T1105kaspersky.com

kaspersky.com  时间:2021-03-23  阅读:()
AZORultMalwareOVERALLCLASSIFICATIONISTLP:WHITETLP:WHITE04/16/2020Report#:202004161000AgendaIntroductionAttackvectorsFunctionalityoverviewMappingagainsttheMITREATT&CKFrameworkInfectionandCompromiseOriginationofAttacksFakeCoronavirusmapTripleEncryptionPersistenceIntrusionDetectionRules/SignaturesMitigationpracticesIndicatorsofCompromiseReferencesQuestions4/16/20202Non-Technical:managerial,strategicandhigh-level(generalaudience)Technical:Tactical/IOCs;requiringin-depthknowledge(sysadmins,IRT)SlidesKey:TLP:WHITEImagesource:NJCCICIntroductionAZORult–WhatisitMalware–InformationstealerandcryptocurrencytheftInitiallydetectedin2016whendroppedbytheChthonicbankingtrojanLatestversion:3.
2;UsedtotargetWindowsAKAPuffStealer,RuzaltoEasytooperate(userfriendly)Verycommon;SoldonRussianhackerforumsfor~$100Canbothbedroppedorserveasadropper(firstorsecondstage)Constantlychanging/evolvinginfectionvectorsandattackstagesandcapabilitiesEspeciallyrelevantduringtheCoronaviruspandemicUsedinCoronavirus-themedattacks3TLP:WHITEImagesource:BleepingComputer4/16/2020AZORult–AttackVectorsHowisAZORultdeliveredCommon:ExploitKits(especiallyFalloutExploitKit)OthermalwarethatactsasadropperRamnitEmotetPhishingMalspamInfectedwebsitesMalvertisementsFakeinstallersOnoccasion:.
isofileRemoteDesktopProtocol(RDP)exploitation4TLP:WHITEImagesource:AdAstraGames4/16/2020AZORult–FunctionalityoverviewAZORultpossessesthefollowingcapabilities:Steals:SystemlogincredentialsSystemreconnaissanceinfo(GUID,systemarchitectureandlanguage,usernameandcomputername,operatingsystemversion,systemIPaddressCryptocurrencywalletsMonero,uCoin,andbitcoincryptocurrenciesElectrum,Electrum-LTC,Ethereum,Exodus,JaxxandMistwalletsSteamandTelegramcredentials;SkypechathistoryandcredentialsPaymentcardnumbersCookiesandothersensitivebrowser-baseddata(especiallyautofill)DataExfiltration/CommunicationPushestoacommand-and-controlserver.
ScreenshotsExecutesfilesviaremotebackdoorcommands5TLP:WHITEImagesource:LinkedIn4/16/2020MappingAZORultagainsttheMITREATT&CKFrameworkMITREATT&CKTechniquesusedbyAZORult:6TLP:WHITEDomainIDNameUseEnterpriseT1134AccessTokenManipulationAZORultcancallWTSQueryUserTokenandCreateProcessAsUsertostartanewprocesswithlocalsystemprivileges.
EnterpriseT1503CredentialsfromWebBrowsersAZORultcanstealcredentialsfromthevictim'sbrowser.
EnterpriseT1081CredentialsinFilesAZORultcanstealcredentialsinfilesbelongingtocommonsoftwaresuchasSkype,Telegram,andSteam.
EnterpriseT1140Deobfuscate/DecodeFilesorInformationAZORultusesanXORkeytodecryptcontentandusesBase64todecodetheC2address.
EnterpriseT1083FileandDirectoryDiscoveryAZORultcanrecursivelysearchforfilesinfoldersandcollectsfilesfromthedesktopwithcertainextensions.
EnterpriseT1107FileDeletionAZORultcandeletefilesfromvictimmachines.
EnterpriseT1057ProcessDiscoveryAZORultcancollectalistofrunningprocessesbycallingCreateToolhelp32Snapshot.
EnterpriseT1093ProcessHollowingAZORultcandecryptthepayloadintomemory,createanewsuspendedprocessofitself,theninjectadecryptedpayloadtothenewprocessandresumenewprocessexecution.
