Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //


08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

AZORult Downloader Adds Cryptomining, Ransomware Capabilities

Proofpoint researchers said the latest version of the AZORult information stealer and downloader makes it a larger threat and noted that the group behind it is now advertising its cryptomining and ransomware capabilities.

A new version of the fast-evolving AZORult information stealer and downloader malware includes ransomware and cryptocurrency mining as possible additional payloads, and the new iteration already has been used in a new email campaign to distribute ransomware, according to researchers at Proofpoint.

The AZORult version 3.2 ramps up the threat to victims with its conditional payload feature, which searches for the presence of cookies and cryptocurrency wallets such as Exodus, Jaxx, Mist and Ethereum. In addition, the AZORult can now steal history from browsers -- though not Microsoft IE or Edge -- and can use system proxies to try to connect directly, according to the researchers.

Proofpoint researchers first detected AZORult in 2016, saying it was part of a secondary infection through the Chthonic banking Trojan.

The threat has evolved since then.

"It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common, and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack," Proofpoint analysts wrote in a post on the vendor's blog. "The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes."

The addition of new payloads is not surprising, according to Patrick Wheeler, director of threat intelligence at Proofpoint.

Malware that can mine cryptocurrencies such as Bitcoin, Monero and Ethereum have become particularly popular since the end of last year. The malware is used to steal CPU and GPU cycles from victims' systems in order to mine cryptocurrencies or to steal coins from a user's digital wallet. Cybersecurity vendors have seen a rapid rise in the incidence of cryptomining, which is rising in popularity as the use of ransomware has waned. (See McAfee: Cybercriminals Improving Techniques as Cryptomining Explodes .)

"AZORult added new conditional loading features and cryptocurrency wallet theft capabilities," Wheeler told Security Now in an email. "Coin miners and ransomware could be downloaded as additional payloads. That said, we are seeing a trend in commodity malware towards incorporation of additional modules, particularly for mining cryptocurrency."

He added that the "conditional loading feature is important as it makes the stealer smarter. If an application or data of interest resides on the infected machine, then AZORult can download relevant additional malware to exploit the interests of the PC owner."

Advertising for AZORult
Proofpoint researchers wrote that they discovered an advertisement for the latest AZORult version on an underground forum July 17.

A day later, they detected an email campaign that was delivering thousands of messages aimed at users in North America using the new version of the malware. The messages were job-related in nature, using subject lines like "About a role" and "Job Application," with the attached documents using file names with the format "firstname.surname_resume.doc."

The documents were password-protected, with the password included in the body of the original email, a move designed to evade antivirus solutions. The document itself isn't malicious until the password is entered, and even then, after the password is entered, the user still needs to enable macros for the document in order for AZORult to be downloaded.

It then downloads the Hermes 2.1 ransomware payload, the researchers wrote.

Researchers attributed the campaign to TA516, a threat actor Proofpoint analyzed last year, including the ways the attacker used documents that used similar resume lures to entice victims to download banking Trojans or a Monero miner.

"Improved means of stealing cryptocurrency wallets and credentials in the new version of AZORult might also provide a connection to TA516's demonstrated interests in cryptocurrencies," they note.

Zero in on the most attractive 5G NR deployment strategies, and take a look ahead to later technology developments and service innovations. Join us for the Deployment Strategies for 5G NR breakfast workshop in LA at MWCA on September 12. Register now to learn from and network with industry experts – communications service providers get in free!

The impact of the enhanced AZORult malware could be substantial, the analyst wrote.

Thousands of messages can be sent in a campaign and, with the capabilities to steal credentials and cryptocurrency, victims can be hit with direct financial losses. In addition, businesses also are threatened: AZORult enables bad actors "to establish a beachhead in affected organizations" and the ability to download the Hermes 2.1 ransomware could lead to direct financial losses and disruptions in business, they wrote.

"As with most malware, an ounce of prevention is worth a pound of cure," Wheeler wrote. "Maintaining layered security with protection at the email gateway, network edge, and endpoint are all critical elements of protection against these threats."

Related posts:

— Jeffrey Burt is a long-time tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-08-04
Cross-site request forgery (CSRF) vulnerability in [Calendar01] free edition ver1.0.0 and [Calendar02] free edition ver1.0.0 allows remote attackers to hijack the authentication of administrators via unspecified vectors.
PUBLISHED: 2020-08-04
[Calendar01], [Calendar02], [PKOBO-News01], [PKOBO-vote01], [Telop01], [Gallery01], [CalendarForm01], and [Link01] [Calendar01] free edition ver1.0.0, [Calendar02] free edition ver1.0.0, [PKOBO-News01] free edition ver1.0.3 and earlier, [PKOBO-vote01] free edition ver1.0.1 and earlier, [Telop01] fre...
PUBLISHED: 2020-08-04
Privilege escalation vulnerability in SKYSEA Client View Ver.12.200.12n to 15.210.05f allows an attacker to obtain unauthorized privileges and modify/obtain sensitive information or perform unintended operations via unspecified vectors.
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Obsidian 18.0.17 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.
PUBLISHED: 2020-08-03
A GET-based XSS reflected vulnerability in Plesk Onyx 17.8.11 allows remote unauthenticated users to inject arbitrary JavaScript, HTML, or CSS via a GET parameter.