Azorult Stealer, AsyncRAT, and Trojan Malware

Trojan malware is a type of malware that uses deception and social engineering to trick victims into running purported benign programs that hide the attacker’s malicious intentions (2).Trojans can be packed in downloads for games, tools, applications, software updates, and document attachments. In this incident, the .zip and .lnk files were detected as trojan downloaders (3 & 4).

Downloader trojan malware is typically used to gain access to a victim’s system and then download and execute additional malware or tools on the system (2).

These types of malware variants are often attractive tools for threat actors because they can be packaged to look like many legitimate downloads and can use the latest trends, events, and the victim’s pure curiosity to lure victims into downloading the malware.

Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will likely continue to use Trojan malware over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, such as this August 2023 analysis of a downloader trojan identified as “Trojan.Fruity.1” (5) and this July 17, 2024 incident involving a Financials end partner (6).

The APG’s assessment is augmented by external reports from other research teams. For example:

• In April 2024, security researchers eSentire reported an incident that involved the deployment of a malware trojan, Koi Loader (7).
  • The victim reportedly received a phishing email with a .zip attachment related to potential banking activity. The .zip file included a .lnk file that downloaded the second-stage payload to the victim.
• In August 2024, security researchers with ReasonLabs reported a widespread extension trojan malware campaign that installed rogue Google Chrome and Microsoft Edge extensions via a trojan distributed via fake websites impersonating popular software (8).
  • The malicious installers registered a scheduled task that was configured to execute a PowerShell script responsible for downloading and executing the next-stage payload.

Blackpoint’s APG recommends the following remediations and mitigations of threat actor use of Trojan malware in your environment.

• Provide a dedicated software center to guarantee employees can easily access the applications and updates required for their jobs from a safe and monitored location, so they don’t “go rogue” and accidentally download malware from a malvertising or SEO poisoned instance.
  • Trojan malware variants are often delivered via social engineering attacks. While this is frequently through phishing emails, they have also been observed being deployed via malicious websites impersonating commonly used software and services. This mitigation can help ensure that employees are protected from downloading impersonated software and inadvertently downloading a trojan.
• Employ least-privilege access controls to ensure that users only have access to the data and resources required to complete their job functions, making it harder for threat actors to move laterally within the infected environment to more desirable targets.
  • In the event a threat actor successfully deployed a trojan, limiting a user account’s permissions can add an extra layer of protection as threat actors would be unable to create scheduled tasks, access sensitive environments, and run malicious scripts with a basic user account.
• Regularly audit both environment and endpoints for what “normal” user activity looks like, any old and unused credentials or authorizations, and possible “shadow IT” that was previously unaccounted for. Such audits should also ensure the application and enforcement of all technical and administrative controls throughout your organization.
  • In this incident, the first JavaScript file created scheduled tasks for persistence and to download and execute a second JavaScript file. Auditing the environment and endpoints can help identify scheduled tasks that are unexpected and prevent the scheduled tasks from offering persistence for threat actors and malware.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
  • This incident included the use of JavaScript and PowerShell to conduct malicious activities. Minimizing the use of scripting languages, limiting the users that have the ability to use scripting languages, and implementing strict controls on the use of these languages can help prevent multiple JavaScript files from being run and using PowerShell to download and execute payloads from remote URLs.

Azorult Stealer (AKA PuffStealer, Ruzalto) is an information stealer that has been active since at least 2016 and has been sold across Russian-language cybercriminal forums (9). The first observed variant of Azorult Stealer was written in the Delphi programming language and was reportedly ported to C++ in 2019 (10).

Threat actors likely find Azorult Stealer an attractive option due to the purported ease of use and the malware’s ability to steal cryptocurrency wallet information, system information, credentials, and more (10).

Purchasing malware that is created and maintained by a developer and sold on cybercriminal forums allows lower skill level threat actors to deploy malware and steal sensitive information. Azorult malware is likely used by multiple threat groups, which makes post-incident attribution more difficult.

Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will likely continue to use Azorult Stealer over the next 12 months.

