Azzy is a malware implant developed by the Sofacy group, a threat actor known for intrusions that compromise and damage computer systems. Earlier this year, we identified a new release of the Azzy implant that was largely undetected by anti-malware products at the time. This version first appeared in August, expanding an arsenal that already included backdoors and tools such as CORESHELL, SPLM, JHUHUGIT, and more. The Azzy implant, also known as ADVSTORESHELL, NETUI, and EVILTOSS, spans four to five generations, the latest being generation 4.3.
During a high-profile incident, our products successfully detected and blocked a standard Sofacy Azzy sample targeting defense contractors. The sample used in this attack (md5 A96F4B8AC7AA9DBF4624424B7602D4F7, compiled July 29th, 2015) was a typical Sofacy x64 Azzy implant, internally named “advshellstore.dll”. Despite being blocked, the Sofacy team persisted. They deployed a rare modification of the Azzy backdoor for initial reconnaissance, copying stolen data into a hidden directory from which it could later be exfiltrated using one of the Azzy implants.
In addition to the new Azzy backdoors that use a side-DLL for C&C, we observed a new set of data-theft modules deployed against victims by the Sofacy group. In line with their previous modifications, the developers altered earlier Azzy backdoors to read the C&C server address from an encoded value in the registry, instead of storing it in the malware itself. Furthermore, an unknown attack installed a separate piece of malware, "msdeltemp.dll" (md5: CE8B99DF8642C065B6AF43FDE1F786A3), a rare variant of the Sofacy Azzy implant compiled on July 28th, 2015. Remarkably, within an hour and a half, they had compiled and delivered another Azzy x64 backdoor (md5: 9D2F9E19DB8C20DC0D20D50869C7A373, compiled August 4th, 2015).
Description last updated: 2024-05-05T05:26:06.178Z