New AZORult Trojan variant dubbed ‘AZORult++’ written in C++
- Due to the ability to establish an RDP connection to the desktop, AZORult++ is considered more dangerous than the previous versions.
- Researchers stated that this new variant primarily targets victims in Russia and India.
Researchers from Kaspersky observed several malicious files similar to AZORult. The researchers dubbed the new variant as ‘AZORult++’ as the files were written in C++ and not Delphi. Researchers noted that the attacker behind the malware has rewritten it in C++.
More details on the new variant
Researchers stated that this new variant primarily targets victims in Russia and India.
- AZORult++ initially checks the language ID through a call to the GetUserDefaultLangID() function.
- If the malware detects that it is running on a system where the language is Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, then it stops executing.
This version AZORult++ includes many signature features of the AZORult 3.3. However, AZORult++ does not include the loader functionality or the support for stealing browser saved passwords. This new variant uses an XOR operation with a 3-byte key to encrypt the stolen data sent to its C&C server.
What are its capabilities
Apart from stealing credentials, browser history, cookies, and sending it back to the C&C server operated by the attacker, this new variant is capable of launching an RDP connection by creating a new user account and adding it to the admin’s group.
- AZORult++ creates a user account using the NetUserAdd() function (username and password are specified in the AZORult++ code).
- The malware then adds this account to the Administrators group.
- It then hides the newly created account by setting the value of the Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\Userlist registry key to 0.
- The malware then calls to ShellExecuteW() to open a port to establish a remote connection to the desktop.
- After which, the infected computer is ready to accept the incoming RDP connection.
- This allows attackers to connect to the infected system and take over over the system.
The bottom line - Due to this ability to establish an RDP connection to the desktop, AZORult++ is considered more dangerous than the previous versions.
“During development, AZORult underwent several changes related to the expansion of its functionality. Moreover, despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop,” researchers said in a blog.