The threat actors behind the AZORult malware have released a refreshed variant
with upgrades to both its stealer and downloader functionality. Within a day of
the new version being advertised on a dark web forum, a threat actor was already
using AZORult in a large email campaign to distribute the Hermes ransomware.
The campaign using the updated version of AZORult delivered thousands of messages
targeting North America, with subjects such as “About a role” or “Job Application”
and a weaponized Office document named “firstname.surname_resume.doc” attached.
Proofpoint researchers wrote that the new version “includes substantial upgrades
to malware that was already well-established in both the email and web-based
threat landscapes.”
The attackers used password-protected documents to evade antivirus detection. Once
the victim enters the document password, the document prompts them to enable macros;
the macros then download AZORult, which connects to its command-and-control (C&C)
server from the newly infected machine. The C&C server replies with a response that
is XOR-encoded with a 3-byte key.
After exfiltrating stolen credentials from the infected machine, AZORult
additionally downloads the Hermes 2.1 ransomware.
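The XOR-encoded C&C response is worth seeing in code. The following Python is an added example for this article, not AZORult's code or Proofpoint's analysis tooling: it shows how an analyst decodes a captured response once the 3-byte key is known, and how that key can be recovered from the capture alone by sliding a known-plaintext fragment (a crib) across the ciphertext. The sample response, the key and the assumed crib "https://" (a download URL is plausible in a loader response, but this is an assumption) are all constructed for the demonstration; the malware's real wire format is not reproduced.

```python
"""Decode a C2 response XOR-encoded with a repeating 3-byte key.

Added example for this article, not AZORult code: the malware's real wire
format is not reproduced. The sample response, the key and the crib
"https://" below are constructed for the demonstration.
"""
from __future__ import annotations

KEY_LEN = 3
# Bytes accepted as "looks like text" when validating a candidate key.
PRINTABLE = set(range(0x20, 0x7F)) | set(b"\r\n\t")


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """XOR each byte with the key repeated cyclically (encode and decode are the same)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key_by_crib(ciphertext: bytes, crib: bytes,
                        key_len: int = KEY_LEN) -> list[tuple[int, bytes]]:
    """Recover a repeating XOR key of known length from a known-plaintext fragment.

    The crib is slid over the ciphertext. At each offset, key[(offset+j) % key_len]
    must equal ciphertext[offset+j] ^ crib[j] for every j. A crib longer than the
    key pins at least one key byte twice, so any mismatch rejects that offset.
    Surviving candidates must also decode the whole response to text-like bytes.
    Returns (offset, key) pairs; for a text protocol this is normally exactly one.
    """
    if len(crib) < key_len:
        raise ValueError("crib must be at least key_len bytes to fix every key byte")
    candidates = []
    for off in range(len(ciphertext) - len(crib) + 1):
        key = [None] * key_len
        consistent = True
        for j, crib_byte in enumerate(crib):
            slot = (off + j) % key_len
            kb = ciphertext[off + j] ^ crib_byte
            if key[slot] is None:
                key[slot] = kb
            elif key[slot] != kb:
                consistent = False
                break
        if not consistent:
            continue
        candidate = bytes(key)  # every slot is filled because len(crib) >= key_len
        plain = xor_with_key(ciphertext, candidate)
        if all(b in PRINTABLE for b in plain):
            candidates.append((off, candidate))
    return candidates


# Constructed sample: a made-up plaintext task list and a made-up 3-byte key.
SAMPLE_PLAINTEXT = (b"task=stealer;wallets=exodus,jaxx,electrum;"
                    b"loader=https://example.invalid/soft.exe\n")
SAMPLE_KEY = bytes([0x5A, 0xC3, 0x17])
SAMPLE_CIPHERTEXT = xor_with_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def decode_capture(ciphertext: bytes, crib: bytes = b"https://") -> tuple[bytes, bytes]:
    """Recover the key from a captured response and return (key, decoded_response)."""
    candidates = recover_key_by_crib(ciphertext, crib)
    if len(candidates) != 1:
        raise ValueError(f"expected one key candidate, got {len(candidates)}")
    _, key = candidates[0]
    return key, xor_with_key(ciphertext, key)


if __name__ == "__main__":
    key, plain = decode_capture(SAMPLE_CIPHERTEXT)
    print("recovered key:", key.hex())
    print("decoded response:", plain.decode("ascii").rstrip())
```

The crib approach works because a 3-byte repeating key leaves a period-3 structure in the ciphertext: any known run of three plaintext bytes fixes every key byte, a longer run pins at least one byte twice and weeds out most false offsets, and requiring the whole decoded response to look like text removes the rest. When the key is already known from reverse engineering, xor_with_key alone is the decoder.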
Proofpoint analysts also spotted the new version (3.2) of AZORult advertised on an
underground forum with a full changelog. The translated changelog entries include:
- Browsers (except IE and Edge)
- Cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
- Loader: in the admin panel, you can specify the rules for how the loader works.
  For example: if there are cookies or saved passwords from mysite.com, then
  download and run the file link[.]com/soft.exe. There is also a rule “If there
  is data from cryptocurrency wallets” or “for all”.
- Proxy: if a proxy is installed on the system but there is no connection through
  it, the stealer will try to connect directly (just in case).
- Admin panel: removing “dummies”, i.e. reports without useful information.
As the researchers noted, the campaign delivers both a password stealer and
ransomware, which is notable because the combination is rarely seen. Before the
ransomware is triggered, the stealer checks for cryptocurrency wallets and steals
credentials, so the attackers collect that data before the victim's files are
encrypted.