Azzy

Malware Profile Updated 3 months ago

Download STIX

Preview STIX

Azzy is a malware implant developed by the Sofacy group, known for its malicious activities aimed at exploiting and damaging computer systems. Earlier this year, we identified a new release of the Azzy implant that was largely undetected by anti-malware products at the time. This version first appeared in August, expanding upon the group's arsenal which already included backdoors and tools such as CORESHELL, SPLM, JHUHUGIT, and more. The Azzy implant, also known as ADVSTORESHELL, NETUI, EVILTOSS, spans across four to five generations, with the latest being the 4.3 generation. During a high-profile incident, our products successfully detected and blocked a standard Sofacy Azzy sample targeting defense contractors. The sample used in this attack (md5 A96F4B8AC7AA9DBF4624424B7602D4F7, compiled July 29th, 2015) was a typical Sofacy x64 Azzy implant, internally named “advshellstore.dll”. Despite the blockage, the Sofacy team persisted. They deployed a rare modification of the Azzy backdoor for initial reconnaissance, copying stolen data into a hidden directory from where it could be exfiltrated using one of the Azzy implants. In addition to the new Azzy backdoors with side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. In line with their previous modifications, the developers altered earlier Azzy backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself. Furthermore, an unknown attack installed a separate malware "msdeltemp.dll" (md5: CE8B99DF8642C065B6AF43FDE1F786A3), a rare type of the Sofacy Azzy implant, compiled on July 28th, 2015. Remarkably, within an hour and a half, they had compiled and delivered another Azzy x64 backdoor (md5: 9D2F9E19DB8C20DC0D20D50869C7A373, compiled August 4th, 2015).

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

ID	Votes	Profile Description
Carberp	1	Carberp is a notable malware that has been widely used and modified by various threat actors. Its source code, which was leaked in 2013, has become the basis for a multitude of other malicious software due to its sophisticated design and capabilities. The malware can infiltrate systems through dubio
ADVSTORESHELL	1	None

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

Implant

Dropper

Malware

Reconnaissance

Associated Malware

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
CORESHELL	Unspecified	1	Coreshell is a variant of Sofacy malware used by threat actors to compromise systems and steal sensitive information. Malware, like Coreshell, can infect computer systems through suspicious downloads, emails, or websites. Once inside, it can disrupt operations, steal personal information, or hold da
Xagent	Unspecified	1	XAgent is a sophisticated malware developed by the Sofacy group, also known as APT28 or Fancy Bear. This malicious software was added to the group's arsenal in 2013, alongside other backdoors and tools such as CORESHELL, SPLM (also known as Xagent or CHOPSTICK), JHUHUGIT, AZZY, and others. XAgent is
Splm	Unspecified	1	SPLM, also known as XAgent or CHOPSTICK, is a sophisticated malware variant deployed by the Sofacy group. The group, notorious for its cyber espionage campaigns, expanded its arsenal in 2013, adding SPLM among other backdoors and tools such as CORESHELL, JHUHUGIT, AZZY, and more. These campaigns hav
JHUHUGIT	Unspecified	1	Jhuhugit is a type of malware that was used in Sofacy attacks as a first-stage implant. It became relatively popular and was also used with a Java zero-day in July 2015. The Sofacy group, which utilized jhuhugit, expanded their arsenal in 2013 by adding more backdoors and tools, including CORESHELL,

Associated Threat Actors

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
Sofacy	Unspecified	1	Sofacy is a threat actor group that has been observed using multiple languages to create variants of the Zebrocy Trojan and Cannon. In one campaign, they relied heavily on filenames to lure victims into launching weaponized documents. The group packed only Delphi variants in an attempt to increase e
APT28	Unspecified	1	APT28, also known as Fancy Bear, is a threat actor linked to Russia and has been involved in numerous cyber espionage campaigns. The group is notorious for its sophisticated tactics, techniques, and procedures (TTPs). Recently, NATO and the EU formally condemned APT28's activities, acknowledging the
Sofacy Group	Unspecified	1	The Sofacy Group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, BlueDelta, and STRONTIUM, is a significant threat actor in the global cybersecurity landscape. Active since at least 2007, this group has targeted governments, militaries, and security organizations worldwide. The group's activit

Associated Vulnerabilities

To see the evidence that has resulted in this association, create a free account

ID	Type	Votes	Profile Description
No associations to display

Source Document References

Information about the Azzy Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source	CreatedAt	Title
MITRE	a year ago	Sofacy APT hits high profile targets with updated toolset