EnterpriseT1012QueryRegistryAZORultcancheckforinstalledsoftwareonthesystemundertheRegistrykeySoftware\Microsoft\Windows\CurrentVersion\Uninstall.
EnterpriseT1105RemoteFileCopyAZORultcandownloadandexecuteadditionalfiles.
AzorulthasalsodownloadedaransomwarepayloadcalledHermes.
EnterpriseT1113ScreenCaptureAZORultcancapturescreenshotsofthevictim'smachines.
EnterpriseT1032StandardCryptographicProtocolAZORultcanencryptC2trafficusingXOR.
EnterpriseT1082SystemInformationDiscoveryAZORultcancollectthemachineinformation,systemarchitecture,theOSversion,computername,Windowsproductname,thenumberofCPUcores,videocardinformation,andthesystemlanguage.
EnterpriseT1016SystemNetworkConfigurationDiscoveryAZORultcancollecthostIPinformationfromthevictim'smachine.
EnterpriseT1033SystemOwner/UserDiscoveryAZORultcancollecttheusernamefromthevictim'smachine.
EnterpriseT1124SystemTimeDiscoveryAZORultcancollectthetimezoneinformationfromthesystem.
Source:https://attack.
mitre.
org/software/S0344/4/16/2020AZORult–InfectionandcompromiseExampleattack:InfectionvectorExecutionPersistenceReconnaissanceExfiltration7TLP:WHITEImagesource:TrendMicro4/16/2020AZORult–OriginationofattacksGeographicaldistributionofAZORultattacks:December2017throughDecember20188TLP:WHITEDataandimagesource:Kaspersky4/16/2020RecentAZORultusage–FakeCoronavirusmapFakeCoronavirustrackingmapdropsAZORultonvictimsystems:9TLP:WHITE4/16/2020LegitimateJohnsHopkinsCoronavirusMapLegitimatemap:10TLP:WHITE4/16/2020RecentAZORulttechnique–tripleencryptionObservedinaFebruary2020phishingcampaign:11TLP:WHITEDataandimagesource:ThreatPost4/16/2020AZORult-PersistenceAZORultcanestablishpersistence:InstallstandardbackdoorsCreateshiddenadminaccounttosetregistrykeytoestablishRemoteDesktopProtocol(RDP)connectionCamouflagesaslegitimateapplication(registryandscheduledtasks)SeeexampleoffakeGoogleupdatebinarybelowwhichcontainedAZORulttrojan:12TLP:WHITEImagesource:BleepingComputer4/16/2020AZORultIntrusionDetectionRules/SignaturesYaraRules:https://malpedia.
caad.
fkie.
fraunhofer.
de/yara/win.
azorulthttps://github.
com/Yara-Rules/rules/blob/master/malware/MALW_AZORULT.
yarhttps://malware.
lu/articles/2018/05/04/azorult-stealer.
htmlhttps://yoroi.
company/research/gootkit-unveiling-the-hidden-link-with-azorult/https://neonprimetime.
blogspot.
com/2019/02/malware-yara-rules.
htmlhttps://tccontre.
blogspot.
com/2019/01/interesting-azorult-mutex-name-that.
htmlSnortrules:https://www.
snort.
org/rule_docs/1-47339https://www.
snort.
org/rule_docs/1-49548https://snort.
org/rule_docs/1-4760213TLP:WHITE4/16/2020MitigationPractices:AZORultTheHHS405(d)ProgrampublishedtheHealthIndustryCybersecurityPractices(HICP),whichisafreeresourcethatidentifiesthetopfivecyberthreatsandthetenbestpracticestomitigatethem.
BelowarethepracticesfromHICPthatcanbeusedtomitigateAZORult.
14TLP:WHITEBackgroundinformationcanbefoundhere:https://www.
phe.
gov/Preparedness/planning/405d/Documents/HICP-Main-508.
pdfDEFENSE/MITIGATION/COUNTERMEASURE405(d)HICPREFERENCEProvidesocialengineeringandphishingtrainingtoemployees.
[10.
S.
A],[1.
M.
D]Developandmaintainpolicyonsuspiciouse-mailsforendusers;Ensuresuspiciouse-mailsarereported.
[10.
S.
A],[10.
M.
