Latest Azorult version sports new encryption method, cryptocurrency wallet stealer and more

• The data-stealing malware is being distributed via the Rig exploit kit and other sources.
• Experts suspect that Azorult 3.3 may have been released by the malware’s author to make it a more attractive product on underground markets.

Security experts have discovered a new version of the Azorult data-stealing malware in the wild. Azorult 3.3 was found advertised in a dark web forum on October 4. The data-stealing malware is being distributed via the Rig exploit kit and other sources.

A free version of Azorult, along with tools that can be used to create new customized versions, was recently made available on the underground malware builder called Gazorp. Experts suspect that Azorult 3.3 may have been released by the malware’s author to make it a more attractive product on underground markets.

“There are quite a few changes in this newly witnessed variant, the most prominent ones being a new encryption method of the embedded C&C domain string, a new connection method to the C&C and improvement of the Crypto currency wallets stealer and loader,” researchers at Checkpoint, who discovered Azorult’s latest version, said in a post.

Azorult upgraded

Azorult 3.3 comes packed with several new features. The upgrades include an enhanced cryptocurrency stealing abilities that allow it to pilfer BitcoinGold, electrumG, btcprivate, bitcore, and Exodus Eden. Improvements were also made to the malware’s loader feature and its antivirus detection evasion feature. Azorult’s previous versions contained a bug in the loader feature, which has been fixed in version 3.3.

“In version 3.2, the C&C domain name was xored with a hardcoded key and then encoded with base64. The current version 3.3 shows a new encryption method to obfuscate the domain name,” Checkpoint researchers wrote in a blog. “Every version of Azorult has a unique xor key for its connection method to the C&C. In version 3.3 the connection key is: [0x3, 0x55, 0xae].”

The malware now also comes with a new encryption method and a new technique to connect to its C2 server. The new features and upgrades were likely added to Azorult to give it an added edge in the competitive underworld of cybercrime. The multiple versions of Azorult released suggest that the malware’s author is highly active and is likely to continue to keep churning out fresh and more powerful versions of the data-stealer.