Azorult Keylogger

 Tactical Cyber Intelligence Report

Actor Type: III
Serial: TR-18-055-001
Report Date: 20180209

Azorult Keylogger

On 08 February 2018, Wapack Labs discovered a user affected by the Azorult malware who may have compromised a major US city’s procurement portal.   Analysts identified this infected user through our keylogger collection project.  The affected user had their username and password stolen when signing onto the city’s procurement website portal.  This city’s portal permits contractors to enter bids for the government’s request for quotes (RFQ).

The Azorult keylogger is an information stealer that targets various programs to harvest sensitive credentials.  Wapack Labs observed numerous usernames and passwords stolen from this individual including email, financial, social media, and other accounts.

Conclusion

Wapack Labs was unable to fully identify the keylogged individual or discover a positive occupation.  Yet, Wapack Labs did observe log-in credentials stolen from the coastal area major US city’s website, which potentially pose a cyber threat to that government’s network.  If the compromised user successfully bids on a city contract, the Azorult keylogger may compromise this government’s network and gain valuable data.  Any log-in credentials or work-related activities conducted on an infected Azorult machine, is at risk of compromise.  This is an example of bad actor’s continued attacks on government systems to gain financial, proprietary and pii data. 

Previous Reporting:

2018 Winter Olympics Volunteers Hit with Azorult. 4 February 2018, TR-18-033-003

Figure 1. Identified stolen information from the user (Allen) logging into stpete.org portal.

Figure 2: Website where users can place bids on projects in St. Petersburg Florida. Wapack Labs identified this site in the keylogger collection, associated with stolen credentials.

For questions or comments regarding this report, please contact the lab directly by at 603-606-1246, or feedback@wapacklabs.com

E-mail me when people leave their comments –

You need to be a member of Red Sky Alliance to add comments!