New AZORult variant being used by hacker Oktropys to spread Aurora ransomware

• A malware actor called Oktropys is distributing the Aurora ransomware and demanding $150 in ransom.
• In a new phishing campaign, AZORult malware was found distributed via a downloader.

A variant of the data-stealing malware AZORult has been spotted in a new phishing campaign, targeting computers across the globe. The malicious code is being used by malware actor Oktropys to spread the Aurora ransomware.

The phishing campaign makes use of a downloader to distribute the new AZORult variant.

According to Salesforce security researcher Vishal Thakur, who tracked the recent AZORult campaign, the new variant contains two payloads. While the first payload is a data stealer that targets saved credentials, local accounts and browsers, the second payload is the Aurora ransomware.

AZORult’s double payloads

In this campaign, AZORult steals system data, including browser login data, and sends it to the C2 server. Although the malware has a few crypto-related functions, its code appears to be incomplete since several major functions are not executed.

“No hash is generated/duplicated, the actual cryptEncrypt function is not called, key is not destroyed in the end and the context is not released,” Thakur wrote in a post on Bleeping Computer. “Crypto functions can still be executed the way they have been implemented in the code but cannot be re-used without problems. It’ll be interesting to see if the authors are trying to move towards full AES encryption for future releases as we saw in the case of Emotet.”

Meanwhile, the second AZORult payload - the Aurora ransomware - is dropped via a malware dropper. Once it encrypts the victim's files, the ransomware demands $150 in bitcoins as ransom.

Aurora is geo-targeted and attempts to connect to a geo-location site to obtain the location of a targeted system. The campaign is being operated by Oktropys who has conducted similar ransomware campaigns in the past.

AZORult repurposed

AZORult has been active for a while and has allowed cybercriminals to steal scores of victims’ personal information. The passwords stolen by AZORult have been widely used to gain unauthorized access to victims’ email and bank accounts.

The new AZORult variant being operated by Oktropys is an example of how cybercriminals often repurpose malware to add more functionalities and conduct larger and more sophisticated attacks.