Researchers from Kaspersky observed several malicious files similar to AZORult. The researchers dubbed the new variant as ‘AZORult++’ as the files were written in C++ and not Delphi. Researchers noted that the attacker behind the malware has rewritten it in C++.
More details on the new variant
Researchers stated that this new variant primarily targets victims in Russia and India.
This version AZORult++ includes many signature features of the AZORult 3.3. However, AZORult++ does not include the loader functionality or the support for stealing browser saved passwords. This new variant uses an XOR operation with a 3-byte key to encrypt the stolen data sent to its C&C server.
What are its capabilities
Apart from stealing credentials, browser history, cookies, and sending it back to the C&C server operated by the attacker, this new variant is capable of launching an RDP connection by creating a new user account and adding it to the admin’s group.
The bottom line - Due to this ability to establish an RDP connection to the desktop, AZORult++ is considered more dangerous than the previous versions.
“During development, AZORult underwent several changes related to the expansion of its functionality. Moreover, despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop,” researchers said in a blog.