AZORult Downloader Adds Cryptomining, Ransomware Capabilities

Proofpoint researchers said the latest version of the AZORult information stealer and downloader makes it a larger threat and noted that the group behind it is now advertising its cryptomining and ransomware capabilities.

Jeffrey Burt, Editor & Journalist

August 1, 2018

5 Min Read

A new version of the fast-evolving AZORult information stealer and downloader malware includes ransomware and cryptocurrency mining as possible additional payloads, and the new iteration already has been used in a new email campaign to distribute ransomware, according to researchers at Proofpoint.

The AZORult version 3.2 ramps up the threat to victims with its conditional payload feature, which searches for the presence of cookies and cryptocurrency wallets such as Exodus, Jaxx, Mist and Ethereum. In addition, the AZORult can now steal history from browsers -- though not Microsoft IE or Edge -- and can use system proxies to try to connect directly, according to the researchers.

Proofpoint researchers first detected AZORult in 2016, saying it was part of a secondary infection through the Chthonic banking Trojan.

The threat has evolved since then.

Screen shot showing email campaign advertising the AZORult update\r\n(Source: Proofpoint)\r\n

Screen shot showing email campaign advertising the AZORult update
\r\n(Source: Proofpoint)\r\n

"It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common, and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack," Proofpoint analysts wrote in a post on the vendor's blog. "The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes."

The addition of new payloads is not surprising, according to Patrick Wheeler, director of threat intelligence at Proofpoint.

Malware that can mine cryptocurrencies such as Bitcoin, Monero and Ethereum have become particularly popular since the end of last year. The malware is used to steal CPU and GPU cycles from victims' systems in order to mine cryptocurrencies or to steal coins from a user's digital wallet. Cybersecurity vendors have seen a rapid rise in the incidence of cryptomining, which is rising in popularity as the use of ransomware has waned. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes .)

"AZORult added new conditional loading features and cryptocurrency wallet theft capabilities," Wheeler told Security Now in an email. "Coin miners and ransomware could be downloaded as additional payloads. That said, we are seeing a trend in commodity malware towards incorporation of additional modules, particularly for mining cryptocurrency."

He added that the "conditional loading feature is important as it makes the stealer smarter. If an application or data of interest resides on the infected machine, then AZORult can download relevant additional malware to exploit the interests of the PC owner."

Advertising for AZORult
Proofpoint researchers wrote that they discovered an advertisement for the latest AZORult version on an underground forum July 17.

A day later, they detected an email campaign that was delivering thousands of messages aimed at users in North America using the new version of the malware. The messages were job-related in nature, using subject lines like "About a role" and "Job Application," with the attached documents using file names with the format "firstname.surname_resume.doc."

The documents were password-protected, with the password included in the body of the original email, a move designed to evade antivirus solutions. The document itself isn't malicious until the password is entered, and even then, after the password is entered, the user still needs to enable macros for the document in order for AZORult to be downloaded.

It then downloads the Hermes 2.1 ransomware payload, the researchers wrote.

Researchers attributed the campaign to TA516, a threat actor Proofpoint analyzed last year, including the ways the attacker used documents that used similar resume lures to entice victims to download banking Trojans or a Monero miner.

"Improved means of stealing cryptocurrency wallets and credentials in the new version of AZORult might also provide a connection to TA516's demonstrated interests in cryptocurrencies," they note.

Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

The impact of the enhanced AZORult malware could be substantial, the analyst wrote.

Thousands of messages can be sent in a campaign and, with the capabilities to steal credentials and cryptocurrency, victims can be hit with direct financial losses. In addition, businesses also are threatened: AZORult enables bad actors "to establish a beachhead in affected organizations" and the ability to download the Hermes 2.1 ransomware could lead to direct financial losses and disruptions in business, they wrote.

"As with most malware, an ounce of prevention is worth a pound of cure," Wheeler wrote. "Maintaining layered security with protection at the email gateway, network edge, and endpoint are all critical elements of protection against these threats."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Read more about:

Security Now

About the Author(s)

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights