An undated strain of Azorult malware has been discovered which downloader has already been used in attacks and is being shared using the RIG exploit kit.

Azorult malware is mainly an information gatherer which is used to obtain usernames and passwords, credit card details, and other data including browser histories. Newer versions of the malware have seen cryptocurrency wallet-stealing capabilities included.

Azorult malware was first discovered in 2016 by researchers at Proofpoint and has since been utilized in a large number of attacks through exploit kits and phishing email campaigns. The latter have used links to malicious sites, or more typically, malicious Word files including malware downloaders.

Back in 2016, the malware variant was first installed in tandem with the Chthonic banking Trojan, although later campaigns have seen Azorult malware deployed as the primary malware payload. 2018 has seen multiple threat actors pair the information stealer with an accompanying ransomware payload.

Campaigns have been identified using Hermes and Aurora ransomware as secondary payloads. In both attacks, the initial target is to steal login details to raid bank accounts and cryptocurrency wallets. When all useful data has been obtained, the ransomware is enabled, and a ransom payment is requested in order to decrypted files.

A new strain of the Azorult was issued in July 2018 – version 3.2 – which contained major improvements to both its stealer and downloader functions.  Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been included with RIG. The new variant was released just after the source code for the previous version was leaked on the Internet.

The new variant uses an alternative method of encryption, has enhanced cryptocurrency stealing functionality to allow the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be obtained, a new and improved loader and an updated admin panel. The latest version is more difficult for AV software to notice ensuring more installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, which use JavaScript and VBScripts to install Azorult.

If your operating systems and software are kept fully updated you will be safeguarded against these exploit kit downloads as the vulnerabilities exploited by RIG are not new. However, many businesses are slow to apply patches, which need to be extensively tested. It is therefore important to also deploy a web filtering solution.