AZORult++ Trojan

Kaspersky Lab published an analysis of an Azorult variant written in C++, which they have named “Azorult++”. We reported on the original Azorult trojan back in July 2018 here.

At the end of 2018, the main seller of the Azorult Trojan, originally written in Delphi, stopped sales, likely because the code had become publicly available. However, Kaspersky Lab recently obtained a sample of what appears to be an early version of a C++ variant of the Trojan.

Like the original Azorult Trojan, this variant can gather browser history, cookies, files, cryptowallet information, and more from a victim host and send the data to a C2 server. However, unlike previous versions, it has no functionality for stealing saved passwords or acting as a loader for additional malware. The stolen data is collected in RAM rather than written to the hard drive, and is then sent to the C2 server in much the same way as its predecessor.

Although some functionality was lost in this new version, the ability to create a remote desktop session was added, posing a potentially greater risk than before. The Azorult Trojan creates a user account, adds it to the Administrators group, allows RDP on the host via the registry, and uses ShellExecuteW() to open the port for incoming remote connections. Kaspersky notes that the obtained sample appears to be a development version, so more functionality may be added prior to wider distribution.
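The RDP-enabling sequence above gives defenders something concrete to look for: a local account is created, that account is added to Administrators, and the Terminal Server registry value fDenyTSConnections is switched so RDP is allowed, all within a short time on one host. The following script is an added example, not code from Kaspersky or from this site, that correlates those three signals over a few constructed event lines. The key=value line format, the simplified field names (member by name rather than SID, the fDenyTSConnections value reported directly), and the ten-minute window are assumptions made for the example; real Windows Security events 4720, 4732 and 4657 carry the same information in their own XML fields, and 4657 only fires when registry auditing is configured on that key.

```python
"""Correlate Windows Security events that match the RDP-enabling chain
(account created -> added to Administrators -> fDenyTSConnections cleared).

Constructed sample input; the key=value layout is an assumption for this
example and is not real Windows Event Log output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
WINDOW = timedelta(minutes=10)        # assumed correlation window

# Constructed events: 4720 = account created, 4732 = member added to a local
# group, 4657 = registry value modified. WS02 has a lone account creation and
# must not be flagged.
SAMPLE_EVENTS = [
    "2019-03-05T10:00:01Z host=WS01 id=4624 user=alice",
    "2019-03-05T10:02:10Z host=WS01 id=4720 user=Admin1 actor=alice",
    "2019-03-05T10:02:11Z host=WS01 id=4732 member=Admin1 group=S-1-5-32-544 actor=alice",
    "2019-03-05T10:02:12Z host=WS01 id=4657 value=fDenyTSConnections new=0 actor=alice",
    "2019-03-05T11:30:00Z host=WS02 id=4720 user=svc_backup actor=bob",
]


def parse_event(line):
    """Turn one constructed line into a dict; first token is an ISO timestamp."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def find_rdp_enable_chains(lines, window=WINDOW):
    """Return one finding per host/account where all three signals occur
    within `window` of the account creation."""
    by_host = defaultdict(list)
    for event in (parse_event(l) for l in lines):
        by_host[event["host"]].append(event)

    findings = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for created in (e for e in events if e["id"] == "4720"):
            account = created["user"]
            deadline = created["ts"] + window
            later = [e for e in events if created["ts"] <= e["ts"] <= deadline]

            added_to_admins = any(
                e["id"] == "4732"
                and e.get("member") == account
                and e.get("group") == ADMINISTRATORS_SID
                for e in later
            )
            rdp_allowed = any(
                e["id"] == "4657"
                and e.get("value") == "fDenyTSConnections"
                and e.get("new") == "0"     # 0 = RDP connections permitted
                for e in later
            )
            if added_to_admins and rdp_allowed:
                findings.append({
                    "host": host,
                    "account": account,
                    "actor": created.get("actor"),
                    "first_seen": created["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for finding in find_rdp_enable_chains(SAMPLE_EVENTS):
        print("RDP-enable chain:", finding)
```

Requiring all three signals keeps routine account provisioning (the WS02 line) out of the alert; in production the `actor` field is the first pivot, since a stealer performing this sequence runs under the logged-on user's context rather than an administrator's.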

Kaspersky Lab products detect the stealer as Trojan-PSW.Win32.Azorult.

Figure: Geographical distribution of attacks during the period 12.12.17 – 12.12.18 (image via kaspersky.com)

Indicators of Compromise

URLs

  • http://ravor.ac.ug
  • http://daticho.ac.ug

MD5

  • 08eb8f2e441c26443eb9abe5a93cd942
  • 5b26880f80a00397bc379caf5cadc564
  • b0ec3e594d20b9d38cc8591baff0148b
  • fe8938f0baaf90516a90610f6e210484

Duncan Newell

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
