What Is It?
Originally discovered by researchers from Proofpoint in mid-2016, AZORult malware is an information stealer and downloader. Recently the authors released a major update that was observed being used in a large malicious spam campaign within 24 hours of the updated version becoming available.
The documentation for the new version of AZORult (v3.2) shows added features for stealing cryptocurrency wallets (including Exodus, Jaxx, Mist, Ethereum and Electrum) and exfiltrating browser histories from browsers other than Internet Explorer and Edge. The update also improves various functions on the administration panel, used by attackers to control how the malware is deployed and oversee infections. A new feature allows attackers to specify rules, such as if there are cookies or passwords related to a specific site, then download and run a specified file.
The campaign leveraging the new version of AZORult mainly targeted North American email addresses using the tried and true lure of resumes attached to job application emails. The attachments were password protected Zip files, containing Microsoft Word documents using malicious macros. The password for the Zip file was included in the body of the email, an attempt to evade anti-virus and other related detection engines.
If the email recipient opened the document and permitted the macros to run, the AZORult malware would be downloaded and executed. However, in this case, theft of the user’s credentials, browsing history, cryptocurrency wallets and other data is not the only consequence. The malware also downloads and executes a variant of Hermes ransomware, significantly compounding the impact of infection.
Malware downloading other malware is hardly a new concept, however, the combination of a data and cryptocurrency wallet stealer, immediately followed by ransomware could result in a double financial loss for the infected user and their organization.
How Does It Propagate?
The malware does not contain the necessary code to self-propagate. The attack vector in this case is a password protected Zip file attachment containing a malicious Microsoft Word document, the password is contained in the body of the email. A potential victim must be socially engineered by the content of the email to extract the document from the Zip and then allow macros to execute, a common but still all too effective technique.
When/How Did BluVector Detect It?
The malware samples related to this attack were both detected by BluVector’s patented Machine Learning Engine (MLE). Regression testing has shown the samples of AZORult malware and Hermes ransomware would both have been detected 55 months prior to their release.