Leading anti-phishing solution provider Cofense has detected a new AZORult phishing campaign. AZORult is an information stealer capable of stealing cookies, stored passwords, payment card information, autocomplete data stored in web browsers, Bitcoin wallet information, and email, FTP, and XMPP client credentials.
The latest campaign uses malicious email attachments to spread a new variant of the malware. Version 3 of AZORult incorporates anti-analysis safeguards and can detect whether it is running in a VM or sandbox environment. The malware also has new capabilities: it can take and exfiltrate screenshots, harvest Skype and Jabber program logs and chat histories, and it now encrypts communications between an infected endpoint and its management panel. The latest variant also supports blockchain-based DNS infrastructure.
AZORult is being spread via phishing emails and uses a variety of techniques to download the malicious payload. Previously, the threat actors behind the malware have used intermediary loaders such as Seamless and Ramnit to deliver AZORult. The latest campaign uses tried and tested delivery mechanisms such as the exploitation of vulnerabilities and macros – much more efficient methods of delivering the malicious payload.
Cofense notes that, in contrast to many other information stealers, which are persistent, this malware variant communicates with its C2 twice and then deletes its own binary. This tactic helps the malware evade network logging systems that are not tuned to look for such short-lived communication, and it makes detection harder for incident response teams.
Cofense suspects that the threat actors behind the malware will incorporate the functionality to exploit further vulnerabilities, specifically, CVE-2017-11882, CVE-2017-0199, and CVE-2017-8750.
To improve defenses against email-based attacks, companies should ensure employees are trained to recognize threats and report them to their security teams. Cofense has developed an extensive range of training content and a phishing simulation platform to make it easier for companies to train employees to become security assets.
In order to stay protected against the latest malware threats, security teams need good intelligence. Cofense has developed such a service – Cofense Intelligence – to ensure security teams have timely information about the new tactics being developed and new malware variants that are being used in real world attacks. Being forewarned is being forearmed.