Wasting little time, cyber-criminals began using a significantly updated version of the AZORult information stealer and downloader in an email phishing campaign just one day after the upgrade materialised on dark web underground forums on 17 July.
Proofpoint researchers have observed the new model, version 3.2, attempting to spread Hermes ransomware version 2.1 in the wild while also exfiltrating victim data and credentials. Moreover, the malware boasts improved stealing and loading capabilities, as well as support for various cryptocurrency wallets.
Such functionalities include the ability to "steal histories from non-Microsoft browsers; a conditional loader that checks certain parameters [including cookies and cryptocurrency wallets] before running the full malware; support for Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC cryptocurrency wallets; the ability to use system proxies; and a few administrative tweaks, like location awareness and the ability to more easily delete spy reports that don't have useful information," Proofpoint reported in a blog post yesterday. The malware authors also updated AZORult's command-and-control communications protocol.
The 18 July operation that leveraged the new-and-improved AZORult reportedly sent North American recipients thousands of emails bearing subject lines related to employment such as "About a role" and "Job Application." An email sample that Proofpoint analysed included a message in the body that read, "My name is Napoleon and I'm interested in a job. I've attached a copy of my resume. The password is 789".
For the campaign to succeed, the potential victim must perform two tasks: open the password-protected document using the provided credentials, and enable embedded macros, which download AZORult 3.2.
Proofpoint has attributed the campaign to an actor it identifies as TA516, which has previously used similar tactics in order to distribute banking trojans and Monero miners. "Improved means of stealing cryptocurrency wallets and credentials in the new version of AZORult might also provide a connection to TA516's demonstrated interests in cryptocurrencies," states Proofpoint, which notes that AZORult has existed since at least 2016.
"It is always interesting to see malware campaigns where both a stealer and ransomware are present, as this is less common, and especially disruptive for recipients who initially may have credentials, cryptocurrency wallets, and more stolen before losing access to their files in a subsequent ransomware attack," the blog post states.