Heard of Azorult? It is a form of information-stealing malware with multiple features, including the ability to download even more malware from its command and control servers. Think of it like a Swiss Army Knife for cyber attackers—the little tool that does everything. Azorult was first spotted in early January 2018, although it may have been discovered sooner, around August 2017, if indeed it was the exploit kit used in the “ngay campaign” originally observed by Nao_Sec—the malvertising chain that functions as an exploit kit to deliver its nasty payloads.
What is an exploit kit?
It is simply a collection of exploits—a toolkit that lets malware and other cyber attacks use software vulnerabilities to harm their targets. Vulnerabilities are discovered and patched all the time in operating systems, applications, and firmware. A patched vulnerability shouldn’t be exploitable, and finding new exploits can be a lot of work. Exploit kits sold on the Dark Web make that work easier for cyber attackers. One such kit to emerge recently is the RIG exploit kit, and Azorult malware has been found to be distributed through it. So as new exploits are added to RIG, Azorult can be delivered through those too.
Here’s what security researchers have to say about it:
“RIG has been found to use SWF, TXT, and EXE files. The SWF format was developed for Adobe Flash, TXT are simple text files, and EXE files are of course Windows executables. RIG takes advantage of compromised web pages, so RIG exploits may affect your Windows computer as you surf the web. Running Flash in your web browser can make your computer especially vulnerable.”
All about Azorult
As previously mentioned, Azorult is mainly distributed through the RIG exploit kit, stealing information from infected computers and uploading it to its command and control servers. That’s how the cyber attackers acquire your sensitive data. These are the types of information the earliest version of Azorult was designed to steal:
- Web browser cookies and saved web form data
- Saved passwords from web browsers, email, FTP, and IM programs
- OS account usernames, computer names, OS versions, and RAM information
- Wallet.dat files from cryptocurrency wallets, such as for Bitcoin and Litecoin
- A list of installed applications
- A list of running processes
- Skype message history
- Desktop files
So, on a consumer Windows PC, that’s pretty much the most sensitive data. A cyber attacker can use the data to log into your online services; access your email; log into your social networking accounts; access any cryptocurrency wallets you may have; see what you’ve been privately communicating with people; and understand how to further attack your computer by knowing the exact Windows version and which processes are usually running.
Fileless malware typically injects itself into processes already running in your computer’s RAM rather than writing files to disk, which is why antivirus software often fails to detect it; with the exact Windows version and the usual process list in hand, an attacker can tailor that kind of payload to your machine. Then of course, Azorult can download more malware onto your computer from its command and control servers, making matters even worse.
What’s new with Azorult?
By July 2018, a new version of Azorult emerged, called Azorult 3.2, and this version was better than ever for cyber attackers. It’s stealthier, so it can evade antivirus detection even better, and its malware downloader was also improved. This new version of Azorult was spotted in an email campaign used to distribute Hermes ransomware. Its newly advertised features included the ability to steal web browsing history from major browsers; support for Exodus, Jaxx, Mist, Ethereum, Electrum, and Electrum-LTC cryptocurrency wallets; an improved downloader with unlimited links that the cyber attacker can tweak; and an improved data stealer that can use proxy servers and networks. That is how Azorult 3.2 has been advertised on the Dark Web for anyone to buy.
And in October of 2018, just a short time ago, an even newer version of Azorult was discovered. Malware researchers wrote, “Azorult is a long-known information stealer and malware downloader, with this particular version being advertised in an underground forum since October 4. The version number given to it by its authors is 3.3.”
They went on to say, “There are quite a few changes in this newly witnessed variant, the most prominent ones being a new encryption method of the embedded C&C (command and control) domain string, a new connection method to the C&C and improvement of the cryptocurrency wallets stealer and loader. The timing of this update to the malware is not surprising, mainly in light of major leaks for previous versions 3.1 and 3.2, in which panel source code and binary builders were released for the public to use for free.”
Imagine all of the good and useful applications you could buy from the Microsoft Store in Windows 8 and Windows 10. Productivity applications, games, antivirus software, helpful utilities, the list goes on. Now imagine that instead of features like “compose spreadsheets, design presentations, defrag your hard drive, prevent malware,” you read about features like “web browser cookie stealer, cryptocurrency wallet stealer, malware downloader, password grabber.” You won’t find that in the Microsoft Store; you’ll find it in the Dark Web forums where cyber attackers use digital coin to buy naughty software. And like non-malicious software developers, malicious software developers must keep making their applications better so people will want to keep on buying them. It begs the question—what on earth will Azorult 4 look like?