Dark Reading is part of the Informa Tech Division of Informa PLC


08:05 AM
Jeffrey Burt

AZORult Downloader Adds Cryptomining, Ransomware Capabilities

Proofpoint researchers said the latest version of the AZORult information stealer and downloader makes it a larger threat and noted that the group behind it is now advertising its cryptomining and ransomware capabilities.

A new version of the fast-evolving AZORult information stealer and downloader includes ransomware and cryptocurrency mining as optional additional payloads, and the new iteration has already been used in a new email campaign to distribute ransomware, according to researchers at Proofpoint.

AZORult version 3.2 ramps up the threat to victims with its conditional payload feature, which checks for the presence of cookies and cryptocurrency wallets such as Exodus, Jaxx, Mist and Ethereum before deciding what to download. In addition, AZORult can now steal browser history -- though not from Microsoft IE or Edge -- and can use system proxies when trying to connect, according to the researchers.

Proofpoint researchers first detected AZORult in 2016, saying it was part of a secondary infection through the Chthonic banking Trojan.

The threat has evolved since then.

"It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common, and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack," Proofpoint analysts wrote in a post on the vendor's blog. "The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes."

The addition of new payloads is not surprising, according to Patrick Wheeler, director of threat intelligence at Proofpoint.

Malware that mines cryptocurrencies such as Bitcoin, Monero and Ethereum has become particularly popular since the end of last year. Such malware steals CPU and GPU cycles from victims' systems in order to mine cryptocurrency, or steals coins directly from a user's digital wallet. Cybersecurity vendors have seen a rapid rise in the incidence of cryptomining, which is gaining popularity as the use of ransomware has waned. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes.)

"AZORult added new conditional loading features and cryptocurrency wallet theft capabilities," Wheeler told Security Now in an email. "Coin miners and ransomware could be downloaded as additional payloads. That said, we are seeing a trend in commodity malware towards incorporation of additional modules, particularly for mining cryptocurrency."

He added that the "conditional loading feature is important as it makes the stealer smarter. If an application or data of interest resides on the infected machine, then AZORult can download relevant additional malware to exploit the interests of the PC owner."

Advertising for AZORult
Proofpoint researchers wrote that they discovered an advertisement for the latest AZORult version on an underground forum July 17.

A day later, they detected an email campaign that was delivering thousands of messages aimed at users in North America using the new version of the malware. The messages were job-related in nature, using subject lines like "About a role" and "Job Application," with the attached documents using file names with the format "firstname.surname_resume.doc."

The documents were password-protected, with the password included in the body of the email, a move designed to keep antivirus solutions from inspecting the content. The document does nothing malicious until the password is entered, and even then the user still has to enable macros before AZORult is downloaded.

It then downloads the Hermes 2.1 ransomware payload, the researchers wrote.
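The delivery chain described above (job-themed subject, a resume-named .doc attachment, and the document password handed over in the message body) lends itself to a simple mail-gateway triage rule. The following Python is an added illustration, not code from Proofpoint or from this article: it scores each inbound message on those three indicators and decides whether to deliver, hold for review, or quarantine. The sample messages, the scoring weights, the quarantine threshold and the password-phrase pattern are all assumptions made for the example.

```python
"""
Added example (not Proofpoint's or the article's code): triage inbound mail
for the resume-lure pattern reported in the AZORult campaign.

Indicators taken from the article:
  * job-related subject lines ("About a role", "Job Application")
  * attachments named firstname.surname_resume.doc
  * a document password supplied in the message body
Weights, thresholds, sample messages and regexes are assumptions.
"""
import re
from dataclasses import dataclass, field

# Subject lines the researchers observed, compared case-insensitively.
JOB_SUBJECTS = {"about a role", "job application"}

# firstname.surname_resume.doc; .docm/.docx accepted as an assumed broadening.
RESUME_NAME = re.compile(r"^[a-z]+\.[a-z]+_resume\.doc[mx]?$", re.IGNORECASE)

# "password is 7841", "Password: abc" -- assumed phrasing for a password in the body.
BODY_PASSWORD = re.compile(r"\bpassword\b\s*(?:is|:)?\s*\S+", re.IGNORECASE)

# Indicator weights (assumption): a password in the body is the strongest
# signal because it only makes sense if the attachment is encrypted.
WEIGHTS = {
    "job-related subject": 1,
    "resume-style .doc attachment": 1,
    "document password in body": 2,
}
QUARANTINE_THRESHOLD = 3   # assumption; tune to your environment
REVIEW_THRESHOLD = 2       # assumption


@dataclass
class Message:
    subject: str
    body: str
    attachments: list = field(default_factory=list)


def score_message(msg):
    """Return (score, reasons) for the resume-lure indicators present in msg."""
    reasons = []
    if msg.subject.strip().lower() in JOB_SUBJECTS:
        reasons.append("job-related subject")
    if any(RESUME_NAME.match(name) for name in msg.attachments):
        reasons.append("resume-style .doc attachment")
    if BODY_PASSWORD.search(msg.body):
        reasons.append("document password in body")
    score = sum(WEIGHTS[r] for r in reasons)
    return score, reasons


def triage(msg):
    """Map the score to a gateway action."""
    score, _ = score_message(msg)
    if score >= QUARANTINE_THRESHOLD:
        return "quarantine"
    if score >= REVIEW_THRESHOLD:
        return "review"
    return "deliver"


# Constructed sample messages (not real campaign data).
SAMPLES = [
    Message("About a role",
            "Hi, please see my CV attached. The document password is 7841.",
            ["jane.doe_resume.doc"]),
    Message("Job Application",
            "Please find my resume attached.",
            ["john.smith_resume.doc"]),
    Message("Q3 planning",
            "Agenda for Thursday attached.",
            ["agenda.docx"]),
]


def run_triage(messages):
    """Return the triage decision for each message, in order."""
    return [triage(m) for m in messages]


if __name__ == "__main__":
    for m in SAMPLES:
        score, reasons = score_message(m)
        print(f"{triage(m):10s} score={score} subject={m.subject!r} reasons={reasons}")
```

The first sample trips all three indicators and is quarantined; the second has the lure subject and attachment name but no password, so it is held for review rather than blocked outright; ordinary business mail scores zero and is delivered. A real gateway would add a check that the attachment is actually encrypted, which is the observable the password-in-body trick depends on.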

Researchers attributed the campaign to TA516, a threat actor Proofpoint analyzed last year, noting that the group had previously used documents with similar resume lures to entice victims into downloading banking Trojans or a Monero miner.

"Improved means of stealing cryptocurrency wallets and credentials in the new version of AZORult might also provide a connection to TA516's demonstrated interests in cryptocurrencies," they note.


The impact of the enhanced AZORult malware could be substantial, the analysts wrote.

Thousands of messages can be sent in a single campaign and, given the malware's ability to steal credentials and cryptocurrency, victims can suffer direct financial losses. Businesses are also threatened: AZORult lets bad actors "establish a beachhead in affected organizations," and its ability to download the Hermes 2.1 ransomware could lead to direct financial losses and business disruption, they wrote.

"As with most malware, an ounce of prevention is worth a pound of cure," Wheeler wrote. "Maintaining layered security with protection at the email gateway, network edge, and endpoint are all critical elements of protection against these threats."

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
