An updated version of Azorult malware has been discovered. The most recent version of the data stealer and malware downloader has already been deployed in attacks and is being distributed via the RIG exploit kit.

Azorult malware is primarily an information stealer, used to harvest and exfiltrate usernames and passwords, credit card numbers, and other data including browser histories. Newer versions of the malware have added cryptocurrency wallet-stealing capabilities.

Azorult malware was first spotted in 2016 by researchers at Proofpoint and has since been deployed in a large number of attacks via exploit kits and phishing email campaigns. The latter have used hyperlinks to malicious sites or, more commonly, malicious Word files containing malware downloaders.

In 2016, the malware was first seen installed alongside the Chthonic banking Trojan, although more recent campaigns have deployed Azorult as the primary payload. This year, many different threat actors have paired the information stealer with a secondary ransomware payload.

Campaigns have been observed using Hermes and Aurora ransomware as secondary payloads. In both, the main aim is to obtain login credentials to raid bank accounts and cryptocurrency wallets. Once all useful information has been stolen, the ransomware is activated and a ransom payment is demanded to unlock the encrypted files.

A new version of Azorult – version 3.2 – was distributed in July 2018 and included significant improvements to both its stealer and downloader functions. Now Proofpoint researchers have discovered a new variant – version 3.3 – which has already been added to RIG. The new variant appeared on the market shortly after the source code for the previous version was leaked online.

The new variant uses an alternative encryption method, has improved cryptocurrency-stealing functionality that allows the contents of BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore, and Exodus Eden wallets to be stolen, a new and improved loader, and a new admin panel. The latest version also has a lower detection rate by AV software, which increases the likelihood of successful installations.

The RIG exploit kit uses exploits for known flaws in Internet Explorer and Flash Player, and relies on JavaScript and VBScript to download and execute Azorult on the compromised host.
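The delivery chain described above (an Internet Explorer client is served Flash content from an exploit kit landing page and, moments later, pulls an executable from the same host) is something a web proxy log can surface. The script below is an added example written for this page; it is not code from the original article, from Proofpoint, or from the RIG kit itself. It assumes a simple, constructed proxy log format (timestamp, client IP, quoted user agent, URL, MIME type) and uses a heuristic rather than any real RIG indicator: flag an IE client that fetched Flash content and then an executable from the same host within a short window.

```python
"""Heuristic for spotting an exploit-kit style delivery chain in web proxy logs.

Added example, not from the original article or from Proofpoint/RIG research.
It assumes a constructed proxy log format (timestamp, client IP, quoted user
agent, URL, MIME type) and flags a client that fetched Flash content and then
an executable from the same host within a short window.
"""
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample log lines (not real traffic); hosts use the .test TLD.
SAMPLE_LOG = """\
2018-10-05T10:01:02 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" http://ads.example-cdn.test/landing.html text/html
2018-10-05T10:01:04 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" http://ads.example-cdn.test/player.swf application/x-shockwave-flash
2018-10-05T10:01:09 10.0.0.5 "Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko" http://ads.example-cdn.test/update.exe application/octet-stream
2018-10-05T10:02:00 10.0.0.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/69.0" http://www.example.test/index.html text/html
2018-10-05T10:02:30 10.0.0.7 "Mozilla/5.0 (Windows NT 10.0) Chrome/69.0" http://downloads.example.test/setup.exe application/octet-stream
"""

FLASH_MIME = "application/x-shockwave-flash"
EXE_MIMES = {"application/octet-stream", "application/x-msdownload"}


def parse_line(line):
    """Parse one constructed log line into a dict; returns None for blank lines."""
    line = line.strip()
    if not line:
        return None
    ts, client, rest = line.split(" ", 2)
    # The user agent is quoted; the URL and MIME type follow the closing quote.
    ua_end = rest.index('"', 1)
    ua = rest[1:ua_end]
    url, mime = rest[ua_end + 1:].split()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "ua": ua,
        "host": urlparse(url).netloc,
        "url": url,
        "mime": mime,
    }


def find_exploit_chains(log_text, window=timedelta(seconds=60)):
    """Return (client, host, exe_url) tuples for each Internet Explorer client
    that fetched Flash content from a host and then an executable from the
    same host within `window`.

    Restricting to Trident/MSIE user agents is a heuristic choice: RIG targets
    IE and Flash Player, so other browsers are skipped to reduce noise.
    """
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    last_flash = {}  # (client, host) -> timestamp of the most recent Flash fetch
    hits = []
    for e in events:
        if "Trident" not in e["ua"] and "MSIE" not in e["ua"]:
            continue
        key = (e["client"], e["host"])
        if e["mime"] == FLASH_MIME:
            last_flash[key] = e["ts"]
        elif e["mime"] in EXE_MIMES and key in last_flash:
            if e["ts"] - last_flash[key] <= window:
                hits.append((e["client"], e["host"], e["url"]))
    return hits


if __name__ == "__main__":
    for client, host, url in find_exploit_chains(SAMPLE_LOG):
        print(f"possible exploit-kit delivery: {client} fetched {url} "
              f"shortly after Flash content from {host}")
```

On the constructed sample, only the 10.0.0.5 session is flagged: the Chrome client that downloads an installer is ignored because it never fetched Flash content and is not an IE user agent. In production the MIME and user-agent checks would be tuned to the proxy's actual field names, and a hit should be treated as a lead for triage rather than proof of compromise.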

If your operating systems and software are always fully patched and current, you will be largely protected from these exploit kit downloads, as the vulnerabilities targeted by RIG are not new. However, many businesses are slow to apply patches, which need to be thoroughly tested first. It is therefore strongly advisable to also use a web filtering solution such as WebTitan to provide additional protection against exploit kit malware downloads. WebTitan stops end users from visiting malicious websites such as those hosting exploit kits.

The most recent version of Azorult was first put on sale on October 4. It is possible that other threat actors will buy the malware and distribute it via phishing emails, as was the case with older versions. It is therefore wise to also put in place an advanced spam filter and ensure that end users are trained to recognize malicious emails.