Researchers at Minerva Labs have identified a new AZORult Trojan campaign that installs the malware through a fake Google update installer.
The AZORult Trojan is an information stealer that can obtain system information, cookies, passwords stored in browsers, browser histories, information from saved files, banking credentials, and cryptocurrency wallets. The malware is also used as a downloader of other malware variants and is constantly being redeveloped to evade detection and add new functionality.
The AZORult Trojan has been used in numerous recent campaigns to steal sensitive information and install a range of different malware variants, including ransomware, data stealers, and cryptocurrency miners. The malware was also recently used in attacks on government agencies that resulted in the theft of over 40,000 login credentials.
The Minerva Labs researchers discovered the campaign when it was blocked on one of their customers’ devices. The Google update installer used in the campaign appeared legitimate: it had the correct icon and had been signed with a valid certificate. However, the certificate had been issued to Singh Agile Content Design Limited, rather than Google, confirming it was a fake. A high percentage of users who encounter this campaign would be unlikely to check the details of the digital signature and would be unaware that malware had been installed.
According to the researchers, the certificate has been used to sign over 100 binaries since it was issued on November 19, 2018. All of those binaries have been disguised as a Google update installer. An analysis of the GoogleUpdate binary revealed it included the AZORult Trojan.
Once installed, the AZORult Trojan is allowed to run with administrator privileges and uses a stealthy mechanism to achieve persistence. The fake GoogleUpdate.exe program is loaded into the C:\Program Files\Google\Update\ folder and essentially replaces the legitimate GoogleUpdate.exe program without altering the registry. The Google update mechanism ensures the fake updater is run at least once a day without the attackers having to schedule any tasks to execute the malware.
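Because the fake updater keeps a valid signature and leaves the registry untouched, the practical check is the signer's identity on the files in that folder. The following PowerShell audit is an added example, not code from Minerva Labs' report: it lists every executable under the Update folder named above, verifies its Authenticode signature, and flags anything unsigned, invalidly signed, or signed by a publisher other than Google. The expected-subject pattern and the output layout are assumptions to adapt to your environment.

```powershell
# Added example: audit the Google Update folder for executables whose Authenticode
# signer is not Google. The folder path is the one named in the article; the
# expected-subject pattern is an assumption (adjust to what your environment sees).
param(
    [string]$UpdateDir = 'C:\Program Files\Google\Update',
    [string]$ExpectedSubjectPattern = 'O=Google (LLC|Inc)'
)

function Test-GoogleUpdateSigner {
    param([string]$Path, [string]$Pattern)

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # A cryptographically valid signature is not enough: the sample in the article was
            # validly signed, but by "Singh Agile Content Design Limited", not by Google.
            $signerOk = $subject -match $Pattern
            [pscustomobject]@{
                File       = $_.FullName
                SigStatus  = $sig.Status          # Valid / NotSigned / HashMismatch / ...
                Signer     = $subject
                Thumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                Suspicious = (-not $signerOk) -or ($sig.Status -ne 'Valid')
            }
        }
}

$results = Test-GoogleUpdateSigner -Path $UpdateDir -Pattern $ExpectedSubjectPattern
$results | Format-Table -AutoSize

$bad = @($results | Where-Object Suspicious)
if ($bad.Count -gt 0) {
    Write-Warning ("{0} file(s) in {1} are unsigned, invalidly signed, or signed by a non-Google publisher." -f $bad.Count, $UpdateDir)
    $bad | Select-Object File, SigStatus, Signer, Thumbprint, SHA256 | Format-List
}
```

The SHA256 and thumbprint columns give the incident responder the values to pivot on across the fleet; the certificate thumbprint in particular identifies every other binary signed with the same abused certificate.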
The researchers note that malware impersonating legitimate programs is nothing new, although this is the first time that the technique has been used with the AZORult Trojan.