Earlier this year, in one of our blog posts we covered GuLoader, a downloader outfitted with advanced anti-analysis techniques that has delivered FormBook, NanoCore, LokiBot, and Remcos among others. Recently, we’ve observed GuLoader delivering AZORult.

Active for many years, AZORult is an information stealer that has seen many iterations and is typically spread via spam emails or malicious software.

GuLoader’s evasive techniques coupled with AZORult’s information-stealing capabilities make this an interesting combination for an attacker to hit their target.

In this Malware Analysis Spotlight, we will analyze a delivery chain that uses malicious e-mail attachments and GuLoader to spread AZORult.

Analysis of the AZORult Delivery Chain

Our investigation started from a single sample that matched our AZORult v3 network communication YARA rule. We decided to get more background information and look for the delivery method. The delivery payload turned out to be an RTF document delivered as an email attachment (Figure 1) and exploiting a vulnerability in one of Microsoft’s Office products.

Starting from the email, the attack actually contained three steps and downloaded two payloads during its execution. At least one of the payloads was AZORult. We also investigated the other parts of the executions chain and it turned out that the infamous GuLoader was used as one of the links in the execution chain.

The document is abusing the equation editor (CVE-2017-11882) vulnerability to achieve execution on the victim’s machine. This leads to the download and execution of the next payload which is GuLoader (Figure 2).

In our investigation, we found multiple unique domains responsible for hosting the GuLoader payload (see list of IOCs) associated with similar spam emails leveraging this type of execution chain.

As we have described in one of our previous Threat Bulletin, GuLoader is equipped with advanced anti-analysis, sandbox detection, and evasion techniques to increase its chances of delivering malware to its intended target.

In the VMRay Analyzer Report, we observed the typical behavior of GuLoader, using shellcode in two instances (processes). The shellcode uses its advanced techniques to thwart dynamic analysis followed by the final payload downloaded from a publicly available cloud provider.

Compared to the previously analyzed GuLoader samples, this one shows additional behavior in the enumeration of products currently advertised/installed (MsiEnumProductsA) and services (EnumServicesStatusA) (Figure 3). This might be an indicator of further detection or evasion techniques present in this GuLoader sample.

Last, it downloads the final AZORult stealer payload, maps it into its own process, and transfers control flow (Figure 4).

AZORult’s Behavior

From this point on, the behavior of AZORult is visible. AZORult is an information stealer that targets login credentials, cookies, cryptocurrency wallets, and more (Figure 5).

AZORult v3 always appends the XOR key used to encrypt the following message sent to its C&C at the beginning of the message. Thus, the initial communication always starts with three NUL bytes followed by an XOR encrypted ID hash (Figure 6). In our investigation, we found multiple servers used as its C&C (see IOCs) that all contain the same path.

Conclusion

By using GuLoader in the delivery chain, the attackers can profit from the many features provided by GuLoader that are not offered by AZORult on its own. This obstructsanalysis, complicates manual analysis and provides a flexible, easy distribution of tasks to the attacker without the requirement of advanced specialized knowledge. Despite all that, the VMRay Analyzer monitored the complete delivery chain from the initial RTF document to the final payload.

As mentioned before, these documents are sent via spam emails which are typical attack vectors that attackers use as an entry into the network. Including the VMRay Email Threat Defender (ETD) in the network helps to detect and prevent such attacks.

IOCs