Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

A new AZORult C++ variant can establish RDP connections

Experts from Kaspersky observed a new C++ version of the AZORult data stealer that implements the ability to establish RDP connections. The AZORult Trojan is one of the most popular data stealers in the Russian cybercrime underground. The AZORult stealer was first spotted in 2016 by Proofpoint that discovered it was part of a secondary […]

AZORult c++

Experts from Kaspersky observed a new C++ version of the AZORult data stealer that implements the ability to establish RDP connections.


The AZORult Trojan is one of the most popular data stealers in the Russian cybercrime underground. The AZORult stealer was first spotted in 2016 by Proofpoint that discovered it was part of a secondary infection via the Chthonic banking trojan. Later it was involved in many malspam attacks, but only in July 2018, the authors released a substantially updated variant.

AZORult is able to collect targets browser history, login credentials, crypto-wallet files cookies, files from the infected systems, and more.

The malware has a relatively high price tag ($100), it supports a broad functionality (i.e. the use of .bit domains as C&C servers to protect owner anonymity and to make it difficult to block the C&C server), and has high performance.

The malware is also able to download additional payloads onto the infected machines.

The C++ version was first spotted in early March 2019, experts believe it was built by acolytes of CrydBrox, the initial AZORult author, who decided to pull the plug on it after AZORult 3.2 became too widely available.

“It appears that the acolytes of CrydBrox, the very one who pulled the plug on AZORult, decided to rewrite it in C++; this version we call AZORult++.” reads the analysis published by Kaspersky. “The presence of lines containing a path to debugging files likely indicates that the malware is still in development, since developers usually try to remove such code as soon as feasible. “

The analysis of the malware reveals that the AZORult++is affected by several issues, suggesting that the project is in the very early stages of development.

ike many other threats it first checks the language ID of the target machine and stops its execution if it identifies Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek.

This C++ version is deficient compared to AZORult 3.3, it doesn’t support stealing a feature from many of the browsers and doesn’t implement a loader functionality.
A more detailed analysis reveals that the C++ version is deficient compared to AZORult 3.3,

AZORult c++

Original AZORult 3.3 and AZORult++ uses the same algorithm for communication with the C&C server, they use the command format, the structure and method of storing harvested data, and encryption keys.

The malware maintains stolen data in RAM and does not write it to the hard disk to avoid detection.

The most concerning improvement for the C++ version is the ability to establish a remote connection to the compromised machines via RDP.

The malware creates a new, hidden administrator account on the machine, and sets a registry key to establish a Remote Desktop Protocol (RDP) connection.

“Despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop. Because AZORult++ is likely still in development, we should expect its functionality to expand and bugs to be eliminated, not to mention attempts to distribute it widely under a name that buyers will recognize,” Kaspersky concludes. 

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – AZORult, malware)

[adrotate banner=”5″]

[adrotate banner=”13″]