This assessment is augmented by external reports from other research teams. For example:

• In January 2024, security researchers with Cyble reported an Azorult Stealer campaign that utilized a .zip file that contained a malicious shortcut file posing as a PDF document (11).
  • The shortcut file included an obfuscated PowerShell script and commands to drop and execute a batch file using the Task Scheduler.
  • The final step of the reported incident triggered another PowerShell script leading to the execution of the Azorult malware.
• In March 2024, security researchers with Netskope Threat Labs reported an Azorult Stealer campaign that leveraged fake Google Sites pages and HTML smuggling to distribute the malware (12).
  • When a victim was tricked into opening the rogue web page from a phishing email, the browser decoded the script and extracted the payload on the host device, allowing the threat actor to bypass typical security controls.

Blackpoint’s APG recommends the following remediations and mitigations for the threat actor use of Azorult Stealer in your environment.

• Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  • Azorult Stealer has been frequently delivered via malicious websites and phishing emails. Exposing employees to the frequently observed social engineering tactics can aid in providing employees with the awareness and knowledge to identify social engineering tactics and report incidents to an incident response authority.
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  • Threat actors have been observed frequently making use of scheduled tasks for persistence; in this case, the scheduled task was set to run once every minute. This type of detection can help identify anomalous scheduled tasks and files stored in uncommon folders.
• Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.
  • Azorult Stealer has the ability to target and exfiltrate credentials from infected hosts. Requiring the use of strong and unique passwords in combination with a secure password manager can aid in making it more difficult for threat actors to steal credentials to sensitive information and systems.
• Enforce multi-factor authentication (MFA) on all user accounts – especially those with privileged access! – to help decrease the chances of undetected credential compromise.
  • Requiring the use of MFA, in combination with strong and unique passwords, makes it more difficult for threat actors to access compromised accounts. If threat actors gain access to credentials, enabling MFA can help provide an additional layer of authentication to protect accounts.

AsyncRAT is an open-source remote access tool that was released via GitHub and has been adopted by several threat groups. The malware is capable of multiple actions (13), including:

• Capture keystrokes on a victim’s machine;
• Examine running processes to determine if a debugger is present on the targeted device;
• Create scheduled tasks that maintain persistence on affected devices; and
• Record screen content on the affected devices.

Due to the availability of AsyncRAT, it is very likely deployed by threat actors of all skill levels, including APT groups (14) and ransomware operations (15).

AsyncRAT is likely to remain an attractive tool for threat groups over the next 12 months, as using publicly available and proven successful malware allows threat groups to target organizations without requiring the personal skills or resources needed to develop and maintain custom malware variants.

Blackpoint’s Adversary Pursuit Group (APG) predicts that threat actors will very likely continue to use AsyncRAT over the next 12 months.

We base this assessment on internal Blackpoint observed attacks, such as this June 13, 2024 incident targeting an Industrials partner (16).

The APG’s assessment is further augmented by external reports from other research teams. For example:

• In August 2024, security researchers with Forcepoint reported an AsyncRAT incident that delivered the malicious payload via suspicious TryCloudflare quick tunnel and Python packages (18).
  • The researchers also identified an AsyncRAT operator using HTML email attachments for initial access, in which the “search-ms” Windows protocol and “search-ms” URI protocol handler were being used to deliver malicious LNK and then Python scripts.
• Security researchers with ReliaQuest have reported that AsyncRAT remains one of the top malware variants observed in incidents (17).
  • The continued use of AsyncRAT to collect information, gain persistence, and deploy second-stage malware highlights threat actors’ determination to continue using the tool.

Blackpoint’s APG recommends the following remediations of mitigations of threat actor use of AsyncRAT in your environment.

