AZORult is an information stealer and downloader designed to harvest sensitive details from the systems it compromises. The malware was first identified in 2016, when it was distributed as part of an infection with the Chthonic banking Trojan. Soon after its freshly updated version was released on underground forums on July 17, security researchers at Proofpoint detected a large spam email campaign carrying the new, significantly improved version of AZORult.
AZORult is a threat that allows attackers to steal various kinds of sensitive data from any compromised PC. At its first release in 2016, AZORult needed another piece of malware to install and run it. Earlier this year security researchers spotted a shift in its distribution techniques: they identified numerous spam email campaigns with attached RTF documents designed to exploit well-known vulnerabilities and deliver the spyware. Since then AZORult has been detected as part of various malspam attacks.
Among the details that can be stolen in an infection with AZORult are saved passwords, browser cookies, the cryptocurrency wallet.dat file, Skype message history, files from chat history, files stored on the desktop, the list of installed programs, the list of running processes, and system and hardware details.
AZORult Upgraded to Version 3.2
This month the threat was found to have a new version with some notable upgrades. As found by the researchers at Proofpoint, this new version is advertised as Version 3.2 on an underground forum, where the threat authors state that the official release of AZORult v3.2 features:
- Added stealing of history from browsers (except IE and Edge)
- Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
- Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. Also there is a rule “If there is data from cryptocurrency wallets” or “for all”
- Ad-supported search results.
- Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
- Reduced the load in the admin panel.
- Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
- Added to the admin panel guest statistics
- Added to the admin panel a geobase
AZORult in Action
One day after the updated AZORult debuted on the underground forums, threat actors released it in a large email spam campaign. The emails in this campaign were observed to use subjects related to employment offers, but the theme could easily change over time.
The spyware is hidden in password-protected documents attached to the emails. For the infection to begin, the recipient needs to enter the password provided in the email message and then enable macros. The macro downloads AZORult and lets it establish a connection to its command and control (C&C) server, to which it sends all the harvested details.
To make matters worse, the spyware is further set to download the Hermes 2.1 ransomware payload. Once this happens, the ransomware can render valuable files unusable and extort a ransom payment from the victim.
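As an added illustration (not from the article or from Proofpoint's research), the Python below correlates constructed process-creation events to surface the chain described above from a defender's side: an Office application, a macro-launched downloader, and follow-on payloads executing from a user-writable folder. The event fields, the Office and path lists, and the stage1/stage2 file names are assumptions, not artefacts from the campaign.

```python
# Added example, not part of the original article: walk a process tree so that
# executables launched from user-writable folders beneath an Office application
# (the macro -> downloader -> stealer -> ransomware chain) are surfaced for triage.
from collections import namedtuple

# Assumed minimal event shape (Sysmon event ID 1 carries these fields, among others).
Event = namedtuple("Event", "pid ppid image")

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}           # assumed parent set
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")

def ancestry(events, pid):
    """Return the list of image paths from pid up to the root, following ppid links."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(by_pid[pid].image)
        pid = by_pid[pid].ppid
    return chain

def flag_macro_chains(events):
    """Flag processes running from a user-writable path that have an Office ancestor."""
    findings = []
    for e in events:
        if not any(p in e.image.lower() for p in USER_WRITABLE):
            continue
        chain = ancestry(events, e.pid)
        parents = (a.lower().rsplit("\\", 1)[-1] for a in chain[1:])
        if any(name in OFFICE for name in parents):
            findings.append((e.pid, chain))
    return findings

# Constructed sample events mirroring the chain in the text (placeholder file names).
SAMPLE = [
    Event(100, 1,   r"C:\Windows\explorer.exe"),
    Event(200, 100, r"C:\Program Files\Microsoft Office\WINWORD.EXE"),
    Event(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Event(400, 300, r"C:\Users\alice\AppData\Local\Temp\stage1.exe"),   # stealer stage
    Event(500, 400, r"C:\Users\alice\AppData\Local\Temp\stage2.exe"),   # ransomware stage
    Event(600, 100, r"C:\Users\alice\AppData\Local\Temp\updater.exe"),  # no Office ancestor
]

if __name__ == "__main__":
    for pid, chain in flag_macro_chains(SAMPLE):
        print(pid, " <- ".join(chain))
```

Only pids 400 and 500 are flagged: powershell.exe runs from System32 and updater.exe has no Office ancestor, so the rule keys on the combination of lineage and launch path rather than on either alone.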