After analyzing several previously unknown malicious files that were detected earlier this month, Kaspersky Lab determined the files were a new version of a data stealer known as the AZORult Trojan. Because the files are written in C++, and not Delphi, researchers have dubbed the variant AZORult++.
According to researchers, this latest version is potentially more dangerous than earlier variants. In addition to amassing data – including credentials, browser history and cookies – and distributing it to command-and-control (C&C) servers, AZORult++ can also establish a remote desktop connection by creating a new user account and discreetly adding it to the administrators’ group.
The data stealer is reportedly used most often to target victims in Russia and India, according to analysis. “AZORult++ starts out by checking the language ID through a call to the GetUserDefaultLangID() function. If AZORult++ is running on a system where the language is identified as Russian, Armenian, Azerbaijani, Belarusian, Georgian, Kazakh, Tajik, Turkmen, or Uzbek, the malware stops executing,” wrote Alexander Eremin.
AZORult++ does not have loader functionality or support for stealing saved passwords. Though the C++ version has been deemed deficient when compared to its predecessors, it does have some of the same signatures recognized in the Delphi-based version.
“Like AZORult 3.3, AZORult++ uses an XOR operation with a 3-byte key to encrypt data sent to the C&C server. What’s more, this key we had already encountered in various modifications of version 3.3,” Eremin wrote.
“Despite its many flaws, the C++ version is already more threatening than its predecessor due to the ability to establish a remote connection to the desktop,” Eremin said.
Because the variant has undergone several changes to functionality, researchers believe that this data stealer is still in development, and that we can expect to see an expansion of its functionality and attempts to widen its distribution.