Security News

Coronavirus, 8-Layer, COVID-19, Azorult.RK

By

Overview:

SonicWall Capture Labs Threat Research Team recently found a new sample and activity in March for the “Corona-virus” binary below. Malware authors have taken advantage of the public’s desire for information on the COVID-19 pandemic since it was first found in December of 2019. Most of the world is in self-isolation currently, so people are under emotional distress searching for news about this new pandemic. This includes installing new applications and/or clicking on hyper-links they may not normally click on during this frightening and hair-raising time.

Just like the Corona-virus, this piece of malware has many layers to it. People often forget how many layers security researchers have to grind through, so today the light shines in the darkness below:

Samples: 1st Layer, Static Information:

Looking at the first layer in CFF Explorer, checking for corruption. The first layer is a Native Win32 binary.

Command-line static information:

Main starting routine and flowchart:

Static Resources:

Static Strings:

Compiler Information: Embarcadero Delphi for Win32 compiler version 33.0 (26.0.32429.4364)

Samples: 1st layer, Dynamic Information:

Starting Second Stage, by CreateProcessW:

Samples: 2nd Layer, Static Information:

Looking at the second layer in CFF Explorer, checking for corruption. The second layer is a Native Win32 binary.

Second layer, Command-line static information:

Second layer, Main starting routine and flowchart:

Static Resources, Binary 1 Found:

Static Resources, Binary 2 Found:

Samples: 3rd Layer, Static Information:

Looking at the third layer in CFF Explorer, checking for corruption. The third layer is a Native Win32 binary.

Third layer, Command-line static information:

Third layer, Main starting routine and flowchart:

Third layer, Static Resources:

Samples: 4th Layer, Static Information:

Looking at the fourth layer in CFF Explorer, checking for corruption. The fourth layer is a Native Win32 binary.

Fourth layer, Command-line static information:

Fourth layer, Main starting routine and flowchart:

Fourth layer, Static Resources:

Samples: 5th Layer, Static Information:

Extracting the WinRAR SFX:

Batch File:

The -p parameter stands for password, -d parameter stands for directory.

Looking at the fifth layer in CFF Explorer, checking for corruption. The fifth layer is a Native Win32 binary.

Fifth layer, Command-line static information:

Extracting:

Using the password above, we now have a new layer, layer 6:

Samples: 6th Layer, Static Information:

Looking at the sixth layer in CFF Explorer, checking for corruption. The sixth layer is a Native Win32 binary.

Sixth layer, Command-line static information:

Sixth layer, Main starting routine and flowchart:

Sixth layer, Static Resources:

Samples: 7th Layer, Static Information:

Looking at the seventh layer in CFF Explorer, checking for corruption. The seventh layer is a Native Win32 binary.

Seventh layer, Command-line static information:

Seventh layer, Main starting routine:

Seventh layer, Static Resources:

Samples: 7th Layer, Dynamic Malware Analysis

We start to see the light emerge from darkness in the seventh layer, a request is being crafted:

Lets trap the request (POST REQUEST):

(POST RESPONSE):

We can see the same requests in Procmon:

What is sent is overall statistics and metrics designed around every piece of hardware your machine has physically installed along with usernames and hostnames among much much more. This is all done by the use of a cookie below that is encrypted and compressed:

Samples: 8th Layer, Static Information:

Looking at the eighth layer in CFF Explorer, checking for corruption. The eighth layer is a Native Win32 binary.

Eighth layer, Command-line static information:

Eighth layer, Main starting routine:

Eighth layer, Static Resources:

Samples: 8th Layer, Dynamic Information:

GUI of 8th Layer:

Network Connections:

Click the picture below, to see the Remote Addresses:

Supported Systems:

  • Windows 10
  • Windows 8.1
  • Windows 8.0
  • Windows 7
  • Windows Vista

Summary:

As you can see above, malware today use many layers. I could have added even more layers. Total there are close to 12 layers in this piece of malware. Unfortunately, for the standard user there is no way to tell how many layers are involved when you click install on your favorite application. You have to trust the designer of the installer. Well, malware authors abuse this trust as shown above.

SonicWall, (GAV) Gateway Anti-Virus, provides protection against this threat:

  • GAV: Azorult.RK

Appendix

Sample Hash: f850f746f1a5f52d3de1cbbc510b578899fc8f9db17df7b30e1f9967beb0cf71

Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
Recommended Cyber Security Stories
Cybersecurity News & Trends - 05-21-21
WordPress WP Statistics plugin SQL Injection
Top CVE's exploited in the wild
RTDMI DETECTS A MASSIVE PDF CAMPAIGN SPREADING IN RUSSIAN LANGUAGE
Delphi based bot with DDoS capabilities (March 15, 2013)
Microsoft Security Bulletin Coverage (Feb 14, 2012)
Genasom Ransomware operator requests remote access for fix
Badblock ransomware is on the block (May 25, 2016)