The tale of the infamous AZORult banking trojan and its evolving capabilities

• AZORult, the information-stealing malware has been operating since 2016.
• It spreads primarily via phishing emails and targets users payment information.

There has been a surge in AZORult attack campaigns in the past years. The banking trojan which was primarily designed to steal users’ financial information has evolved over the years and is currently used by attackers to perform other nefarious activities.

First appearance and primary targets

AZORult, the information-stealing malware has been operating since 2016. It spreads primarily via phishing emails and targets users payment information including cryptocurrency wallets and other financial credentials.

Modus Operandi

AZORult primarily spreads via phishing emails, typically disguised as malicious document attachments. Once the user clicks on the attachment, it runs malicious macros in the background. The macros download the AZORult to the victim’s system.

Once installed, the trojan connects to the C2 server of hackers and transfers sensitive information from the user’s system. This includes saved passwords such as those from browsers, email and FTP servers, cookies from browsers and forms, Skype message history, desktop files, files from chat history, list of installed programs, list of running programs, username, computer name and operating system type.

Variants

AZORult version 2 was found spreading via spam email campaigns. These spam emails contained malicious RTF documents, which when opened resulted in the download of the malware. The version was used to target the Middle East Government firms.

Towards the end of July 2018, the trojan’s authors released an updated version named AZORult v3.2. The malware was improved on its stealer and downloader capabilities and was used against firms in North America. Apart from the existing functionalities, the new version was found stealing cryptocurrency wallets.

The emergence of AZORult v3.3 was observed in October 2018. The malware was delivered through the RIG exploit kit. There were quite a few changes in the newly witnessed variant. This included a new encryption method of the embedded C&C domain string, a new connection method to the C&C and improvement of the Cryptocurrency wallets stealer and loader.

Again in October 2018, Palo Alto’s Unit 42 researchers discovered three new variants of AZORult trojan being used in a new attack campaign named ‘FindMyName’. These variants were delivered through Fallout Exploit kit and came equipped with advanced obfuscation techniques. One of the new variants contained features such as using a hollowing technique to develop new malware images, stealing Skype, Telegram, and email credentials, taking screenshots, stealing system information, and more.

Given the speed with which the malware’s authors are enhancing the capabilities of AZORult trojan, there is no doubt that the malware will continue to be a favorite among the hackers. Lately, the trojan was observed acting as a malware downloader for Hermes ransomware v2.1.