Revised AZORult info stealer/downloader used to spread ransomware within a day of emerging on the dark web

August 3, 2018


Wasting little time, cybercriminals began using a substantially updated version of the AZORult information stealer and downloader in an email phishing campaign only one day after the upgrade appeared on underground dark web forums on July 17.

Proofpoint researchers have observed the new version, 3.2, attempting to distribute Hermes ransomware version 2.1 in the wild while also exfiltrating victim data and credentials. In addition, the malware claims improved stealing and loading capabilities, as well as support for additional cryptocurrency wallets.

These capabilities include the ability to “steal history from non-Microsoft browsers; a conditional loader that checks certain parameters [including cookies and cryptocurrency wallets] before executing the full malware; support for Exodus, Ethereum, Mist, Jaxx, Electrum, Electrum-LTC cryptocurrency wallets; the ability to use system proxies; and a few administrative tweaks, such as geo-awareness and the ability to more easily remove stealer reports that do not have useful information,” Proofpoint reported in a blog post. The malware authors also updated AZORult’s command-and-control communication protocol.

The July 18 campaign that leveraged the new-and-improved AZORult reportedly sent North American recipients thousands of emails with employment-related subject lines such as “About a role” and “Job Application.” One email sample that Proofpoint examined contained a body message that read, “My name is Napoleon and I am interested in a job. I’ve enclosed a copy of my resume. The password is 789”.

For the campaign to succeed, the intended victim must perform two actions: open the password-protected document using the supplied password, and enable the embedded macros, which download AZORult 3.2.

Proofpoint has attributed the campaign to an actor it tracks as TA516, which has previously used similar techniques to spread banking trojans and Monero miners. “Improved methods of stealing cryptocurrency wallets and credentials in the new version of AZORult may also provide a link to TA516’s demonstrated interest in cryptocurrencies,” says Proofpoint, which notes that AZORult has existed since at least 2016.

“It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common and particularly troubling for recipients who may first have credentials, cryptocurrency wallets, and more stolen before losing access to their files in the subsequent ransomware attack,” the blog post states.