Security researchers at Proofpoint have discovered a new version of the AZORult spyware in a large email campaign targeting North America.
AZORult is an information stealer and downloader malware which was first identified by researchers in 2016 as part of a secondary infection via the Chthonic banking Trojan.
Researchers spotted the new version when it was advertised on an underground forum on July 17; the next day they observed a large email campaign targeting North America using the new version of AZORult.
“Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware,” Proofpoint said in its post.
The emails use employment-related subject lines such as “About a role” and “Job Application” and carry a password-protected attachment named in the format “firstname.surname_resume.doc”.
The password is included in the body of the email. The attackers use this technique to bypass antivirus software, because the encrypted document cannot be scanned as malicious until the password is entered.
Once the victim enters the password, the document asks the victim to enable macros; the macros download the AZORult spyware, which in turn downloads the Hermes 2.1 ransomware payload.
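The delivery pattern described above (employment-themed subject, resume-style file name, password-protected document with the password in the message body) can be turned into a simple mail-gateway heuristic. The following is an added example written for this article, not Proofpoint's code or a product rule; the message and attachment fields, the `encrypted` flag (assumed to be set by the gateway when it sees a password-protected Office container) and the sample messages are all constructed here.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Indicators taken from the article's description of the campaign.
EMPLOYMENT_SUBJECTS = ("about a role", "job application")
# "firstname.surname_resume.doc"
RESUME_NAME = re.compile(r"^[a-z]+\.[a-z]+_resume\.doc$", re.IGNORECASE)
# Hypothetical phrasing for a password handed over in the body, e.g. "password is X" or "password: X".
PASSWORD_IN_BODY = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)


@dataclass
class Attachment:
    name: str
    encrypted: bool  # assumed: true when the gateway finds a password-protected document container


@dataclass
class Message:
    subject: str
    body: str
    attachments: List[Attachment] = field(default_factory=list)


def score(msg: Message) -> Tuple[int, List[str]]:
    """Return a risk score and the list of reasons that produced it."""
    reasons: List[str] = []
    if any(s in msg.subject.lower() for s in EMPLOYMENT_SUBJECTS):
        reasons.append("employment-themed subject")
    for att in msg.attachments:
        if RESUME_NAME.match(att.name):
            reasons.append(f"resume-style attachment name: {att.name}")
        if att.encrypted:
            reasons.append(f"password-protected attachment: {att.name}")
            # The AV-bypass trick only works if the recipient can open the file,
            # so the password travelling in the same message is the key signal.
            if PASSWORD_IN_BODY.search(msg.body):
                reasons.append("attachment password supplied in the message body")
    return len(reasons), reasons


def should_quarantine(msg: Message, threshold: int = 3) -> bool:
    """Quarantine when enough independent indicators line up."""
    return score(msg)[0] >= threshold


# Constructed sample messages (not real mail).
SUSPICIOUS = Message(
    subject="About a role at Example Corp",
    body="Please find my resume attached. The password is resume2018",
    attachments=[Attachment("jane.doe_resume.doc", encrypted=True)],
)
BENIGN = Message(
    subject="Meeting notes",
    body="See attached.",
    attachments=[Attachment("notes.docx", encrypted=False)],
)

if __name__ == "__main__":
    for m in (SUSPICIOUS, BENIGN):
        total, why = score(m)
        print(f"{m.subject!r}: score={total} quarantine={should_quarantine(m)} {why}")
```

A single indicator on its own (a resume attachment, or an encrypted document) is common in legitimate mail, which is why the decision uses a threshold over several indicators rather than any one of them.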
Once the infected machine connects to the command and control server, there is an initial exchange between the two. The infected machine then sends four reports containing stolen information:
- info: basic computer information such as Windows version and computer name
- pwds: this section contains stolen passwords (not confirmed)
- cooks: cookies or visited sites
- file: contents of the cookie files and a file containing more system profiling information, including machine ID, Windows version, computer name, screen resolution, local time, time zone, CPU model, CPU count, RAM, video card information, the process listing of the infected machine, and the software installed on it.
Once this process is complete, AZORult downloads the next payload, the Hermes 2.1 ransomware, which then extracts the victim's data and credentials.
According to Proofpoint, the new version can steal history from browsers (except IE and Edge) and includes a conditional loader that checks for the presence of cookies, cryptocurrency wallets, and other parameters before acting. The full changelog is given below:
- UPD v3.2
- [+] Added stealing of history from browsers (except IE and Edge)
- [+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
- [+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. There is also a rule “If there is data from cryptocurrency wallets” or “for all”
- [+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
- [+] Reduced the load in the admin panel.
- [+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
- [+] Added to the admin panel guest statistics
- [+] Added to the admin panel a geobase