The SANS ISC raises awareness of the AZORult infostealer Trojan, whose downloader is packaged in 3 layers of encryption to evade AV detection. This highly detailed analysis shows how far malware authors go to defeat technical defenses, and shows why human security awareness is so important for avoiding clickbait and other traps that implant malware.

I recently came across an interesting malicious document. Distributed as an attachment of a run-of-the-mill malspam message, the file with a DOC extension didn’t look like anything special at first glance. At the time of analysis, the file was no longer available at that URL; however, information points firmly to it being a version of the AZORult infostealer. In any case, with the use of Word, Excel, PowerShell and three layers of home-grown encryption, this downloader really turned out to be much more interesting than a usual malspam attachment.

One interesting point related to the final payload of the downloader which should be mentioned is that, besides downloading the malicious executable, the code also tries to bypass the Microsoft Anti-Malware Scanning Interface (AMSI) using a well-known memory patching technique. And, given the similarities of the code, it would seem that the authors of the downloader re-used a code sample available online for the bypass instead of writing their own code.
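Because the downloader re-uses a publicly circulated AMSI memory-patching snippet, the strings that such snippets need (the AMSI export and type names next to a memory-protection or memory-write primitive) are a cheap static indicator for a defender to look for in PowerShell content. The following is an added example written for this page, not code from the ISC diary or from the downloader; it scans script text for those indicator groups, undoes the simplest string-concatenation obfuscation first, and returns a verdict. The indicator lists, the verdict labels and both sample scripts are constructed for the demonstration.

```python
"""Heuristic scan of PowerShell script text for AMSI-tampering indicators.

Added example (not code from the ISC diary or the analysed sample).
Two indicator groups are checked: names of AMSI internals, and Win32 /
.NET primitives used to change memory protection or write into memory.
A script that contains both groups is far more suspicious than either
group alone, which is the distinction the verdict encodes.
"""
import re
from dataclasses import dataclass, field

# Constructed indicator lists (name, regex). Extend as needed.
AMSI_REFS = [
    ("AmsiScanBuffer", r"\bAmsiScanBuffer\b"),
    ("AmsiScanString", r"\bAmsiScanString\b"),
    ("amsi.dll", r"\bamsi\.dll\b"),
    ("AmsiUtils", r"\bAmsiUtils\b"),
    ("amsiInitFailed", r"\bamsiInitFailed\b"),
    ("AmsiContext", r"\bAmsiContext\b"),
]
MEMORY_PRIMITIVES = [
    ("VirtualProtect", r"\bVirtualProtect\b"),
    ("GetProcAddress", r"\bGetProcAddress\b"),
    ("WriteProcessMemory", r"\bWriteProcessMemory\b"),
    ("Marshal.Copy/WriteByte", r"Marshal\]::(Copy|WriteByte)\b"),
]


@dataclass
class ScanResult:
    verdict: str                      # "clean", "amsi-reference", "amsi-tamper-likely"
    amsi_hits: set = field(default_factory=set)
    memory_hits: set = field(default_factory=set)


def normalize(text: str) -> str:
    """Collapse 'Am'+'si' style string splitting so split tokens match again.

    This only defeats the most naive obfuscation; see the usage note.
    """
    return re.sub(r"""['"]\s*\+\s*['"]""", "", text)


def _hits(patterns, text):
    return {name for name, pat in patterns if re.search(pat, text, re.IGNORECASE)}


def scan_script(text: str) -> ScanResult:
    """Return which indicator groups the script text references, and a verdict."""
    norm = normalize(text)
    amsi = _hits(AMSI_REFS, norm)
    mem = _hits(MEMORY_PRIMITIVES, norm)
    if amsi and mem:
        verdict = "amsi-tamper-likely"
    elif amsi:
        verdict = "amsi-reference"
    else:
        verdict = "clean"
    return ScanResult(verdict, amsi, mem)


# Constructed test input: a routine admin script with no indicators.
BENIGN = r"""
Get-ChildItem -Path C:\Logs -Filter *.log | Sort-Object LastWriteTime
Write-Output "rotated $($files.Count) files"
"""

# Constructed test input: deliberately non-functional token soup that
# splits the indicator strings the way simple obfuscators do.
SUSPICIOUS = r"""
$t = 'Amsi' + 'Utils'
$f = 'amsiInit' + 'Failed'
$k = [System.Runtime.InteropServices.Marshal]::Copy
$v = 'Virtual' + 'Protect'
"""

if __name__ == "__main__":
    for label, script in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        r = scan_script(script)
        print(f"{label}: {r.verdict} amsi={sorted(r.amsi_hits)} mem={sorted(r.memory_hits)}")
```

Static string matching of this kind is easy to evade with heavier obfuscation (format operators, char-code arrays, base64 stages), so it is best run over the de-obfuscated script blocks that PowerShell Script Block Logging records, where the content has already been unwrapped before execution, rather than only over files on disk.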