{
	"id": "b7ed3049-1d9f-45d2-87f4-6798681dcc8e",
	"created_at": "2026-04-06T00:17:46.093494Z",
	"updated_at": "2026-04-10T03:20:45.944447Z",
	"deleted_at": null,
	"sha1_hash": "ba76e2a57cff1b757b807d2bcacde387e705bf2d",
	"title": "AZORult Campaign Adopts Novel Triple-Encryption Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70827,
	"plain_text": "AZORult Campaign Adopts Novel Triple-Encryption Technique\r\nBy Tom Spring\r\nPublished: 2020-02-03 · Archived: 2026-04-05 18:44:07 UTC\r\nPopular trojan is sneaking its way onto PCs via a malspam campaign that uses three levels of encryption to sneak\r\npast cyber defenses.\r\nA recent wave of AZORult-laced spam caught the attention of researchers who warn that malicious attachments\r\nassociated with the campaign are using a novel obfuscation technique, in an attempt to slip past spam gateways\r\nand avoid client-side antivirus detection.\r\nWhat makes this campaign unique is the use by threat actors of a triple-encrypted AZORult downloader being\r\npushed by the otherwise nondescript malspam assault. AZORult is a remote access trojan popular on Russian\r\nforums and most recently spotted last month in a spam campaign perpetrated by a hacker with an affinity toward\r\nsinger-songwriter Drake.\r\nThe malware-laced messages are “fairly uninteresting” and consist of a standard phishing hook, according to\r\nresearcher Jan Kopriva, contributing to the Internet Storm Center blog. However, he added, the attacker’s use of\r\nthree layers of encryption could present a challenge for signature and heuristics-based detection tools.\r\n“Distributed as an attachment of a run-of-the-mill malspam message, the file with a DOC extension didn’t look\r\nlike anything special at first glance. However, although it does use macros as one might expect, in the end, it\r\nturned out not to be the usual simple maldoc,” Kopriva wrote.\r\nThe infection chain starts with a typical phishing email asking for a “product list for January purchase,” for\r\nexample. Attached to the email is what appears to be a Microsoft Office Word document (DOC); however, the file\r\ntype is actually a Rich Text File (RTF).\r\nIf someone is gullible enough to click on the file labeled “DOC” in the spam message, the RTF file opens.\r\nImmediately after opening, four identical Excel spreadsheets – embedded as OLE objects in the RTF body –\r\nspawn. As each Excel document launches, the end user is bombarded with requests to enable macros for each\r\nspecific Excel document.\r\n“The displaying of seemingly unending pop-ups would probably be one of the more effective ways to get users to\r\nallow macros to run, since they might feel that it would be the only way to stop additional prompts from\r\ndisplaying,” Kopriva wrote.\r\nhttps://threatpost.com/azorult-campaign-encryption-technique/152508/\r\nIn this instance, attackers are spawning the Excel instances by abusing the “\\objupdate” mechanism inherent in\r\nRTF files that allows “objects” to update before displaying themselves.\r\nShould macros be enabled in any of the Excel documents, a payload is decrypted, decoded and executed using a\r\nVisual Basic for Applications “shell” command. “One small point of interest was that the payload, which it was\r\nsupposed to decrypt, was not contained in the macro itself but rather in one of the cells (136, 8) of the\r\nspreadsheet,” Kopriva said.\r\nThe next stage of the decryption happens as the first payload is executed and converts into a second decryption\r\nenvelope, this time in PowerShell. The researcher notes that the second level encryption, like the first, was not\r\ncomplex and mainly served as an obfuscation mechanism rather than anything else.\r\nThe payload this time is considerably obfuscated C# code, designed, said the researcher, to “download a file from\r\na remote server [and] save it as c2ef3.exe in the AppData folder and execute it.”\r\nThe third level of encryption manifests itself in the link used by the dropper to download the final AZORult\r\ninfostealer malware. “The link to the remote file was protected with a third layer of encryption using the same\r\nalgorithm we have seen in the PowerShell envelope,” he wrote.\r\nKopriva also notes that the C# code tries to bypass the Microsoft Anti-Malware Scanning Interface using a\r\nmemory patching technique first identified by CyberArk researchers in 2018 and used frequently, including last\r\nweek in a similar attack.\r\n“With the use of Word, Excel, PowerShell and three layers of home-grown encryption, this downloader really\r\nturned out to be much more interesting than a usual malspam attachment,” the researcher wrote.\r\nWhile this malspam campaign is unique, it is unclear how effective the payload has been when it comes to going\r\nundetected.\r\n“My guess is that triple encryption might be a little bit more effective than most of the usual obfuscation\r\ntechniques, since it is applied multiple times on multiple layers (i.e. the first instance of the decryption algorithm\r\nwas in a VBA macro and the second and third in PowerShell/C#). Any sandboxing would defeat it as easily as\r\nmost other obfuscation mechanisms, however it isn’t a bad way to defeat signature and heuristics-based detection\r\ntools,” Kopriva told Threatpost.\r\nSource: https://threatpost.com/azorult-campaign-encryption-technique/152508/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/azorult-campaign-encryption-technique/152508/"
	],
	"report_names": [
		"152508"
	],
	"threat_actors": [],
	"ts_created_at": 1775434666,
	"ts_updated_at": 1775791245,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba76e2a57cff1b757b807d2bcacde387e705bf2d.pdf",
		"text": "https://archive.orkl.eu/ba76e2a57cff1b757b807d2bcacde387e705bf2d.txt",
		"img": "https://archive.orkl.eu/ba76e2a57cff1b757b807d2bcacde387e705bf2d.jpg"
	}
}