
Application Security //

Ransomware

8/1/2018
08:05 AM
Jeffrey Burt

AZORult Downloader Adds Cryptomining, Ransomware Capabilities

Proofpoint researchers said the latest version of the AZORult information stealer and downloader makes it a larger threat and noted that the group behind it is now advertising its cryptomining and ransomware capabilities.

A new version of the fast-evolving AZORult information stealer and downloader malware includes ransomware and cryptocurrency mining as possible additional payloads, and the new iteration already has been used in a new email campaign to distribute ransomware, according to researchers at Proofpoint.

AZORult version 3.2 ramps up the threat to victims with its conditional payload feature, which checks the infected system for cookies and cryptocurrency wallets such as Exodus, Jaxx, Mist and Ethereum before deciding what to download. In addition, AZORult can now steal browser history (though not from Microsoft IE or Edge) and can use system proxies to try to connect directly, according to the researchers.

Proofpoint researchers first detected AZORult in 2016, saying it was part of a secondary infection through the Chthonic banking Trojan.

The threat has evolved since then.

"It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common, and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack," Proofpoint analysts wrote in a post on the vendor's blog. "The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes."

The addition of new payloads is not surprising, according to Patrick Wheeler, director of threat intelligence at Proofpoint.

Malware that can mine cryptocurrencies such as Bitcoin, Monero and Ethereum has become particularly popular since the end of last year. Such malware steals CPU and GPU cycles from victims' systems to mine cryptocurrency, or steals coins directly from a user's digital wallet. Cybersecurity vendors have seen a rapid rise in cryptomining incidents as the use of ransomware has waned. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes.)

"AZORult added new conditional loading features and cryptocurrency wallet theft capabilities," Wheeler told Security Now in an email. "Coin miners and ransomware could be downloaded as additional payloads. That said, we are seeing a trend in commodity malware towards incorporation of additional modules, particularly for mining cryptocurrency."

He added that the "conditional loading feature is important as it makes the stealer smarter. If an application or data of interest resides on the infected machine, then AZORult can download relevant additional malware to exploit the interests of the PC owner."

Advertising for AZORult
Proofpoint researchers wrote that they discovered an advertisement for the latest AZORult version on an underground forum on July 17.

A day later, they detected an email campaign delivering thousands of messages aimed at users in North America and carrying the new version of the malware. The messages were job-related, using subject lines like "About a role" and "Job Application," with attached documents named in the format "firstname.surname_resume.doc."

The documents were password-protected, with the password included in the body of the email, a move designed to evade antivirus solutions. The document itself isn't malicious until the password is entered, and even then the user still needs to enable macros for the document before AZORult is downloaded.

Once running, AZORult downloads the Hermes 2.1 ransomware payload, the researchers wrote.
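As an added example that is not part of the original article or of Proofpoint's research, the following Python scores inbound email metadata against the lure traits described above: job-themed subject lines, "firstname.surname_resume.doc" attachment names, and an attachment password supplied in the message body. The message records, the weights and the alert threshold are constructed assumptions for illustration; the point is that a password-protected attachment whose password travels in the same email defeats gateway content inspection, so the surrounding metadata is what a defender can still score.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Lure traits taken from the campaign described above. The weights and the
# alert threshold are assumptions chosen for this example, not Proofpoint's.
LURE_SUBJECTS = ("about a role", "job application")
RESUME_NAME_RE = re.compile(r"^[a-z]+\.[a-z]+_resume\.docm?$", re.IGNORECASE)
# "the password is X" / "Password: X" in the body: the attachment is encrypted,
# so the gateway cannot inspect it, and the key to open it rides alongside.
PASSWORD_IN_BODY_RE = re.compile(r"\bpassword\b\s*(?:is|:)\s*\S+", re.IGNORECASE)


@dataclass
class MailRecord:
    """Minimal view of an inbound message as a gateway or SIEM would log it."""
    sender: str
    subject: str
    attachments: List[str]
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: List[str] = field(default_factory=list)


def score_message(msg: MailRecord) -> Verdict:
    """Accumulate a weighted score for each lure trait present in the message."""
    v = Verdict()
    subject = msg.subject.lower()
    if any(lure in subject for lure in LURE_SUBJECTS):
        v.score += 1
        v.reasons.append("job-themed subject line")
    if any(RESUME_NAME_RE.match(name) for name in msg.attachments):
        v.score += 2
        v.reasons.append("firstname.surname_resume.doc attachment name")
    if PASSWORD_IN_BODY_RE.search(msg.body):
        v.score += 2
        v.reasons.append("attachment password supplied in message body")
    return v


# Assumption: a resume-style name or job subject alone is routine HR traffic;
# the password-in-body trait must combine with another trait to alert.
ALERT_THRESHOLD = 4


def is_suspicious(msg: MailRecord) -> bool:
    return score_message(msg).score >= ALERT_THRESHOLD


# Constructed sample messages (not real campaign data).
SAMPLES = [
    MailRecord("applicant@example.net", "Job Application",
               ["jane.doe_resume.doc"],
               "Please find my resume attached. The password is 1234."),
    MailRecord("hr@example.com", "Re: Job Application",
               ["jane.doe_resume.doc"],
               "Forwarding the candidate's resume for the panel."),
    MailRecord("it@example.com", "Quarterly report",
               ["q2_report.xlsx"],
               "Attached. Let me know if anything is missing."),
]

if __name__ == "__main__":
    for m in SAMPLES:
        v = score_message(m)
        print(f"{m.subject!r:24} score={v.score} suspicious={is_suspicious(m)} {v.reasons}")
```

The second sample shows why the threshold matters: an HR forward of a genuine resume shares two of the three traits, and only the password-in-body signal separates the lure from legitimate traffic.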

Researchers attributed the campaign to TA516, a threat actor Proofpoint analyzed last year, when the group used similar resume-themed documents as lures to get victims to download banking Trojans or a Monero miner.

"Improved means of stealing cryptocurrency wallets and credentials in the new version of AZORult might also provide a connection to TA516's demonstrated interests in cryptocurrencies," they note.


The impact of the enhanced AZORult malware could be substantial, the analysts wrote.

Thousands of messages can be sent in a single campaign, and because the malware can steal credentials and cryptocurrency, victims can suffer direct financial losses. Businesses are threatened too: AZORult enables bad actors "to establish a beachhead in affected organizations," and its ability to download the Hermes 2.1 ransomware could lead to direct financial losses and business disruption, they wrote.

"As with most malware, an ounce of prevention is worth a pound of cure," Wheeler wrote. "Maintaining layered security with protection at the email gateway, network edge, and endpoint are all critical elements of protection against these threats."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
