Cybersecurity experts have rediscovered the eight-year-old Azorult malware, known for stealing information and harvesting sensitive data. The malware had been inactive since late 2021, prompting the question of whether this seasoned threat will adopt new tactics.
Azorult malware is a type of information-stealing malware that first emerged in 2016. Known for its capabilities to pilfer sensitive data, Azorult specializes in collecting information such as browsing history, cookies, and login credentials. Originally active in campaigns associated with the STOP/Djvu ransomware, its activity declined from early 2020 and had flattened out by late 2021. In its recent resurgence, Azorult has exhibited more sophisticated and stealthy methods, making it challenging to detect. The malware employs new infection chains, utilizes RAM for payload deployment, and is distributed through classic methods like email phishing.
Recent research in the cyber threat landscape has revealed troubling news about the Azorult malware. Initially identified in 2016, this malware gained notoriety, particularly for its association with the STOP/Djvu ransomware in prominent campaigns. However, its activity has been on the decline since early 2020, with the activity curve flattening out in late 2021.
As a stealer malware originating from the mid-2010s, Azorult was originally designed with functionality relevant to its time. The malware specializes in pilfering sensitive information, encompassing browsing history, cookies, and login credentials. Notably absent from its target list are crypto wallets, sessions, and 2FA tokens, as these were not as valuable during its inception.
The notable aspects of the re-emerged version include enhanced sophistication and stealthy methods that significantly increase the difficulty of detection. Introducing a new infection chain, it leverages RAM as a launchpad for deploying and executing the entire payload. Researchers discovered shortcut files disguised as PDF files, ultimately facilitating Azorult’s infiltration of the device. In terms of distribution, experts indicate the utilization of classic methods such as email phishing.
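One defensive check the disguise described above invites, as an added example that is not from the original article or from any researcher's tooling: flag an attachment whose bytes are a Windows shortcut while the name a user would actually see ends in .pdf. It also covers the padded-name variant, where spaces push the hidden .lnk out of view. The sample names and bytes are constructed for the example; the shortcut header constant is the one defined in the MS-SHLLINK specification.

```python
# A Windows shell link (.lnk) begins with HeaderSize 0x0000004C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} (MS-SHLLINK section 2.1).
LNK_MAGIC = bytes.fromhex("4C000000" "01140200" "00000000" "C0000000" "00000046")
PDF_MAGIC = b"%PDF-"


def content_type(head: bytes) -> str:
    """Classify a file by its leading bytes, never by its name."""
    if head.startswith(LNK_MAGIC):
        return "lnk"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def visible_name(name: str) -> str:
    """Approximate what Explorer shows: the .lnk extension is never displayed
    (it is registered with NeverShowExt), so 'invoice.pdf.lnk' reads 'invoice.pdf'."""
    shown = name.strip()
    if shown.lower().endswith(".lnk"):
        shown = shown[:-4].rstrip()  # drop the hidden .lnk and any padding before it
    return shown


def is_disguised_shortcut(name: str, head: bytes) -> bool:
    """True when a real shell link is presented to the user as a PDF document."""
    return content_type(head) == "lnk" and visible_name(name).lower().endswith(".pdf")


def scan(samples: list[tuple[str, bytes]]) -> list[str]:
    """Return the names of attachments that match the disguise."""
    return [name for name, head in samples if is_disguised_shortcut(name, head)]


# Constructed samples: (file name as delivered, first bytes of the file).
SAMPLES = [
    ("report.pdf", PDF_MAGIC + b"1.7\n"),                         # genuine PDF
    ("invoice.pdf.lnk", LNK_MAGIC + b"\x00" * 56),                # shown as "invoice.pdf"
    ("Quarterly Report.PDF     .lnk", LNK_MAGIC + b"\x00" * 56),  # padding hides the .lnk
    ("notes.lnk", LNK_MAGIC + b"\x00" * 56),                      # ordinary shortcut, not a lure
    ("statement.pdf.lnk", b"MZ\x90\x00"),                         # lure-like name, not a shell link
]

if __name__ == "__main__":
    for flagged in scan(SAMPLES):
        print("disguised shortcut:", repr(flagged))
```

The last sample shows why the check keys on content: a name alone is not proof, and a name-only rule would belong in a separate, noisier tier.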
In its latest form, Azorult employs process injection and “Living Off the Land” (LotL) techniques to avoid detection by security tools. It is predominantly sold on Russian underground hacker forums, and the data it steals is auctioned on Russian Dark Web marketplaces. Apart from traditional information theft, the malware gathers data for a service selling ready-made virtual identities, encompassing detailed information about users’ online behavior, including website visits, operating system details, browser information, and installed plugins.
- Unsolicited Emails:
  - Exercise skepticism and caution regarding emails from unknown sources, particularly those requesting personal information or urging you to click on a link.
- Verify Email Sources:
  - Before responding or clicking any links, verify the sender’s email address to ensure legitimacy. Avoid clicking on links in emails, especially if they appear suspicious or too good to be true.
- Educate Yourself:
  - Stay informed about phishing methods and various scam techniques based on phishing. Regularly educate yourself to recognize and avoid falling victim to phishing attacks.