AZORult Comes Back Under the Cloak of Google Update Installer

Delaware, USA – January 30, 2019 – The activity of the updated version of AZORult trojan was noticed in the wild again, the Minerva Lab’s research team informs. The malware is masquerading to be an authentic Google Update installer and once it contaminates a victim machine it replaces a legitimate Google Updater. The replacing malicious .exe file looks head-to-toe a Google program signed with a valid certificate and has a proper icon. It could have been perfect ransomware, sensitive data, and cryptocurrency exfiltration tool if it hadn’t been for its certificate issued to “Singh Agile Content Design Limited”.

The forged executable contained a binary which was instrumental in the AZORult identification, namely Mozilla User Agent which is typical of this malware as well as /index.php request from HTTP POST and using .bit domain. The examined sample of AZORult hides in C:\Program Files that enables it scheduling tasks and gaining administrative privileges without modifying any parameters and running as a legitimate process. This technique is not a new one, it was used in MuddyWater APT campaign in year 2019 already, but still there is no evident proof to link AZORult to this group. Prevent compromising your infrastructure machines and keep sensitive information safe with AZORult Stealer Detector Rules:
https://tdm.socprime.com/tdm/info/1380/
https://tdm.socprime.com/tdm/info/1381/