A]Ensureemailsoriginatingfromoutsidetheorganizationareautomaticallymarkedbeforereceived.
[1.
S.
A],[1.
M.
A]Applypatches/updatesimmediatelyafterrelease/testing;Develop/maintainpatchingprogramifnecessary.
[7.
S.
A],[7.
M.
D]ImplementIntrusionDetectionSystem(IDS);Keepsignaturesandrulesupdated.
[6.
S.
C],[6.
M.
C],[6.
L.
C]Implementspamfiltersattheemailgateways;Keepsignaturesandrulesupdated.
[1.
S.
A],[1.
M.
A]BlocksuspiciousIPaddressesatthefirewall;Keepfirewallrulesareupdated.
[6.
S.
A],[6.
M.
A],[6.
L.
E]Implementwhitelistingtechnologytoensurethatonlyauthorizedsoftwareisallowedtoexecute.
[2.
S.
A],[2.
M.
A],[2.
L.
E]Implementaccesscontrolbasedontheprincipalofleastprivilege.
[3.
S.
A],[3.
M.
A],[3.
L.
C]Implementandmaintainanti-malwaresolution.
[2.
S.
A],[2.
M.
A],[2.
L.
D]Conductsystemhardeningtoensureproperconfigurations.
[7.
S.
A],[7.
M.
D]DisabletheuseofSMBv1(andallothervulnerableservicesandprotocols)andrequireatleastSMBv2.
[7.
S.
A],[7.
M.
D]4/16/202015IndicatorsofCompromise:ThereareinstancesofobsoleteIOCsbeingreused,soanyorganizationattemptingtodefendthemselvesshouldconsiderallpossibilities.
NewIOCsareconstantlybeingreleased,especiallywithatoolasprominentandfrequentlyusedasAZORult.
Itisthereforeincumbentuponanyorganizationattemptingtodefendthemselvestoremainvigilant,maintainsituationalawarenessandbeeveronthelookoutfornewIOCstooperationalizeintheircyberdefenseinfrastructure.
AZORult:IndicatorsofCompromiseTLP:WHITEINDICATORTYPEDESCRIPTIONhttp://daticho.
ac[.
]ugDomainCommandandcontrolserverhttp://ravor.
ac[.
]ugDomainCommandandcontrolserverssl[.
admin[.
itybuy[.
itDomainCommandandcontrolserverhairpd[.
]com/stat/stella.
exeDomainMalwarestoragehairpd[.
]com/stat/sputik.
exeDomainMalwarestorageivanzakharov91[.
]example.
comDomainMalwarestorageDriverconnectsearch[.
]infoDomainMalwarestoragehost.
colocrossing[.
]comDomainMalwarestorageDriverconnectsearch[.
]infoDomainMalwarestorage185.
154.
21[.
]208IPaddressMalwarestorage192.
3.
179[.
]203IPaddressMalwarestorage08EB8F2E441C26443EB9ABE5A93CD942MD5Executable5B26880F80A00397BC379CAF5CADC564MD5ExecutableB0EC3E594D20B9D38CC8591BAFF0148BMD5ExecutableFE8938F0BAAF90516A90610F6E210484MD5Executable2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097aMD5Executable6f51bf05c9fa30f3c7b6b581d4bbf0194d1725120b242972ca95c6ecc7eb79bcMD5Executablea75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612MD5Executable12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185MD5Executable97c016bab36a85ca830376ec48c7e70ee25edbb55f626aee6219ade7468cee19MD5Executablef291c822ee0c5655b2900f1c8881e415MD5Executable4/16/2020ReferencesAnalyzinganAZORultAttack–EvasioninaCloakofMultipleLayershttps://blog.
minerva-labs.
com/analyzing-an-azorult-attack-evasion-in-a-cloak-of-multiple-layersSeamlessCampaignDeliversRamnitviaRIGEKat188.
225.
82.
158.
Follow-upMalwareisAZORultStealer.
https://malwarebreakdown.
com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/TheSeamlessCampaignDropsRamnit.
