Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Ransomware

8/1/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

AZORult Downloader Adds Cryptomining, Ransomware Capabilities

Proofpoint researchers said the latest version of the AZORult information stealer and downloader makes it a larger threat and noted that the group behind it is now advertising its cryptomining and ransomware capabilities.

A new version of the fast-evolving AZORult information stealer and downloader malware includes ransomware and cryptocurrency mining as possible additional payloads, and the new iteration already has been used in a new email campaign to distribute ransomware, according to researchers at Proofpoint.

The AZORult version 3.2 ramps up the threat to victims with its conditional payload feature, which searches for the presence of cookies and cryptocurrency wallets such as Exodus, Jaxx, Mist and Ethereum. In addition, the AZORult can now steal history from browsers -- though not Microsoft IE or Edge -- and can use system proxies to try to connect directly, according to the researchers.

Proofpoint researchers first detected AZORult in 2016, saying it was part of a secondary infection through the Chthonic banking Trojan.

The threat has evolved since then.

"It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common, and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack," Proofpoint analysts wrote in a post on the vendor's blog. "The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes."

The addition of new payloads is not surprising, according to Patrick Wheeler, director of threat intelligence at Proofpoint.

Malware that can mine cryptocurrencies such as Bitcoin, Monero and Ethereum have become particularly popular since the end of last year. The malware is used to steal CPU and GPU cycles from victims' systems in order to mine cryptocurrencies or to steal coins from a user's digital wallet. Cybersecurity vendors have seen a rapid rise in the incidence of cryptomining, which is rising in popularity as the use of ransomware has waned. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes .)

"AZORult added new conditional loading features and cryptocurrency wallet theft capabilities," Wheeler told Security Now in an email. "Coin miners and ransomware could be downloaded as additional payloads. That said, we are seeing a trend in commodity malware towards incorporation of additional modules, particularly for mining cryptocurrency."

He added that the "conditional loading feature is important as it makes the stealer smarter. If an application or data of interest resides on the infected machine, then AZORult can download relevant additional malware to exploit the interests of the PC owner."

Advertising for AZORult
Proofpoint researchers wrote that they discovered an advertisement for the latest AZORult version on an underground forum July 17.

A day later, they detected an email campaign that was delivering thousands of messages aimed at users in North America using the new version of the malware. The messages were job-related in nature, using subject lines like "About a role" and "Job Application," with the attached documents using file names with the format "firstname.surname_resume.doc."

The documents were password-protected, with the password included in the body of the original email, a move designed to evade antivirus solutions. The document itself isn't malicious until the password is entered, and even then, after the password is entered, the user still needs to enable macros for the document in order for AZORult to be downloaded.

It then downloads the Hermes 2.1 ransomware payload, the researchers wrote.

Researchers attributed the campaign to TA516, a threat actor Proofpoint analyzed last year, including the ways the attacker used documents that used similar resume lures to entice victims to download banking Trojans or a Monero miner.

"Improved means of stealing cryptocurrency wallets and credentials in the new version of AZORult might also provide a connection to TA516's demonstrated interests in cryptocurrencies," they note.


Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

The impact of the enhanced AZORult malware could be substantial, the analyst wrote.

Thousands of messages can be sent in a campaign and, with the capabilities to steal credentials and cryptocurrency, victims can be hit with direct financial losses. In addition, businesses also are threatened: AZORult enables bad actors "to establish a beachhead in affected organizations" and the ability to download the Hermes 2.1 ransomware could lead to direct financial losses and disruptions in business, they wrote.

"As with most malware, an ounce of prevention is worth a pound of cure," Wheeler wrote. "Maintaining layered security with protection at the email gateway, network edge, and endpoint are all critical elements of protection against these threats."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-6017
PUBLISHED: 2020-12-03
Valve's Game Networking Sockets prior to version v1.2.0 improperly handles long unreliable segments in function SNP_ReceiveUnreliableSegment() when configured to support plain-text messages, leading to a Heap-Based Buffer Overflow and resulting in a memory corruption and possibly even a remote code ...
CVE-2020-6021
PUBLISHED: 2020-12-03
Check Point Endpoint Security Client for Windows before version E84.20 allows write access to the directory from which the installation repair takes place. Since the MS Installer allows regular users to run the repair, an attacker can initiate the installation repair and place a specially crafted DL...
CVE-2020-6111
PUBLISHED: 2020-12-03
An exploitable denial-of-service vulnerability exists in the IPv4 functionality of Allen-Bradley MicroLogix 1100 Programmable Logic Controller Systems Series B FRN 16.000, Series B FRN 15.002, Series B FRN 15.000, Series B FRN 14.000, Series B FRN 13.000, Series B FRN 12.000, Series B FRN 11.000 and...
CVE-2020-5680
PUBLISHED: 2020-12-03
Improper input validation vulnerability in EC-CUBE versions from 3.0.5 to 3.0.18 allows a remote attacker to cause a denial-of-service (DoS) condition via unspecified vector.
CVE-2020-5638
PUBLISHED: 2020-12-03
Cross-site scripting vulnerability in desknet's NEO (desknet's NEO Small License V5.5 R1.5 and earlier, and desknet's NEO Enterprise License V5.5 R1.5 and earlier) allows remote attackers to inject arbitrary script via unspecified vectors.