Password and credit card-stealing Azorult malware adds new tricks

Malware can now steal more types of cryptocurrency and comes with other updates, likely in response to a free version being leaked online.
Written by Danny Palmer, Senior Writer

A form of password, credit card details and cryptocurrency-stealing malware has been updated, making it even more potent for cyber criminals.

The Azorult malware has been operating since 2016 and enables crooks to steal credentials including passwords, credit card details, browser histories and contents of cryptocurrency wallets from victims.

Now a new version of it is being advertised in an underground forum, as uncovered by researchers at tech security company Check Point, who describe it as "substantially updated".

New features include the ability to steal additional forms of cryptocurrency from the wallets of victims - BitcoinGold, electrumG, btcprivate (electrum-btcp), bitcore and Exodus Eden.

Reflecting the fast pace of malware development, the developer of Azorult also boasts improvements to the cryptocurrency wallet stealer components and improvements to the loader.

Researchers also note some behind-the-scenes changes compared to previous versions of the malware, including a new encryption method to obfuscate the domain name, as well as a new key for connecting to the command and control server.


This new version of the malware first appeared for sale on October 4 - shortly after source code for Azorult versions 3.1 and 3.2 was leaked online. Check Point has already seen the free tools being used to power Gazorp, a malware builder which allows users to essentially generate an earlier version of Azorult at no cost.

It's likely this which has spurred the author of Azorult into releasing a new and improved version of the malware for sale.

"It is plausible that the Azorult's author would like to introduce new features to the malware and make it worthy as a product in the underground market," said Israel Gubi, malware researcher at Check Point.

The latest version of Azorult is delivered through the RIG exploit kit, which uses vulnerabilities in Internet Explorer and Flash Player to launch JavaScript, Flash, and VBScript-based attacks to distribute malware to users.

Previous versions of Azorult have also been known to be distributed via phishing emails which encourage potential victims to download a malicious Microsoft Word attachment, which, when run, takes advantage of exploits in order to download and install the malware.

With Azorult seemingly reliant on known vulnerabilities to spread, users can go a long way to protect themselves from falling victim to it by ensuring they've installed the relevant software updates and patches.

