Malware Analysis Spotlight: AZORult Delivered by GuLoader

Nov 18th 2020


Earlier this year, in one of our blog posts we covered GuLoader, a downloader outfitted with advanced anti-analysis techniques that has delivered FormBook, NanoCore, LokiBot, and Remcos among others. Recently, we’ve observed GuLoader delivering AZORult.

Active for many years, AZORult is an information stealer that has seen many iterations and is typically spread via spam emails or malicious software.

GuLoader’s evasive techniques coupled with AZORult’s information-stealing capabilities make this an attractive combination for an attacker targeting a victim.

In this Malware Analysis Spotlight, we will analyze a delivery chain that uses malicious e-mail attachments and GuLoader to spread AZORult.


Analysis of the AZORult Delivery Chain

Our investigation started from a single sample that matched our AZORult v3 network communication YARA rule. We decided to get more background information and look for the delivery method. The delivery payload turned out to be an RTF document delivered as an email attachment (Figure 1) and exploiting a vulnerability in one of Microsoft’s Office products.

Starting from the email, the attack actually consisted of three steps and downloaded two payloads during its execution. At least one of the payloads was AZORult. We also investigated the other parts of the execution chain, and it turned out that the infamous GuLoader was used as one of its links.


Figure 1: Spam email that delivers the malicious RTF document.


The document is abusing the equation editor (CVE-2017-11882) vulnerability to achieve execution on the victim’s machine. This leads to the download and execution of the next payload which is GuLoader (Figure 2).

In our investigation, we found multiple unique domains responsible for hosting the GuLoader payload (see list of IOCs) associated with similar spam emails leveraging this type of execution chain.


Figure 2: VMRay Analyzer – Download of the next GuLoader payload by exploiting a vulnerability in the equation editor.


As we described in one of our previous Threat Bulletins, GuLoader is equipped with advanced anti-analysis, sandbox detection, and evasion techniques to increase its chances of delivering malware to its intended target.

In the VMRay Analyzer Report, we observed the typical behavior of GuLoader, which uses shellcode in two instances (processes). The shellcode applies its anti-analysis techniques to thwart dynamic analysis and then downloads the final payload from a publicly available cloud provider.

Compared to the previously analyzed GuLoader samples, this one shows additional behavior in the enumeration of products currently advertised/installed (MsiEnumProductsA) and services (EnumServicesStatusA) (Figure 3). This might be an indicator of further detection or evasion techniques present in this GuLoader sample.


Figure 3: VMRay Analyzer’s function log – Comparison of GuLoader’s new behavior (left) with previously analyzed samples (right)


Last, it downloads the final AZORult stealer payload, maps it into its own process, and transfers control flow (Figure 4).



AZORult’s Behavior

From this point on, the behavior of AZORult is visible. AZORult is an information stealer that targets login credentials, cookies, cryptocurrency wallets, and more (Figure 5).


Figure 5: VMRay Analyzer – AZORult’s data collection


AZORult v3 always prepends the XOR key used to encrypt the following message sent to its C&C, so the key is the first thing in the message. Thus, the initial communication always starts with three NUL bytes followed by an XOR encrypted ID hash (Figure 6). In our investigation, we found multiple servers used as its C&C (see IOCs) that all contain the same path.


Figure 6: VMRay Analyzer – AZORult’s initial message sent to its C&C server.
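As an added example (not code from the VMRay post), the following Python decoder implements the C&C message framing described above, a 3-byte XOR key followed by the XOR-encrypted body, together with a check for the three-NUL-byte prefix of the initial message. It assumes the prefixed key is applied as a repeating XOR key over the rest of the body; the ID hash and the captured bodies are constructed sample values.

```python
# Added example: parser/detector for the AZORult v3 C&C framing the post describes.
# Assumption (labelled): the 3-byte key at the start of the body is applied as a
# repeating XOR key over the remainder. The post only states that the key precedes
# the message and that the initial message begins with three NUL bytes.
from itertools import cycle
from typing import List, Tuple

KEY_LEN = 3

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is its own inverse, so this also decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def frame_message(key: bytes, plaintext: bytes) -> bytes:
    """Build a body in the described framing: key first, then the XOR-encrypted payload."""
    if len(key) != KEY_LEN:
        raise ValueError("key must be exactly 3 bytes")
    return key + xor_with_key(plaintext, key)

def unframe_message(body: bytes) -> Tuple[bytes, bytes]:
    """Split a captured body into (key, decrypted payload)."""
    if len(body) < KEY_LEN:
        raise ValueError("body shorter than the 3-byte key prefix")
    key, enc = body[:KEY_LEN], body[KEY_LEN:]
    return key, xor_with_key(enc, key)

def looks_like_azorult_v3_initial(body: bytes) -> bool:
    """Per the post, the initial C&C message starts with three NUL bytes, then the ID hash.
    Note: under the repeating-key assumption a NUL key leaves the payload unchanged."""
    return len(body) > KEY_LEN and body[:KEY_LEN] == b"\x00\x00\x00"

def scan_post_bodies(bodies: List[bytes]) -> List[int]:
    """Return indices of captured POST bodies that match the initial-message shape."""
    return [i for i, b in enumerate(bodies) if looks_like_azorult_v3_initial(b)]

# Constructed sample traffic (not real captures): an initial message with a
# placeholder ID hash, a follow-up message with a non-zero key, and an unrelated body.
CONSTRUCTED_BODIES = [
    frame_message(b"\x00\x00\x00", b"0123456789abcdef0123456789abcdef"),
    frame_message(b"\x13\x37\x42", b"cookie=session; user=demo"),
    b"login=demo&password=demo",
]

if __name__ == "__main__":
    for i in scan_post_bodies(CONSTRUCTED_BODIES):
        key, payload = unframe_message(CONSTRUCTED_BODIES[i])
        print(f"body {i}: key={key.hex()} payload={payload!r}")
```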



By using GuLoader in the delivery chain, the attackers can profit from the many features provided by GuLoader that AZORult does not offer on its own. This obstructs dynamic analysis, complicates manual analysis, and gives the attacker a flexible, easy division of labor that does not require advanced specialized knowledge. Despite all that, the VMRay Analyzer monitored the complete delivery chain from the initial RTF document to the final payload.

As mentioned before, these documents are sent via spam emails, a typical attack vector that attackers use as an entry point into the network. Including the VMRay Email Threat Defender (ETD) in the network helps to detect and prevent such attacks.



IOCs

Documents
5ff8a87fd7626d4beab7a5be7f285f1d1d64478509f27aca6fd9deb3f69155e7

GuLoader using MsiEnumProducts
e000b0cae7df0753ea12d97175e393bacf905613eef1a59d7e1784a913993f58

Domains hosting GuLoader
kalpvedafoundation[.]com

AZORult C&Cs
skilldrivinget[.]com/ojman/PL341//index[.]php