AZORult: Now, as A Signed “Google Update”

guest · Jan 28, 2019

AZORult: Now, as A Signed “Google Update”
January 28, 2019
https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update

AZORult attackers continue to adjust tactics to increase the chances that they’ll evade detection.

Most recently, we observed AZORult using additional tricks to extend its ability to survive in the wild Last month we protected one of our clients from an unusual AZORult attack that involved a signed malicious executable, which the adversary used to increase the chances of successfully bypassing security tools.

The certificate used to sign the malicious GoogleUpdate.exe file either stolen from its legitimate owner or obtained for malicious purposes.
A Sneaky Persistence Mechanism
One of the capabilities of this AZORult sample is that it not only uses the file name GoogleUpdate.exe, but also replaces the legitimate Google Updater in C:\Program Files\Google\Update\GoogleUpdate.exe. This helps the malicious program run with administrative privileges and allows it to establish a stealthy persistence mechanism.
Click to expand...

Rasheed187 · Feb 2, 2019

This is sneaky indeed. So it's best to only trust a handful of certificates, and I wonder how you can stop apps from replacing legitimate apps inside C:\Program Files. This is something that should not have been possible in Windows, you should not be able to modify folders that do not belong to you! But a good HIPS would alert that the GoogleUpdate.exe app had been changed, they monitor this via checksum.

Log in or Sign up

AZORult: Now, as A Signed “Google Update”

guest Guest

Rasheed187 Registered Member

Log in or Sign up

AZORult: Now, as A Signed “Google Update”

guest Guest

Rasheed187 Registered Member

Useful Searches