August 18th, 2018 By Vishal Thakur
Towards the end of July 2018, we saw a new version of the AZORult trojan being used in malware campaigns targeting computers globally. In this article, we will dive into the malware and analyze its execution flow and payloads.
The initial infection vector is a phishing email that comes with a downloader malware attached. On execution, it downloads and executes the main malware.
This version of the malware comes with two payloads. Both are embedded in the main binary and are simply dropped onto disk and executed. The first payload to run is an information stealer that targets local accounts, browsers, saved credentials, etc. (this is the AZORult part). The second payload is the Aurora ransomware.
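Because both payloads are said to be embedded in the main binary and dropped to disk in plain form, an analyst's first step is usually to locate and carve those embedded images. The Python script below is an added example, not code from this article and not the malware's own code: it scans a container for `MZ` headers whose `e_lfanew` points at a valid `PE\0\0` signature, estimates each image's on-disk size from its section table, and carves it. The `sample_container()` fixture is constructed inline as a stand-in for the dropper (its own PE followed by two embedded PEs and a stray `MZ` that is not a header), so it runs without any real sample; how AZORult actually stores its payloads (plain, compressed or encoded) is an assumption here, since the article does not say.

```python
import struct
import sys
from dataclasses import dataclass

# Added example: carve PE images embedded in a container binary.
# Layout rules follow the standard PE/COFF format; the test fixture is constructed.

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64"}


@dataclass
class EmbeddedPE:
    offset: int        # where the embedded 'MZ' header starts in the container
    machine: int       # IMAGE_FILE_HEADER.Machine
    num_sections: int
    size: int          # on-disk size estimated from the section table


def _parse_pe_at(data: bytes, base: int):
    """Validate a candidate PE at `base`; return EmbeddedPE or None."""
    if data[base:base + 2] != b"MZ" or base + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    pe = base + e_lfanew
    # e_lfanew must clear the 64-byte DOS header and land on a 'PE\0\0' signature
    if e_lfanew < 0x40 or pe + 24 > len(data) or data[pe:pe + 4] != b"PE\x00\x00":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    sec_tbl = pe + 24 + opt_size                    # section table follows the optional header
    if nsec == 0 or nsec > 96 or sec_tbl + nsec * 40 > len(data):
        return None
    end = sec_tbl + nsec * 40 - base                # size relative to the embedded image start
    for i in range(nsec):
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + i * 40 + 16)
        if raw_size:
            end = max(end, raw_ptr + raw_size)
    if base + end > len(data):
        return None                                 # section table claims bytes the container lacks
    return EmbeddedPE(base, machine, nsec, end)


def find_embedded_pes(data: bytes) -> list:
    """Return every validated PE image found after offset 0 (the container's own header)."""
    found = []
    pos = data.find(b"MZ", 1)
    while pos != -1:
        pe = _parse_pe_at(data, pos)
        if pe is not None:
            found.append(pe)
            pos = data.find(b"MZ", pos + pe.size)   # skip past the carved image
        else:
            pos = data.find(b"MZ", pos + 1)
    return found


def carve(data: bytes, pe: EmbeddedPE) -> bytes:
    return data[pe.offset:pe.offset + pe.size]


def build_fake_pe(marker: bytes, machine: int = 0x14C) -> bytes:
    """Constructed fixture: a minimal PE-shaped blob (not executable) with one section holding `marker`."""
    e_lfanew, opt_size = 0x80, 0xE0
    raw_ptr = e_lfanew + 4 + 20 + opt_size + 40     # section data directly follows the headers
    dos = (b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(opt_size, b"\x00")       # PE32 magic, rest zeroed
    sec = b".text\x00\x00\x00" + struct.pack("<IIII", len(marker), 0x1000, len(marker), raw_ptr) + b"\x00" * 16
    return dos + b"PE\x00\x00" + coff + opt + sec + marker


def sample_container() -> bytes:
    """Constructed stand-in for the dropper: its own PE, then two embedded PEs and a stray 'MZ'."""
    return (build_fake_pe(b"DROPPER") + b"\x00" * 50
            + build_fake_pe(b"STEALER-PAYLOAD")
            + b"junk MZ junk"
            + build_fake_pe(b"RANSOM-PAYLOAD", machine=0x8664))


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_container()
    for i, pe in enumerate(find_embedded_pes(blob)):
        arch = MACHINE_NAMES.get(pe.machine, hex(pe.machine))
        print(f"payload {i}: offset={pe.offset:#x} size={pe.size} arch={arch} sections={pe.num_sections}")
```

Run it with a file path to scan a real dropper, or with no arguments to see it find the two constructed payloads. A candidate whose section table claims more bytes than the container holds is rejected rather than carved, which is the usual sign that what follows the header is truncated, compressed or encoded; in that case a static scan like this will not recover the payload and the dropped files have to be captured at runtime instead.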
We also identified the MalActor “Oktropys” running the Aurora ransomware campaign in this case.