AZORult is an information-stealing trojan that harvests and exfiltrates data from a compromised system. It is installed by a first-stage malware such as Seamless. The malware searches for the following information and sends it to its C2 server:
- Saved passwords, such as those from browsers, email and FTP servers;
- Cookies from browsers and forms, including autofill;
- wallet.dat files from popular bitcoin clients;
- Skype message history;
- Files from chat history;
- Desktop files;
- Files with specified extensions from the Desktop and from specified folders;
- List of installed programs;
- List of running processes; and
- Username, computer name, and operating system type.
In July 2018, AZORult was substantially updated, improving both its stealer and its downloader functionality. It was immediately seen in a large email campaign that leveraged the new capabilities to distribute Hermes ransomware. The advertisement for AZORult version 3.2 lists the following updates:
- Added stealing of history from browsers (except IE and Edge).
- Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC.
- Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works.
- Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly.
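The two lists above describe what a host running AZORult does: one process reads credential stores, cookies, wallet files, chat history and Desktop files in quick succession, and then talks to its C2, falling back to a direct connection when the system proxy does not work. The following is an added detection example (it is not code from the page or from any vendor named on it) that turns that behaviour profile into a simple scoring rule over process telemetry. The log format, the process names and paths, and the artefact file names used to classify reads (Chrome `Login Data`, Firefox `logins.json` and `cookies.sqlite`, Bitcoin `wallet.dat`, Skype `main.db`) are assumptions about a typical Windows host, and the log lines are constructed sample data.

```python
"""Toy breadth-of-collection detector modelled on the AZORult profile above.

Added example with constructed telemetry; the line format is a simplified,
Sysmon-like key=value layout invented for this demonstration.
"""
import re
from collections import defaultdict

# Artefact classes the stealer is reported to collect. The file-name fragments
# are assumptions about where such data usually lives on a Windows host.
ARTIFACT_PATTERNS = {
    "browser_credentials": re.compile(r"\\(Login Data|logins\.json)$", re.I),
    "browser_cookies":     re.compile(r"\\(Cookies|cookies\.sqlite)$", re.I),
    "crypto_wallet":       re.compile(r"\\wallet\.dat$", re.I),
    "skype_history":       re.compile(r"\\Skype\\.*\\main\.db$", re.I),
    "desktop_file":        re.compile(r"\\Desktop\\[^\\]+$", re.I),
}

# A browser legitimately reads its own credential store and cookies, so one or
# two classes is normal; breadth across several classes is the stealer signal.
BREADTH_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) "
    r"event=(?P<event>\w+) (?P<rest>.*)$"
)

# Constructed sample telemetry: pid 4120 behaves like the stealer, pid 2210 is
# a browser reading only its own data and using the configured proxy.
SAMPLE_LOG = r"""
2018-07-20T10:00:01Z pid=4120 image=C:\Users\alice\AppData\Local\Temp\upd.exe event=FileRead path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2018-07-20T10:00:02Z pid=4120 image=C:\Users\alice\AppData\Local\Temp\upd.exe event=FileRead path=C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\cookies.sqlite
2018-07-20T10:00:03Z pid=4120 image=C:\Users\alice\AppData\Local\Temp\upd.exe event=FileRead path=C:\Users\alice\AppData\Roaming\Bitcoin\wallet.dat
2018-07-20T10:00:04Z pid=4120 image=C:\Users\alice\AppData\Local\Temp\upd.exe event=FileRead path=C:\Users\alice\AppData\Roaming\Skype\alice\main.db
2018-07-20T10:00:05Z pid=4120 image=C:\Users\alice\AppData\Local\Temp\upd.exe event=FileRead path=C:\Users\alice\Desktop\notes.txt
2018-07-20T10:00:06Z pid=4120 image=C:\Users\alice\AppData\Local\Temp\upd.exe event=NetConnect dst=203.0.113.10:80 proxy_configured=true via_proxy=false
2018-07-20T10:00:07Z pid=2210 image=C:\Program Files\Google\Chrome\Application\chrome.exe event=FileRead path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
2018-07-20T10:00:08Z pid=2210 image=C:\Program Files\Google\Chrome\Application\chrome.exe event=FileRead path=C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
2018-07-20T10:00:09Z pid=2210 image=C:\Program Files\Google\Chrome\Application\chrome.exe event=NetConnect dst=198.51.100.7:443 proxy_configured=true via_proxy=true
"""


def parse_line(line):
    """Parse one telemetry line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    if rec["event"] == "FileRead":
        rec["path"] = rec["rest"][len("path="):]
    elif rec["event"] == "NetConnect":
        # rest looks like: dst=... proxy_configured=true via_proxy=false
        rec.update(dict(tok.split("=", 1) for tok in rec["rest"].split()))
    return rec


def classify_path(path):
    """Return the artefact class a file path belongs to, or None."""
    for name, pattern in ARTIFACT_PATTERNS.items():
        if pattern.search(path):
            return name
    return None


def analyse(lines):
    """Return {pid: finding} for processes matching the collection profile."""
    touched = defaultdict(set)   # pid -> artefact classes read
    images = {}                  # pid -> executable image
    proxy_bypass = set()         # pids that connected directly despite a proxy
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        pid = rec["pid"]
        images[pid] = rec["image"]
        if rec["event"] == "FileRead":
            cls = classify_path(rec["path"])
            if cls:
                touched[pid].add(cls)
        elif rec["event"] == "NetConnect":
            if rec.get("proxy_configured") == "true" and rec.get("via_proxy") == "false":
                proxy_bypass.add(pid)

    findings = {}
    for pid in set(touched) | proxy_bypass:
        classes = touched.get(pid, set())
        reasons = []
        if len(classes) >= BREADTH_THRESHOLD:
            reasons.append("reads %d distinct artefact classes" % len(classes))
        # A proxy bypass on its own is noisy; only report it together with
        # at least one sensitive read by the same process.
        if pid in proxy_bypass and classes:
            reasons.append("direct connection while a system proxy is configured")
        if reasons:
            findings[pid] = {"image": images[pid],
                             "classes": sorted(classes),
                             "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, finding in analyse(SAMPLE_LOG.strip().splitlines()).items():
        print(pid, finding["image"], "; ".join(finding["reasons"]))
```

The rule fires on pid 4120 for both breadth (five artefact classes) and the direct connection with a proxy configured, and stays quiet for chrome.exe, which reads only its own two stores and honours the proxy. In practice the class patterns would be extended per browser and wallet actually deployed, and the threshold tuned against a baseline of what backup agents and sync clients read.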
Reporting and Technical Details
- Threatstop provides technical details here.
- January 2018: AZORult is being delivered via the RIG EK and Ramnit trojan. (Malware-Traffic-Analysis)
- July 2018: New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. (Proofpoint)