Enhanced AZORult Stealer is the driving force behind new ransomware spam email campaign


Cybercriminals never let up and are always inventing new ways of making money at someone else’s expense. Ransomware distribution through spam emails is one of their gold mines: such campaigns are often successful and let them infiltrate computers with relative ease. A new campaign has drawn the attention of security researchers; it uses an updated version of the AZORult Stealer malware downloader to spread the Hermes ransomware. It all began on July 17, 2018, when the downloader got an update, and things moved quickly after that. The campaign was underway the next day and was reported by the security firm ProofPoint. Its targets were users in North America.

The researchers say that a threat actor tracked as TA516 is very likely behind the attack, as this actor has been actively leveraging this kind of ransomware since 2017. The new campaign has an employment-related theme: the emails are disguised as job applications and requests for employment information. In some instances they instead claim to contain an invoice for an outstanding payment, with the subject “Invoice Due” and a message that there is an outstanding balance. Each email carries a password-protected attachment named after the template “firstname.surname_resume.doc” (or “Invoice.doc”, depending on the variant of the attack). On its own the attachment appears harmless, which in most cases lets it go unnoticed by security software. Once the password contained in the email itself is entered (it may be as simple as 1234), however, it is a different story: the document asks the user to enable macros, and once they do, scripts that download AZORult are executed. After that, the Hermes 2.1 ransomware (hrms.exe) is downloaded and run. Files are then encrypted and, unlike with many other threats of this kind, no new extension is appended to them. The infection can be recognized by the “DECRYPT_INFORMATION.html” ransom note, which is displayed once all of the targeted data has been encrypted.
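The chain described above (lure document opened in Word, macro launching a script, hrms.exe running, ransom note written with no extension change) can be turned into a simple stage-based detection over endpoint process and file events. The script below is an added example and not code from the article or from ProofPoint; the telemetry lines are constructed, the set of script hosts a macro might spawn is an assumption, and the lure names, hrms.exe and DECRYPT_INFORMATION.html come from the campaign description.

```python
import re
from collections import defaultdict

# Constructed endpoint telemetry (not real logs). Fields: time|host|event|parent|image|path
SAMPLE_EVENTS = """\
2018-07-18T09:12:03|WS01|process|outlook.exe|winword.exe|C:\\Users\\a\\Downloads\\john.smith_resume.doc
2018-07-18T09:12:41|WS01|process|winword.exe|wscript.exe|C:\\Users\\a\\AppData\\Local\\Temp\\dl.vbs
2018-07-18T09:13:05|WS01|process|wscript.exe|hrms.exe|C:\\Users\\a\\AppData\\Local\\Temp\\hrms.exe
2018-07-18T09:20:17|WS01|file|hrms.exe|DECRYPT_INFORMATION.html|C:\\Users\\a\\Documents\\DECRYPT_INFORMATION.html
2018-07-18T10:01:00|WS02|process|explorer.exe|winword.exe|C:\\Users\\b\\Documents\\budget.doc
2018-07-18T11:45:12|WS03|process|outlook.exe|winword.exe|C:\\Users\\c\\Downloads\\Invoice.doc
2018-07-18T11:45:50|WS03|process|winword.exe|powershell.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
"""
# Lure file names, hrms.exe and DECRYPT_INFORMATION.html come from the campaign description;
# the list of script hosts a macro might spawn is an assumption.
LURE_NAME = re.compile(r"(?:[a-z]+\.[a-z]+_resume|invoice)\.doc$", re.I)
OFFICE_APPS = {"winword.exe", "excel.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
HERMES_BINARY, RANSOM_NOTE = "hrms.exe", "DECRYPT_INFORMATION.html"

def parse_events(text):
    for line in text.splitlines():
        if line.strip():
            ts, host, event, parent, image, path = line.split("|", 5)
            yield {"ts": ts, "host": host, "event": event,
                   "parent": parent.lower(), "image": image.lower(), "path": path}

def stages_per_host(events):
    """Map each host to the ordered list of kill-chain stages observed on it."""
    seen = defaultdict(list)
    def mark(host, stage):
        if stage not in seen[host]:
            seen[host].append(stage)
    for e in events:
        name = e["path"].rsplit("\\", 1)[-1]
        if e["event"] == "process":
            if e["image"] in OFFICE_APPS and LURE_NAME.match(name):
                mark(e["host"], "lure_document")      # resume/Invoice .doc opened
            if e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS:
                mark(e["host"], "macro_script")       # macro launched a script host
            if e["image"] == HERMES_BINARY:
                mark(e["host"], "hermes_execution")
        elif e["event"] == "file" and name == RANSOM_NOTE:
            mark(e["host"], "ransom_note")            # Hermes adds no extension; the note is the tell
    return dict(seen)

def verdict(stages):
    if "hermes_execution" in stages or "ransom_note" in stages:
        return "infected"
    return "suspicious" if "macro_script" in stages else "clean"
```

Because Hermes leaves file extensions unchanged, the detection keys on the ransom note name and on the process lineage rather than on renamed files.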

The reason AZORult remains a persistent problem for companies is straightforward: its code receives regular updates, which makes it harder for security software to block its attacks. According to ProofPoint, version 3.2 adds the ability to steal browser history, detect cryptocurrency wallets and use system proxies for its connections, a sure recipe for disaster. The trouble does not end there: AZORult also supports unlimited loader links, which let cybercriminals specify how the loader behaves, for example making it download cookies or saved passwords for certain web pages.

The way AZORult steals information and then drops ransomware on the device is also less conventional than usual. This has a downside for the criminals, since it makes their activity easier for security software to detect. When they do succeed, however, the compromised computers become more vulnerable to subsequent ransomware attacks, and there is also the risk of sensitive data being stolen from them. As for the current Hermes attack, it is being pushed at scale: thousands of spam emails have already been created and distributed.

That is why it is very important to pay close attention to system security and raise awareness among employees. For this, IBM security professionals recommend conducting phishing simulations, with IT teams drafting mock attacks and sending them to users across the firm. The results should then be collected and studied to determine further actions. Employees should also report suspicious messages to IT teams rather than treating them as insignificant; this can help prevent a more damaging attack.

An integral cybersecurity culture that extends to end users should also be developed. It needs to be built into business processes rather than treated as an afterthought. The Internet has become an important part of day-to-day operations, and protecting those operations from attack is necessary to avoid disrupting them. Collaboration on cybersecurity should be encouraged across departments, and the concept of shared responsibility for IT security should be promoted. In addition, employees should not open unknown attachments unless they are expecting them from the sender and the sender has confirmed that they actually sent them. Otherwise the consequences can be severe, and large losses for the company are likely to follow. This is not the type of scenario that should be allowed to unfold, and the more attention is paid to cybersecurity, the lower the chances of a successful attack.
