Recently the threat actors behind the AZORult malware released a refreshed variant with upgrades to both its stealer and its downloader functionality. Within a day of the new version's release on the dark web, an actor used AZORult in a large email campaign to distribute the Hermes ransomware.
The new campaign using the updated version of AZORult delivered thousands of messages targeting North America, with subjects such as "About a role" or "Job Application", and carried a weaponized Office document named "firstname.surname_resume.doc" as an attachment.
Researchers said, "The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes."
The attackers used password-protected documents to evade antivirus detection. Once the recipient enters the password, the document asks them to enable macros, which in turn download AZORult; the malware then connects to its C&C server from the newly infected machine, and the C&C server responds with the XOR-encoded 3-byte key.
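As an added illustration of the 3-byte XOR encoding mentioned above, here is a small decoder an analyst could apply to a captured exchange; this is example code written for this article, not AZORult's or Proofpoint's code. It assumes the key is applied as a repeating (cyclic) XOR over the payload, and the sample bytes are constructed rather than real C2 data.

```python
# Added example: repeating-key XOR decode and key recovery, as an analyst
# might apply to captured traffic. Assumption: the 3-byte key is applied
# cyclically over the payload. The sample bytes below are constructed and
# are not real AZORult traffic.

def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte of data with the key, cycling through the key bytes.
    XOR is its own inverse, so the same call both encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(encoded: bytes, known_plaintext: bytes, key_len: int = 3) -> bytes:
    """Recover a repeating XOR key from ciphertext plus a known plaintext prefix.

    At least key_len bytes of known plaintext are needed; any extra known bytes
    are used to confirm that one repeating key explains the whole prefix, which
    guards against guessing the wrong key length or the wrong offset."""
    if len(known_plaintext) < key_len:
        raise ValueError(f"need at least {key_len} bytes of known plaintext")
    if len(encoded) < len(known_plaintext):
        raise ValueError("ciphertext is shorter than the known plaintext")
    key = bytes(encoded[i] ^ known_plaintext[i] for i in range(key_len))
    for i in range(key_len, len(known_plaintext)):
        if encoded[i] ^ key[i % key_len] != known_plaintext[i]:
            raise ValueError(f"no consistent {key_len}-byte key at offset {i}")
    return key


# Constructed sample exchange (placeholder content, not a real C2 message).
SAMPLE_KEY = b"\x5a\x13\xc7"
SAMPLE_PLAINTEXT = b"BEGIN|host=lab-pc-01|user=analyst|wallets=0|END"
SAMPLE_ENCODED = xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def decode_sample() -> bytes:
    """Recover the key from the known 'BEGIN|' marker, then decode the rest."""
    key = recover_key(SAMPLE_ENCODED, b"BEGIN|")
    return xor_with_key(SAMPLE_ENCODED, key)


if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_ENCODED, b"BEGIN|").hex())
    print("decoded:", decode_sample().decode())
```

Against real captures the known plaintext would be whatever fixed marker the analyst has already established for the protocol, and a failed consistency check is a signal that the key length or the alignment assumption is wrong.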
Finally, after exfiltrating stolen credentials from the infected machine, it also downloads the Hermes 2.1 ransomware.
Security analysts from Proofpoint also identified the new version (3.2) of AZORult advertised on an underground forum with a full changelog.
UPD v3.2
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]Com/soft.exe. Also, there is a rule "If there is data from cryptocurrency wallets" or "for all"
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
[+] Reduced the load in the admin panel.
[+] Added to the admin panel a button for removing "dummies", i.e. reports without useful information
[+] Added to the admin panel guest statistics
[+] Added to the admin panel a geobase
As the researchers note, the campaign delivers both a password stealer and ransomware, which is noteworthy because the combination is uncommon. Before the ransomware runs, the stealer checks for cryptocurrency wallets and steals credentials, so the theft happens before the files are encrypted.