researchers at Zscaler ThreatLabZ released a report on a large campaign targeting supply chain and government organizations in the Middle East. The attackers sent phishing emails purporting to come from Abu Dhabi National Oil Company (ADNOC) employees and infected their targets with the AZORult Trojan.
The adversaries used the contracts ADNOC terminated in April as a decoy, timing the campaign while negotiations were actively under way and new contracts were being concluded.
The campaign began in July: multiple supply chain organizations in the oil and gas sector received phishing emails carrying legitimate-looking PDF files. The PDFs contained links to legitimate file-sharing services that hosted malicious ZIP archives, and each archive contained a dropper that downloads and deploys the AZORult Trojan on the targeted machine. Because both the lure document and the hosting service are benign on their own, the infection chain leaves little for mail or URL filtering to block, which is why detection has to happen on the endpoint.
AZORult is commercially available malware that has been in circulation for more than four years, so attributing this campaign to a known threat actor is difficult. The Trojan is primarily an information stealer, but it can also install additional tools and create a hidden administrator account that allows RDP connections to the infected system.
A new community threat hunting Sigma rule released by Osman Demir helps security solutions find traces of the AZORult Trojan deployed during this targeted campaign: https://tdm.socprime.com/tdm/info/haGwuszBAOO8/szlv_XQBR-lx4sDx1j_Y/?p=1
The rule has translations for the following platforms:
SIEM: Azure Sentinel, ArcSight, QRadar, Splunk, Graylog, Sumo Logic, ELK Stack, RSA NetWitness, LogPoint, Humio
EDR: Carbon Black, Elastic Endpoint
Tactics: Defense Evasion, Persistence
Techniques: Indicator Removal on Host (T1070), Registry Run Keys / Startup Folder (T1060). Note that T1060 has since been retired; from ATT&CK v7 onward the same behaviour is tracked as sub-technique T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder), so map the rule accordingly if your SIEM uses the current matrix.
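To show what hunting for the two mapped techniques looks like in practice, here is an added example (not code from the post or from Osman Demir's rule, whose logic is only available on Threat Detection Marketplace) that evaluates Sigma-style selection/filter rules over constructed Windows events. The rule bodies, field names (Sysmon-style EventID 13 registry events and EventID 1 process creation) and the sample events are all illustrative assumptions: Run-key persistence from a user-writable path, event log clearing with wevtutil, plus the account creation and SpecialAccounts\UserList hiding associated with the hidden RDP account described above.

```python
"""Toy Sigma-style matcher run over constructed Windows events.

Illustrative only: rule bodies and events are assumptions for this example,
not the contents of the AZORult community rule on Threat Detection Marketplace.
"""

# Constructed sample events in a flattened Sysmon-like shape (assumed field names).
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": "C:\\Users\\user\\AppData\\Roaming\\svc.exe",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "Details": "C:\\Users\\user\\AppData\\Roaming\\svc.exe"},          # suspicious Run key
    {"EventID": 13, "Image": "C:\\Program Files\\Vendor\\setup.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor",
     "Details": "C:\\Program Files\\Vendor\\agent.exe"},                # benign installer Run key
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil cl Security"},                            # log clearing (T1070)
    {"EventID": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user backup P@ssw0rd /add"},                   # new local account
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
                     "\\SpecialAccounts\\UserList\\backup",
     "Details": "DWORD (0x00000000)"},                                   # hide account from logon UI
    {"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe",
     "CommandLine": "wevtutil qe Security /c:5"},                       # benign query, must not match
]

# Sigma-like rules: "field|modifier": [values] inside a selection; values are OR-ed,
# fields are AND-ed; an optional filter is applied as "selection and not filter".
RULES = [
    {"title": "Run key persistence from a user-writable path",  # T1060 / T1547.001
     "selection": {"EventID": 13, "TargetObject|contains": ["\\CurrentVersion\\Run\\"]},
     "filter": {"Details|startswith": ["C:\\Program Files", "C:\\Windows\\"]}},
    {"title": "Event log cleared with wevtutil",  # T1070
     "selection": {"EventID": 1, "Image|endswith": ["\\wevtutil.exe"],
                   "CommandLine|contains": [" cl "]}},
    {"title": "Local account created via net user",
     "selection": {"EventID": 1, "Image|endswith": ["\\net.exe", "\\net1.exe"],
                   "CommandLine|contains": [" /add"]}},
    {"title": "Account hidden via Winlogon SpecialAccounts\\UserList",
     "selection": {"EventID": 13,
                   "TargetObject|contains": ["\\Winlogon\\SpecialAccounts\\UserList\\"]}},
]


def _field_matches(value, modifier, patterns):
    """Case-insensitive match of one event field against OR-ed patterns."""
    if value is None:
        return False
    v = str(value).lower()
    for p in patterns:
        p = str(p).lower()
        if modifier == "contains" and p in v:
            return True
        if modifier == "endswith" and v.endswith(p):
            return True
        if modifier == "startswith" and v.startswith(p):
            return True
        if modifier is None and v == p:
            return True
    return False


def _selection_matches(event, selection):
    """All fields of a selection must match (AND); each field's values are OR-ed."""
    for key, patterns in selection.items():
        field, _, modifier = key.partition("|")
        if not isinstance(patterns, list):
            patterns = [patterns]
        if not _field_matches(event.get(field), modifier or None, patterns):
            return False
    return True


def evaluate(rule, event):
    """Sigma condition 'selection and not filter' for a single event."""
    selected = _selection_matches(event, rule["selection"])
    filtered = _selection_matches(event, rule["filter"]) if "filter" in rule else False
    return selected and not filtered


def run_rules(events=SAMPLE_EVENTS, rules=RULES):
    """Return (event index, rule title) for every rule that fires."""
    return [(i, r["title"]) for i, e in enumerate(events) for r in rules if evaluate(r, e)]


if __name__ == "__main__":
    for idx, title in run_rules():
        print(f"event {idx}: {title}")
```

The filter on the Run-key rule is the part worth tuning: excluding autostart entries that point into Program Files or Windows keeps installer noise out, while an AZORult-style entry pointing into AppData still fires. Real Sigma backends add wildcard handling, `all` modifiers and aggregation, but the selection/filter/condition shape is the same one the converted rule takes in each SIEM listed above.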
Find more detection content to uncover AZORult malware and related droppers at Threat Detection Marketplace.