After analyzing several previously unknown malicious files that were detected earlier this month, Kaspersky Lab determined the files were a new version of a data stealer known as the AZORult Trojan. Because the files are written in C++, and not Delphi, researchers have dubbed the variant AZORult++.

According to researchers, this latest version is potentially more dangerous than earlier variants. In addition to collecting data – including credentials, browser history and cookies – and sending it to command-and-control (C&C) servers, AZORult++ can also establish a remote desktop connection by creating a new user account and discreetly adding it to the administrators’ group.
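Creating a local account and then adding it to the Administrators group leaves a pair of records in the Windows Security log: event 4720 (user account created) followed by event 4732 (member added to a security-enabled local group). The detection logic below is an added example, not code from Kaspersky Lab or the original article; the sample records, account names, SIDs and the five-minute window are constructed assumptions.

```python
from datetime import datetime, timedelta

ADMINISTRATORS_SID = "S-1-5-32-544"   # well-known SID of the local Administrators group
WINDOW = timedelta(minutes=5)          # assumed correlation window, tune per environment

# Constructed sample records (not from the article), reduced to the fields used here.
EVENTS = [
    {"time": "2024-01-01T10:00:00", "id": 4720, "TargetUserName": "svc_backup",
     "TargetSid": "S-1-5-21-1-2-3-1105", "SubjectUserName": "helpdesk"},
    {"time": "2024-01-01T10:02:10", "id": 4720, "TargetUserName": "wkh3x",
     "TargetSid": "S-1-5-21-1-2-3-1106", "SubjectUserName": "alice"},
    {"time": "2024-01-01T10:02:11", "id": 4732, "MemberSid": "S-1-5-21-1-2-3-1106",
     "TargetSid": ADMINISTRATORS_SID, "SubjectUserName": "alice"},
    # Existing account promoted: no matching 4720 in the log, so not flagged here.
    {"time": "2024-01-01T11:30:00", "id": 4732, "MemberSid": "S-1-5-21-1-2-3-1001",
     "TargetSid": ADMINISTRATORS_SID, "SubjectUserName": "helpdesk"},
    # New account added to Backup Operators (S-1-5-32-551), not Administrators.
    {"time": "2024-01-01T12:00:00", "id": 4732, "MemberSid": "S-1-5-21-1-2-3-1105",
     "TargetSid": "S-1-5-32-551", "SubjectUserName": "helpdesk"},
]

def find_new_admin_accounts(events, window=WINDOW):
    """Return accounts created (4720) and added to Administrators (4732) within `window`."""
    created = {}   # account SID -> (creation time, account name, creating user)
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4720:
            created[ev["TargetSid"]] = (ts, ev["TargetUserName"], ev["SubjectUserName"])
        elif ev["id"] == 4732 and ev["TargetSid"] == ADMINISTRATORS_SID:
            seen = created.get(ev["MemberSid"])
            if seen and ts - seen[0] <= window:
                hits.append({"account": seen[1], "created_by": seen[2],
                             "seconds_to_admin": (ts - seen[0]).total_seconds()})
    return hits

if __name__ == "__main__":
    for hit in find_new_admin_accounts(EVENTS):
        print(hit)
```

Both events are only recorded when account-management auditing is enabled on the host, so confirm the audit policy before relying on this correlation.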

According to the analysis, the data stealer is most often used to target victims in Russia and India. “AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing,” wrote Alexander Eremin.

AZORult++ does not have loader functionality or support for stealing saved passwords. Though the C++ version has been deemed deficient when compared to its predecessors, it does have some of the same signatures recognized in the Delphi-based version.

“Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3,” Eremin wrote.

“Despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop,” Eremin said.

Because the variant has undergone several changes to functionality, researchers believe that this data stealer is still in development, and that we can expect to see an expansion of its functionality and attempts to widen its distribution.

Source: Infosecurity Magazine
