Credential-Stealing Malware Azorult Gets an Upgrade


Ted McKendall

Last month, it was reported that Azorult – a credential-stealing malware that targets endpoints (home desktops and laptop computers) and specialises in stealing passwords, credit card details, and cryptocurrency wallets – has been “substantially updated” with enhanced features for cyber criminals. This new strain of the malware serves to remind us that cybercrime is a business and we need to update our tactics as quickly as the criminals do.


Uncovered by Check Point researchers, Azorult's new features include the ability to steal additional forms of tokens from cryptocurrency wallets, including BitcoinGold, electrumG, btcprivate, bitcore and Exodus Eden. Other advertised updates include improvements to the wallet-stealing components and an improved admin portal.


First coming to light in 2016, Azorult has had many updates in its two-year life cycle, the last identified as recently as July this year. However, this latest version of Azorult comes just weeks after the source code for the previous versions (3.1 and 3.2) was leaked online, which makes those versions worthless as a product: nobody will pay for code that is freely available. It is therefore likely that the current updates are intended to make the malware sellable once more.


This new release gives us an insight into the workings of the criminal underground and again reminds us that cybercrime is run like the business that it is. Just as a technology vendor periodically updates its product to add new features and stay ahead of the competition, the vendors selling software to cyber criminals work in exactly the same way. They also advertise online (although in different forums) and extol new features that are not so different from a tech vendor's, such as a more user-friendly admin portal.


While the idea of a criminal focusing on something as trivial as customer experience may seem humorous, it is actually anything but. The idea of criminals rolling out updated strains of malware quarterly to bypass the latest security techniques should actually send a shiver down our spines.



Protect Against Quickly Evolving Malware

The latest version of Azorult is being delivered through known vulnerabilities in Internet Explorer and Flash Player, with JavaScript, Flash and VBScript used to exploit the browser and drop the malware onto the user's machine. Because this delivery chain relies on already-patched vulnerabilities, users who have applied the relevant software updates and security patches are protected against that infection vector. It is not the only vector, however: previous versions of the malware have been distributed as malicious Microsoft Word attachments in phishing emails, so users should also practise good email hygiene and treat unexpected Office documents, particularly ones that ask for macros to be enabled, as suspect.
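The Word-attachment vector above is one a mail gateway can check for mechanically, since a document that carries macros has a recognisable structure regardless of the filename the sender chose. The following is an added example (not Trusted Knight's or Check Point's code, and not part of the original article) of such a triage check: it inspects OOXML containers for the `word/vbaProject.bin` part and legacy OLE containers for the `Macros` / `_VBA_PROJECT` storage names. The sample attachments are constructed inline so the script runs offline; they are stand-ins, not real documents.

```python
"""Triage inbound Office attachments for embedded VBA macros.

Added example, not vendor code. The OLE branch is a raw-bytes heuristic
(it searches the file for UTF-16LE storage names rather than parsing the
sector directory), which is adequate for gateway triage but not a
replacement for a full OLE parser such as olefile/oletools.
"""
import io
import zipfile

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                          # OOXML (.docx/.docm/.xlsm) container

# Storage names that only exist when a VBA project is present. Legacy OLE
# directory entries store their names as UTF-16LE, so encode them that way.
OLE_MACRO_MARKERS = [s.encode("utf-16-le") for s in ("Macros", "_VBA_PROJECT")]

OFFICE_EXTS = {"doc", "dot", "docm", "docx", "dotm", "xls", "xlsm", "xlsb", "ppt", "pptm"}


def has_macros(data: bytes) -> bool:
    """Return True if the Office document bytes carry a VBA project."""
    if data.startswith(ZIP_MAGIC):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                names = {n.lower() for n in zf.namelist()}
        except zipfile.BadZipFile:
            return False
        # OOXML keeps macros in a binary part. Its presence is the signal,
        # so a .docm renamed to .docx is still caught.
        return any(n.endswith("vbaproject.bin") for n in names)
    if data.startswith(OLE_MAGIC):
        return any(marker in data for marker in OLE_MACRO_MARKERS)
    return False


def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict for one attachment: "quarantine", "allow" or "ignore"."""
    ext = filename.lower().rsplit(".", 1)[-1] if "." in filename else ""
    if ext not in OFFICE_EXTS:
        return "ignore"
    return "quarantine" if has_macros(data) else "allow"


def build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML-shaped zip (a stand-in, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)
    return buf.getvalue()


# Constructed legacy-format stand-ins: OLE magic plus a fake directory entry name.
LEGACY_DOC_WITH_MACRO = OLE_MAGIC + b"\x00" * 64 + "Macros".encode("utf-16-le") + b"\x00" * 64
LEGACY_DOC_CLEAN = OLE_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le") + b"\x00" * 64

# Constructed sample mailbox: filename -> attachment bytes.
SAMPLES = {
    "invoice.docm": build_ooxml(with_macro=True),
    "invoice.docx": build_ooxml(with_macro=False),
    "report.doc": LEGACY_DOC_WITH_MACRO,
    "memo.doc": LEGACY_DOC_CLEAN,
    "photo.jpg": b"\xff\xd8\xff",
}


def triage(samples=SAMPLES) -> dict:
    """Run the check over every attachment and return filename -> verdict."""
    return {name: classify_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:14} {verdict}")
```

The extension list only decides whether an attachment is worth inspecting; the verdict comes from the container contents, which is why `classify_attachment("renamed.docx", build_ooxml(True))` still returns `"quarantine"`.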


However, the security community has been telling users to update their systems quickly and not click on unknown email attachments for years – it’s unlikely that today is the day they are going to listen. Frankly, banks, e-commerce companies and cryptocurrency wallets shouldn’t rely on their customers to protect themselves from credential-stealing malware. These parties are at risk and suffer heavy losses if a hacker drains the user’s account. They have to take responsibility for protecting their customers. Since the criminals update their solutions and methods regularly, enterprises and the cyber security community have to as well.


Trusted Knight has developed Protector Air, an agentless malware-protection service for a website's customers that prevents credential fraud. This means that whether or not your customers' computers are infected with endpoint malware such as Azorult (and undoubtedly many will be), their credentials cannot be stolen, because they are protected at the point of the web page request. Any data that malware attempts to send to a criminal-owned C&C server is automatically encrypted and rendered useless to the criminal. Our approach with Protector Air is also resistant to the cat-and-mouse game that typifies the security industry. Instead of developing a solution that the criminals will find a way to defeat or circumvent in short order, Protector Air addresses the fundamental techniques employed by the malware and therefore remains effective at stopping fraud.


To find out more about how our patented Protector Air technology works, click here.