Follow-upMalware:AZORultStealer,SmokeLoader,etc.
https://malwarebreakdown.
com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/Let'sLearn:ReversingCredentialandPaymentCardInformationStealer'AZORultV2'https://www.
vkremez.
com/2017/07/lets-learn-reversing-credential-and.
htmlThreatActorsUsingLegitimatePayPalAccountsToDistributeChthonicBankingTrojanhttps://www.
proofpoint.
com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojanKasperskyThreats:TROJAN-PSW.
WIN32.
AZORULThttps://threats.
kaspersky.
com/en/threat/Trojan-PSW.
Win32.
Azorult/campaignAZORultTrojanUsesFakeProtonVPNInstallertoDisguiseAttackshttps://securityintelligence.
com/news/azorult-trojan-uses-fake-protonvpn-installer-to-disguise-attacks/AZORULTMalwareInformationhttps://success.
trendmicro.
com/solution/000146108-azorult-malware-information-kAJ4P000000kEK2WAMNewversionofAZORultstealerimprovesloadingfeatures,spreadsalongsideransomwareinnewcampaignhttps://www.
proofpoint.
com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongsideMalpedia:Azorulthttps://malpedia.
caad.
fkie.
fraunhofer.
de/details/win.
azorultcampaignTrendMicro:AZORULTMalwareInformationhttps://success.
trendmicro.
com/solution/000146108-azorult-malware-information-kAJ4P000000kEK2WAM16TLP:WHITE4/16/2020ReferencesMaliciouscoronavirusmaphidesAZORultinfo-stealingmalwarehttps://www.
scmagazine.
com/home/security-news/news-archive/coronavirus/malicious-coronavirus-map-hides-azorult-info-stealing-malware/Battlingonlinecoronavirusscamswithfactshttps://blog.
malwarebytes.
com/social-engineering/2020/02/battling-online-coronavirus-scams-with-facts/AZORultCampaignAdoptsNovelTriple-EncryptionTechniquehttps://threatpost.
com/azorult-campaign-encryption-technique/152508/AZORultTrojanUsesFakeProtonVPNInstallertoDisguiseAttackshttps://securityintelligence.
com/news/azorult-trojan-uses-fake-protonvpn-installer-to-disguise-attacks/AzorultTrojanStealsPasswordsWhileHidingasGoogleUpdatehttps://www.
bleepingcomputer.
com/news/security/azorult-trojan-steals-passwords-while-hiding-as-google-update/CBTAUThreatIntelligenceNotification:CommontoRussianUndergroundForums,AZORultAimstoConnecttoC&CServer,StealSensitiveDatahttps://www.
carbonblack.
com/2019/09/24/cb-tau-threat-intelligence-notification-common-to-russian-underground-forums-azorult-aims-to-connect-to-cc-server-steal-sensitive-data/AZORultMalwareAbusingRDPProtocolToStealtheDatabyEstablishaRemoteDesktopConnectionhttps://gbhackers.
com/azorult-malware-abusing-rdp-protocol/ReverseEngineering,MalwareDeepInsighthttps://vk-intel.
org/2017/07/Azorultloaderstageshttps://maxkersten.
nl/binary-analysis-course/malware-analysis/azorult-loader-stages/MITRE:AZORulthttps://attack.
mitre.
org/software/S0344/AZORULTVERSION2:ATROCIOUSSPYWAREINFECTIONUSING3IN1RTFDOCUMENThttps://cysinfo.
com/azorult-version-2-atrocious-spyware-infection-using-3-1-rtf-document/AZORult++:Rewritinghistoryhttps://securelist.
com/azorult-analysis-history/89922/TROJAN-PSW.
WIN32.
AZORULThttps://threats.
kaspersky.
com/en/threat/Trojan-PSW.
Win32.
Azorult/17TLP:WHITE4/16/2020QuestionsUpcomingBriefsCOVID-19CyberThreatsThreatModellingforMobileHealthSystemsProductEvaluationsRecipientsofthisandotherHealthcareSectorCybersecurityCoordinationCenter(HC3)ThreatIntelligenceproductsarehighlyencouragedtoprovidefeedbacktoHC3@HHS.
GOV.
RequestsforInformationNeedinformationonaspecificcybersecuritytopicSendyourrequestforinformation(RFI)toHC3@HHS.
GOVorcallusMonday-Friday,between9am-5pm(EST),at(202)691-2110.
