Hackers using the new AZORult malware variant to deliver the Hermes ransomware

• AZRrult was originally a secondary infection in Chthonic banking trojan campaigns.
• The new AZORult version comes with highly improved stealer and downloader functionalities.

A new and improved version of the AZORult malware has been recently discovered by security researchers. The malware is a stealer and downloader which first appeared in 2016 and was originally a secondary infection in Chthonic banking trojan campaigns.

The malware has since been distributed as both primary and secondary infections in various campaigns. In most cases, AZORult was dropped via exploit kits and delivered via phishing email campaigns.

New improved AZORult

The new variant of AZORult comes with highly advances stealer and downloader capabilities. For instance, the malware now has a conditional loader, which can allow the malware’s operators to go beyond regular data-stealing and pilfer from cryptocurrency wallets as well.

The malware is also capable of harvesting information such as machine ID, Windows version, computer name, location, screen resolution, time zone CPU model RAM and more.

According to security researchers at Proofpoint, who uncovered the new AZORult malware variant, just a day after the upgraded AZOrult malware variant appeared on dark web forums, a prolific threat group known as TA516 used the malware in a new campaign to distribute the Hermes ransomware.

TA516’s new AZORult and Hermes campaign

AZORult was advertised on an underground forum on July 17. It appears that the TA516 threat group was quick to snap up the malware and begin using it immediately.

“On July 18, 2018, one day after the AZORult update above was announced, we observed a campaign delivering thousands of messages targeting North America that used the new version of AZORult,” Proofpoint researchers wrote in a blog.

TA516’s phishing emails posed as job applications and came with password-protected malicious documents. The victims are provided with the password in the email. This is a detection evading technique, given that the document only becomes malicious after the password has been entered. The victims are also required to enable macros and download AZORult, which in turn drops the Hermes ransomware.

“We attribute this campaign to an actor we track as TA516. In 2017 we presented research on TA516 and ways in which this actor used documents with similar resume lures to download banking Trojans or a Monero miner,” Proofpoint researchers said. “Improved means of stealing cryptocurrency wallets and credentials in the new version of AZORult might also provide a connection to TA516’s demonstrated interests in cryptocurrencies.”

Malware development

Just as developers regularly improve and update legitimate software, malware authors also regularly upgrade their malware, adding new features and tools. This indicates the ever evolving nature of cybercrime, highlighting the importance of threat intelligence gathering and communication, as well as security defense.

Proofpoint researchers believe that the potential impact of the this campaign can be far reaching.

“AZORult malware, with its capabilities for credential and cryptocurrency theft, brings potential direct financial losses for individuals as well as the opportunity for actors to establish a beachhead in affected organizations,” Proofpoint researchers noted. The researchers added that when taking the Hermes ransomware into account, such an attack could also cause “direct financial losses and business disruption”.