AZORult Trojan Serving Aurora Ransomware by MalActor Oktropys (with a step-by-step look at the reverse engineering of a malware sample)

LASER_oneXM (thread author)
This is a guest post from Vishal Thakur, a Security Incident Handler, APAC CSIRT for Salesforce. In this article Thakur takes a deep dive into the technical aspects of a new AZORult variant that Salesforce found globally targeting computers. Those infected would have the Aurora ransomware installed as well as an information-stealing Trojan.
For those who are interested in a step-by-step look at the reverse engineering of a malware sample, you will find this post very interesting.



Towards the end of July 2018, we saw a new version of the AZORult trojan being used in malware campaigns targeting computers globally. In this article, we will dive into the malware and analyze its execution flow and payloads.
The initial infection vector is a phishing email that comes with a downloader malware attached. On execution, it downloads and executes the main malware.
This version of the malware comes with two payloads. These are embedded in the main binary and are simply dropped onto the disk and executed. The first payload to be executed is an information stealer that targets local accounts, browsers, saved credentials, etc. (this is the AZORult part). The second payload is the Aurora ransomware.

We also identified the MalActor “Oktropys” running the Aurora ransomware campaign in this case.
The main goal of this article is to analyze the malware from an incident response/threat neutralization point of view. We will try to understand the code structure and see if we are able to extract some useful IOCs from the binaries.
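Because both payloads are stored whole inside the main binary and written to disk unchanged, one quick way to pull IOCs from the dropper is to carve every valid PE image out of it and hash each one. The script below is an added example of that carving step; it is not code from the original post or from Salesforce's analysis. It relies only on the documented PE header layout (DOS header, `PE\0\0` signature, COFF header, section table), and the "dropper" it scans is a constructed byte string with two minimal, non-runnable PE fixtures embedded in filler bytes, standing in for a real sample.

```python
"""Carve embedded PE images out of a dropper and hash them as IOCs.

Added example, not from the original post. The sample dropper below is a
constructed fixture; the header offsets used are the standard PE layout.
"""
import hashlib
import struct

MACHINE_NAMES = {0x14C: "i386", 0x8664: "x86-64"}


def pe_extent(data, off):
    """Validate a candidate PE header at `off`.

    Returns (end_offset, machine) where end_offset is the end of the last
    section's raw data, or None if the bytes are not a plausible PE image.
    """
    if off + 0x40 > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, off + 0x3C)[0]
    if not 0x40 <= e_lfanew <= 0x1000:   # DOS header is 64 bytes; huge values are junk
        return None
    pe = off + e_lfanew
    if pe + 24 > len(data) or data[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec = struct.unpack_from("<HH", data, pe + 4)
    size_opt = struct.unpack_from("<H", data, pe + 20)[0]
    sec_tbl = pe + 24 + size_opt
    if nsec == 0 or nsec > 96 or sec_tbl + 40 * nsec > len(data):
        return None
    end = sec_tbl + 40 * nsec
    for i in range(nsec):
        # SizeOfRawData / PointerToRawData sit at +16 / +20 of each 40-byte entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_tbl + 40 * i + 16)
        if raw_size:
            end = max(end, off + raw_ptr + raw_size)
    if end > len(data):   # section table points past the buffer: truncated image
        return None
    return end, machine


def carve_embedded_pe(data):
    """Return an IOC record (offset, size, sha256, machine) for every valid PE
    image found in `data`, in file order."""
    found = []
    pos = data.find(b"MZ")
    while pos != -1:
        ext = pe_extent(data, pos)
        if ext is not None:
            end, machine = ext
            blob = data[pos:end]
            found.append({
                "offset": pos,
                "size": len(blob),
                "sha256": hashlib.sha256(blob).hexdigest(),
                "machine": MACHINE_NAMES.get(machine, hex(machine)),
            })
        pos = data.find(b"MZ", pos + 1)   # keep going: a carrier PE can hold further images
    return found


def build_minimal_pe(payload, machine=0x14C):
    """Constructed fixture: a syntactically valid (not executable) PE with one
    section whose raw data is `payload`. Only used to build the sample dropper."""
    e_lfanew = 0x40
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    num_sections, size_opt = 1, 0
    coff = struct.pack("<HHIIIHH", machine, num_sections, 0, 0, 0, size_opt, 0x0102)
    header_len = e_lfanew + 4 + 20 + size_opt + 40 * num_sections
    raw_ptr = (header_len + 0x1FF) & ~0x1FF   # 512-byte file alignment
    section = struct.pack("<8sIIIIIIHHI", b".data", len(payload), 0x1000,
                          len(payload), raw_ptr, 0, 0, 0, 0, 0xC0000040)
    image = bytearray(dos + b"PE\0\0" + coff + section)
    image += b"\0" * (raw_ptr - len(image))
    image += payload
    return bytes(image)


# Constructed stand-in for the dropper: filler bytes with two embedded payloads.
STEALER = build_minimal_pe(b"stealer payload bytes", machine=0x14C)
RANSOMWARE = build_minimal_pe(b"ransomware payload bytes", machine=0x8664)
SAMPLE_DROPPER = b"\x90" * 300 + STEALER + b"\x00" * 77 + RANSOMWARE + b"\x90" * 10

if __name__ == "__main__":
    for rec in carve_embedded_pe(SAMPLE_DROPPER):
        print(rec)
```

Run against a real dropper, the carrier itself is reported at offset 0 and any payload stored in a resource section or appended as an overlay shows up as a further record; the carved files can then be hashed, detonated, or pivoted on. The caveat is that this only finds payloads stored as plain PE images: if a variant compresses or encrypts them before embedding, nothing validates and the scan returns only the carrier, which is itself a useful signal that unpacking in a debugger is required.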