Gazorp is a malware builder that creates customized samples of the AZORult malware. The builder is available for free on the dark web. Using Gazorp, a threat actor can build custom malware with a user-provided command and control (C&C) address, download the builder, install the panel and release the newly created AZORult malware into the wild.
Security researchers from Check Point Research identified the Gazorp builder being sold on the dark web on September 17. Gazorp builds samples of AZORult version 3.0, which was released five months ago. However, two newer versions of the malware, 3.1 and 3.2, have since appeared, making the Gazorp builder slightly outdated.
Check Point researchers warned that although Gazorp may be offering an outdated version of AZORult, it has “multiple stealing capabilities which can be leveraged by any actor to gather victim information and misuse it.”
Release of Gazorp
Gazorp’s author released the malware builder after AZORult’s panel code for versions 3.1 and 3.2 was leaked online. The leak allowed anyone who wanted to host an AZORult C&C panel to do so with little effort, and it allowed Gazorp’s authors to introduce the builder to the public.
Gazorp’s new capabilities
Since its discovery, Gazorp’s capabilities and features have been constantly enhanced by threat actors. Notable changes include multiple additions to the panel features and code upgrades. Some of the feature additions include:
- A global heat map that provides country-by-country statistics.
- The ability to create complex components, based on multiple factors.
- Upgrades for admin, users, system and guest authorities.
- A Telegram channel link that is used to communicate the ongoing work of Gazorp’s authors.
Gazorp’s creators also made it clear: “More donations, more updates.” According to Check Point researchers, the project will likely evolve as time progresses and “possibly produce new variants for AZORult.”
Building Azorult in 4 simple steps
The Gazorp author's page on the dark web market lists four simple steps that threat actors need to take in order to use AZORult.
The advertisement on the page read:
“Totally free builder of one of the most popular stealers today, Azorult is right here. It’s as simple as 2×2:
1. Specify the domain to which the stealer will report.
2. Download the archive which will consist of the build, a manual and panel.
3. Install the panel, deploy the build.
4. Work $$$ ;-).”
Malware builders make life easy for hackers
This new service shows how easily malware can be obtained from the web and put to use against victims. However, according to researchers, Gazorp builds an older version of the AZORult malware. Hence, if the necessary software patches are applied in a timely manner, both organizations and individuals can protect themselves against attackers using freely available malware in the wild.
Check Point researchers also said that Gazorp attacks may continue to improve and grow in scale as more and more threat actors discover the free service.