Security researchers have identified a new malware campaign, dubbed FindMyName, in which cybercriminals distribute a new variant of the Azorult information stealer through the Fallout exploit kit (EK); delivery is by drive-by exploitation of visitors to an exploit page rather than by email. Azorult first appeared in 2016 and has evolved considerably since; it is also actively sold on dark web markets.
Since October, new Azorult variants have been observed in the wild sporting anti-analysis techniques such as flooding and control flow flattening, which hinder reverse engineering and evade detection. The variant distributed by the FindMyName campaign can steal data from more browsers, applications and cryptocurrency wallets than any previous version.
According to researchers at Palo Alto Networks, who discovered the campaign, FindMyName was distributing three new Azorult variants, two of which had never been seen in the wild before. One of the new variants uses process hollowing to run the malware inside a new process image, steals Skype, Telegram and email credentials, takes screenshots, and collects system information, among other capabilities.
“In the span of 3 days, 5 Fallout Exploit Kit URL chains were observed, all landing on an exploit page hosted on domain findmyname[.]pw. There is a new variant of Azorult malware found to be used as a payload for Fallout Exploit Kit,” the Palo Alto Networks researchers wrote in a blog post. “It has updated features compared to the previous versions and supports stealing from more software and cryptocurrency wallets than ever before.”
The new campaign indicates that Azorult’s authors have no intention of slowing down. The malware is under continual development, with new functions added to extend the scale and reach of the attackers’ operations.