• Run employee security training as a strong “insurance policy” of sorts for your most exposed security liabilities: your end users. They must repeatedly be exposed to what basic phishing and malvertising lures look like, and be more cautious about opening email attachments or clicking on sponsored ads in search results.
  • AsyncRAT was likely delivered via a .wsf file and has been identified as being delivered via phishing emails with various malicious attachments. Exposing employees to the frequently observed social engineering tactics in the wild can help them identify suspicious emails with malicious links and attachments. This type of training should include how and when to report these social engineering attacks to an incident response authority.
• Minimize the use of – or implement strict controls on – the use of scripting languages, as threat actors rely on scripting languages to deploy malware and conduct malicious activities.
  • AsyncRAT operators were observed utilizing batch scripts, PowerShell scripts, and Visual Basic Scripts to deploy the malware, execute commands, and read the text contents of other files. Restricting the ability to conduct this type of activity can help limit the threat actor’s ability to successfully complete an attack.
• Deploy heuristics-based activity monitoring and remediation, which can help detect malicious behavior patterns lurking within allowlisted applications or protocols – and help ensure your environment remains secure even in the face of previously unknown exploitations or malicious scripts.
  • Anomalous scheduled tasks created, and files stored in anomalous folders, such as a music folder, can be detected with behavior-based detection methods. This type of detection can aid in identifying behaviors that indicate a potential compromise.
• Require the use of secure password managers, disabling plaintext password storage and local password caching to make accessing passwords by threat actors from compromised accounts more difficult.
  • AsyncRAT is capable of stealing credentials and logging keystrokes. Using a secure password manager can help prevent credentials from being stolen and accounts from being accessed by threat actors.

1. VirusTotal’s Repository: “74b85c502651bae1734849f3ac49d8152a6c0fbb9234083b1384d8cbe3640068” by VirusTotal on 2024-08-27
2. Malwarebytes’s Blog: “Trojan horse – Virus or malware?” by Malwarebytes on 2023-10-30
3. VirusTotal’s Repository: “abf8b3773306184cd4ad5b6d25ce127b50c9250b51cf2d2cc86ae72c08fc648b” by VirusTotal on 2024-08-27
4. VirusTotal’s Repository: “8ab2ac37791e59e9d971b216c889eaba50a1fc95ef5602efd4748499b0db7808” by VirusTotal on 2024-08-27
5. Blackpoint Cyber’s Blog: “Pebbles Aren’t Alone: The Fruity Find Making Waves in Cybersecurity” by Blackpoint Cyber on 2023-08-02
6. Blackpoint Cyber’s Blog: “SYS01 Stealer, Ratty RAT, and AsyncRAT” by Blackpoint Cyber on 2024-07-26
7. eSentire’s Blog: “Unraveling Not AZORult but Koi Loader: A Precursor to Koi Stealer” by eSentire on 2024-04-09
8. ReasonLabs’s Blog: “New Widespread Extension Trojan Malware Campaign” by ReasonLabs Research Team on 2024-08-06
9. MITRE’s Repository: “Azorult” by MITRE on 2022-10-13
10. BlackBerry’s Blog: “What Is AZORult Malware?” by BlackBerry on N/A
11. Cyble’s Blog: “Sneaky Azorult Back in Action and Goes Undetected” by Cyble on 2024-01-12
12. Netskope’s Blog: “From Delivery To Execution: An Evasive Azorult Campaign Smuggled Through Google Sites” by Jan Michael Alcantara on 2024-03-15
13. MITRE’s Repository: “AsyncRAT” by MITRE on 2023-10-10
14. Trend Micro’s Blog: “New APT Group Earth Berberoka Targets Gambling Websites With Old and New Malware” by Daniel Lunghi; Jaromir Horejsi on 2022-04-27
16. 
    Cyberint’s Blog: “Credentials And Control Go Bye, Bye, Bye with AsyncRAT: What You Need to Know” by Adi Bleih on 2024-05-05
17. 
    Blackpoint Cyber’s Blog: “AsyncRAT, NetSupport RAT, and VssAdmin Abuse for Shadow Copy Deletion” by Blackpoint Cyber on 2024-06-21
18. 
    ReliaQuest’s Blog: “5 Malware Variants You Should Know” by Hayden Evans on 2024-08-15
19. 
    Forcepoint’s Blog: “Tweaking AsyncRAT: Attackers Using Python and TryCloudflare to Deploy Malware” by Mayur Sewani on 2024-08-26