A new sophisticated version of the AZORult Spyware appeared in the wild

“AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.” reads the analysis published by ProofPoint.

“Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality.”

AZORult is a data stealer that was first spotted in 2016 by Proofpoint that discovered it was it was part of a secondary infection via the Chthonic banking trojan. Later it was involved in many malspam attacks, but only now the authors released a substantially updated variant.

The latest version appears more sophisticated than previous ones, it implements the ability to steal histories from browsers (except IE and Edge), it includes a conditional loader that checks certain parameters before running the malicious code, and includes the support for Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC cryptocurrency wallets.

The conditional loader allows the attackers to infect only systems with specific characteristics, for example, it can check if certain desired cookies or saved passwords from specific sites are present on the victim’s machine,

After the malware has successfully connected the C&C server, it will send back to it the following files:

Next, after the initial exchange between the infected machine and the C&C server, the infected machine sends a report containing the stolen information. Again the report is XOR-encoded with the same 3-byte key; a portion of  the decoded version is shown in Figure 5. The stolen information is organized into sections:

• info: basic computer information such as Windows version and computer name
• pwds: this section contains stolen passwords (not confirmed)
• cooks: cookies or visited sites
• file: contents of the cookies files and a file containing more system profiling information including machine ID, Windows version, computer name, screen resolution, local time, time zone, CPU model,  CPU count,  RAM, video card information, process listing of the infected machine, and software installed on the infected machine.

Once completed this phase, AZORult may download the next-stage payload.

The experts attributed the campaign to the TA516 threat actor that was focused on cryptocurrencies.

“As in legitimate software development, malware authors regularly update their software to introduce competitive new features, improve usability, and otherwise differentiate their products.” said ProofPoint.

“The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware.”

Experts noticed that the infection process requests a significant users’ interaction to avoid antivirus. The victims would have to download the document that is password-protected, only after providing the password in a pop-up box included in the body of the email, the attack starts by requesting users to enable macros.

The macros download AZORult, which in turn downloads the Hermes 2.1 ransomware.

“AZORult malware, with its capabilities for credential and cryptocurrency theft, brings potential direct financial losses for individuals as well as the opportunity for actors to establish a beachhead in affected organizations,” concluded the experts.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – AZORult,  hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]