18TLP:WHITE4/16/202019HealthSectorCybersecurityCoordinationCenter(HC3)BackgroundHC3workswithprivateandpublicsectorpartnerstoimprovecybersecuritythroughouttheHealthcareandPublicHealth(HPH)SectorSector&VictimNotificationsWhitePapersDirectedcommunicationstovictimsorpotentialvictimsofcompromises,vulnerableequipmentorPII/PHItheftandgeneralnotificationstotheHPHaboutcurrentlyimpactingthreatsviatheHHSOIGDocumentthatprovidesin-depthinformationonacybersecuritytopictoincreasecomprehensivesituationalawarenessandprovideriskrecommendationstoawideaudience.
ThreatBriefings&WebinarBriefingdocumentandpresentationthatprovidesactionableinformationonhealthsectorcybersecuritythreatsandmitigations.
Analystspresentcurrentcybersecuritytopics,engageindiscussionswithparticipantsoncurrentthreats,andhighlightbestpracticesandmitigationtactics.
NeedinformationonaspecificcybersecuritytopicorwanttojoinourlistservSendyourrequestforinformation(RFI)toHC3@HHS.
GOVorcallusMonday-Friday,between9am-5pm(EST),at(202)691-2110.
Products4/21/2020

HostKvm($4.25/月)俄罗斯/香港高防VPS

HostKvm又上新了,这次上架了2个线路产品:俄罗斯和香港高防VPS,其中俄罗斯经测试电信CN2线路,而香港高防VPS提供30Gbps攻击防御。HostKvm是一家成立于2013年的国外主机服务商,主要提供基于KVM架构的VPS主机,可选数据中心包括日本、新加坡、韩国、美国、中国香港等多个地区机房,均为国内直连或优化线路,延迟较低,适合建站或者远程办公等。俄罗斯VPSCPU:1core内存:2G...

ReliableSite怎么样,月付$95美国洛杉矶独立服务器

ReliableSite怎么样?ReliableSite好不好。ReliableSite是一家成立于2006年的老牌美国商家,主要经营美国独立服务器租赁,数据中心位于:洛杉矶、迈阿密、纽约,带宽1Gbps起步,花19美元/月即可升级到10Gbps带宽,月流量150T足够各种业务场景使用,且免费提供20Gbps DDoS防护。当前商家有几款大硬盘美国独服,地点位于美国洛杉矶或纽约机房,机器配置很具有...

半月湾hmbcloud升级500Mbps带宽,原生VPS,$4.99/月

关于半月湾HMBCloud商家之前也有几篇那文章介绍过这个商家的产品,对于他们家的其他产品我都没有多加留意,而是对他们家的DC5机房很多人还是比较喜欢的,这个比我们有些比较熟悉的某商家DC6 DC9机房限时,而且半月湾HMBCloud商家是相对便宜的。关于半月湾DC5机房的方案选择和介绍:1、半月湾三网洛杉矶DC5 CN2 GIA同款DC6 DC9 1G内存 1TB流量 月$4.992、亲测选择半...

kaspersky.com为你推荐
openeuleropen与close的区别及用法bbs.99nets.com做一款即时通讯软件难吗 像hi qq这类的lunwenjiancepaperfree论文检测安全吗同一ip网站同一个IP不同的30个网站,是不是在一个服务器上呢?百度关键词工具如何利用百度关键词推荐工具选取关键词长尾关键词挖掘工具大家是怎么挖掘长尾关键词的?www.baitu.com谁有免费的动漫网站?抓站工具仿站必备软件有哪些工具?最好好用的仿站工具是那个几个?www.hyyan.comdota屠夫怎么玩?从初期到后期的装备是什么?ww.66bobo.com谁知道11qqq com被换成哪个网站
代理主机 新加坡虚拟主机 中国十大域名注册商 网页空间租用 中文域名申请 日志分析软件 刀片服务器是什么 idc资讯 能外链的相册 服务器论坛 godaddyssl sonya nic suspended翻译 免费网络电视软件 百度空间登陆首页 宿迁服务器托管 dhcp服务器是什么 服务器操作系统下载 七夕促销海报 更多