Azorult – what we see using our own tools

The Value of Being Able to Perform Threat Analysis outside the Boundaries of Your Enterprise…

Looking at Dmitry Bestuzhev’s piece about AZORult cryptominer spreading as a fake ProtonVPN installer[1],   I took a glance in Augury at what we have for the malware hashes he provided and many are still very low in terms of their detection rate: 6 to 21 out of 39 AV tools detected these hashes today depending on the exact variant. 


Augury has complete runtime and static analysis for eleven samples that involve this URL:  account.protonvpn[.]store and we did see traffic to the C2 (195.122.229[.]41:80) in our automated runtime analysis over several of the samples. 

At least four of the Kaspersky samples have a DNSRR for account.protonvpn[.]store as this same IP address 195.122.229[.]41:80 in addition to some UDP traffic to other IPs on ports 67, 123 and 5355. It’s in Nizhniy Novgorod, Russia, part of a small block 195.122.229.0 – 195.122.229.255 registered to “Mobile TeleSystems PJSC”:

% Information related to '195.122.229.0 - 195.122.229.255'
 
% Abuse contact for '195.122.229.0 - 195.122.229.255' is 'abuse@mtu.ru'
 
inetnum:        195.122.229.0 - 195.122.229.255
netname:        STATIC-NAT
descr:          Mobile TeleSystems PJSC
descr:          Nizhny Novgorod
country:        RU
admin-c:        SND-RIPE
tech-c:         SND-RIPE
tech-c:         SND-RIPE
status:         ASSIGNED PA
mnt-by:         AS8580-MNT
created:        2002-11-21T14:16:26Z
last-modified:  2020-02-04T05:46:55Z
source:         RIPE # Filtered
 
role:           SANDY ISP Network Operation Center
address:        Mobile TeleSystems OJSC Macro-region "Povolje"
address:        168a, Gagarina prospect
address:        Nizhny Novgorod, 603009, Russia
phone:          +7 831 2728930
fax-no:         +7 831 2728998
remarks:        trouble: -------------------------------------------------
remarks:        trouble: Please report SPAM and Network security issues to
remarks:        trouble: noc.nnov@mts.ru
remarks:        trouble: -------------------------------------------------
tech-c:         SYZ1-RIPE
nic-hdl:        SND-RIPE
mnt-by:         AS8580-MNT
created:        2002-03-12T13:25:47Z
last-modified:  2016-07-25T06:06:24Z
source:         RIPE # Filtered
abuse-mailbox:  noc.nnov@mts.ru
 
% Information related to '195.122.224.0/19AS8580'
 
route:          195.122.224.0/19
descr:          Closed Join Stock Company "KOMSTAR-Regiony"
descr:          Communication Service Centre of the Volga Region Branch in Nizhny Novgorod
descr:          46 Ulyanov St.
descr:          N.Novgorod 603600
descr:          Russia
origin:         AS8580
mnt-by:         AS8580-MNT
created:        1970-01-01T00:00:00Z
last-modified:  2019-07-08T14:20:40Z
source:         RIPE # Filtered

Some of this activity is in the last few days for the more recent samples, and shows the malware doing HTTP POSTs to http://account.protonvpn[.]store/index.php using a User Agent string of “Mozilla/4.0 (compatible; MSIE 6.0b; Windows NT 5.1)”.  This User Agent string appears to be a reliable indicator for identifying AZORult v3.x, and we show 26,280 records in our data that use this User Agent string.

Pivoting off this C2 in a second Augury query reveals the specific network traffic involving this IP from Russia for the last 30 days and we can say for certain that TCP port 445 was open on 20th and 21st of January this year: netbios-ssn, and indeed we also see multiple connections on tcp:445 with a host of wildly disparate IPs from various exotic locations.

At the start of February we observed some possible BitTorrent traffic with an IP in the Denver area that was also compromised, and then on Valentine’s Day we noted TCP port 554 was open on this Russian IP.

Overall, we see a great deal of network traffic involving this Russian IP for the last 30 days, and it would need a lot more analysis to determine if we can see a trace of the miscreant in here, but they are almost certainly in here somewhere:

Why do we care?

Well, first off I love Protonmail and this is a sensible demographic to target (high value data amongst the millions of happy encrypted Protonmail users); so that’s bad. 

But also, as attention focuses on the Russian IP (before they move), you can see how Augury gives you the context from the activity outside of your own network visibility. It’s unique and we look forward to bringing you more samples and more insight from IOCs that we run through Augury.

[1] https://securelist.com/azorult-spreads-as-a-fake-protonvpn-installer/96261/