Azzy

Malware Profile Updated 24 days ago
Download STIX
Preview STIX
Azzy is a malware implant developed by the Sofacy group, known for its malicious activities aimed at exploiting and damaging computer systems. Earlier this year, we identified a new release of the Azzy implant that was largely undetected by anti-malware products at the time. This version first appeared in August, expanding upon the group's arsenal which already included backdoors and tools such as CORESHELL, SPLM, JHUHUGIT, and more. The Azzy implant, also known as ADVSTORESHELL, NETUI, EVILTOSS, spans across four to five generations, with the latest being the 4.3 generation. During a high-profile incident, our products successfully detected and blocked a standard Sofacy Azzy sample targeting defense contractors. The sample used in this attack (md5 A96F4B8AC7AA9DBF4624424B7602D4F7, compiled July 29th, 2015) was a typical Sofacy x64 Azzy implant, internally named “advshellstore.dll”. Despite the blockage, the Sofacy team persisted. They deployed a rare modification of the Azzy backdoor for initial reconnaissance, copying stolen data into a hidden directory from where it could be exfiltrated using one of the Azzy implants. In addition to the new Azzy backdoors with side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. In line with their previous modifications, the developers altered earlier Azzy backdoors to use a C&C server encoded in the registry, instead of storing it in the malware itself. Furthermore, an unknown attack installed a separate malware "msdeltemp.dll" (md5: CE8B99DF8642C065B6AF43FDE1F786A3), a rare type of the Sofacy Azzy implant, compiled on July 28th, 2015. Remarkably, within an hour and a half, they had compiled and delivered another Azzy x64 backdoor (md5: 9D2F9E19DB8C20DC0D20D50869C7A373, compiled August 4th, 2015).
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
IDVotesProfile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Threat Actors
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Associated Vulnerabilities
To see the evidence that has resulted in this association, create a free account
IDTypeVotesProfile Description
No associations to display
Source Document References
Information about the Azzy Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
SourceCreatedAtTitle
MITRE
a year ago
Sofacy APT hits high profile targets with updated toolset