分析者: Jacob Anthony Dyogi

Similar to EMOTET’s arrival, Trojan spyware Azurolt has been spotted coming in the form of a spoofed bank notification. The spam campaign is making the rounds in Germany and UK.

The email prompts the user to download a doc file using the malicious link different from what is displayed:

The URL downloads from a fake db.com site:

Then redirects to the real db.com:

Once the user enables the macro (detected as W2KM_POWLOAD.NSFGAIBA), it downloads the Godzilla loader (detected as TROJ_ZIGDOLL.A) from the fake db.com site via PowerShell. It then downloads the Azurolt malware (detected as TSPY_AZORULT.A), designed to steal information.

 垃圾邮件阻止日期/时间 : 2018年8月22日 22:00:00 GMT-8
 TMASE
  • TMASE引擎(全局:8.0
  • TMASE样式(全局):4048