Malware Stealing Credentials via Office Documents



Recently the threat actors in charge of the AZORult malware released a refreshed variant with upgrades on both the stealer and the downloader functionalities. This was altogether done within a day after the new version had released a dark web user AZORult in a large Email campaign to circulate the Hermes ransomware.

The new campaign with the updated adaptation of AZORult is in charge of conveying thousands of messages focusing on North America with subjects, such as, "About a role" or "Job Application" and even contains the weaponized office document "firstname.surname_resume.doc” attached to it.




Researchers said, “The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes.”

Attackers have made use of the password-protected documents keeping in mind the end goal to avoid the antivirus detections. Once the client enters the password for documents, it requests to enable macros which thusly download the AZORult, and at that point it connects with the C&C server from the already infected machine and the C&C server responds with the XOR-encoded 3-byte key. 

Finally after exfiltrating stolen credentials from the infected machine, it additionally downloads the Hermes 2.1 ransomware.

Security analysts from Proofpoint even recognized the new version (3.2) of AZORult malware publicized in the underground forum with full changelog.

UPD v3.2
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]Com/soft.exe. Also, there is a rule “If there is data from cryptocurrency wallets” or “for all”
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
[+] Reduced the load in the admin panel.
[+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
[+] Added to the admin panel guest statistics
[+] Added to the admin panel a geobase

As indicated by the scientists, the malware campaign contains both the password stealer as well as the ransomware, which is astounding on the grounds that it is not so common to see both. Therefore, before causing a ransomware attack, the stealer would check for cryptocurrency wallets and steal the accreditations before the files are encrypted.


An Experimental Form of Android Malware Delivers a Banking Trojan, a Keylogger and Ransomware




An experimental form of Android malware, which was first considered to be an updated version of Lokibot, is known to convey a banking Trojan, a keylogger and ransomware to those most likely to succumb to it.

It is said to contain a couple of new features that the specialists are naming it as a yet another type of malware - MysteryBot.

The MysteryBot and the LokiBot are referred to share the same command as well as the control server which in this way shows an already established strong link between these two types of malware, with the potential that they've been produced by the same attacker.

"The enhanced overlay attacks also running on the latest Android versions combined with advanced keylogging and the potential under-development features will allow MysteryBot to harvest a broad set of personal identifiable information in order to perform fraud," wrote researchers.

While the MysteryBot is well equipped for performing various pernicious exercises, like making a phone call, stealing contact information, forwarding the incoming calls to another device, setting the keylogger, it is also capable of encoding the files possessed by the device and erases all contact information on the device.

It has the ability to effectively target Android versions 7 and 8 utilizing overlay screens intended to look like genuine bank websites, while numerous other Android malware families are focusing on attacking the older variants of the Google operating system.

Is additionally said to use a somewhat complex keylogging functionality that was never known and it supposedly employees two other banking Trojan's keylogging Module (CryEye and Anubis) to abuse the Android Accessibility service.

Be that as it may, notwithstanding a portion of the abilities of MysteryBot presently being underdeveloped, the malware is as yet a potential danger.


MysteryBot isn't at present widespread and is still being worked on, however it is recommended that the users ought to be careful about any applications they download which requests an over the top number of authorizations.


Ransomware Attack from Russian IP’s jeopardizes the Victims and Locks Their PC’s



A Newfound Ransomware by the name of Sigma is known to be spreading from Russia-based IP's with the assortment of social engineering procedures in order to jeopardize the victims and lock the contagion computer.

User's that were targeted on through the malignant SPAM Messages that contained a proclamation originated from the "United States District Court" with a pernicious attachment.


Presently the attackers utilizing the Email scam so as to make sure that the targeted victims perform the diverse malicious activities all the while manipulating the user by some emergency strings of dread and giving rise to the victim’s inquisitiveness.The Sigma Ransomware Attack directed from around 32 Russian based IP's and the attacker enlisted in the particular domain which is specifically utilized to perform different attacks.

The creators of the Malware utilized more obfuscation works by asking for the password to open the file and avoid the discovery.At first, the malignant documents required a password to open since it tricks the user to download the attachment that ought to be protected since the mail is originated from the court.

In the event that it finds that the Macros are turned off on the victim's machine then it further convinces the users to turn it on which contains malevolent VBScript.

Then, the VBScript will download the first Sigma Ransomware payload from the attack summon, control server and save it in the %TEMP% folder.Downloaded malware emulates as a legit svchost.exe process which assists in downloading an additional malware.

The Malware utilized a variety of obscurity strategy to conceal it and sidestep the discovery and it revokes itself on the off chance that it finds any virtual machine or sandboxes present.

 "Looking with malware so complex on the sides, social engineering traps and technical design is a challenge hard even for even security-mindful users," says Fatih Orhan, the Head of Comodo Threat Research Labs.

As indicated by the Comodo Research, uncommon to a portion of its ransomware relatives, Sigma does not act promptly but rather sneaks and makes secretive observations first. It makes a rundown of important documents, checks them and sends this incentive to its C&C server alongside other data 
about the victim's machine.

Likewise if the sigma Ransomware finds no files then it erases itself and it stops the infection in the event that it finds the country location of Russian Alliance or Ukraine. Later it associates with its order and control servers and builds up the Tor Connection and Sigma Ransomware begins to encode documents on the machine.

After the complete encryption, it will show the ransom notes of that contains the definite and detailed data of the attack and the request of the attack to the victims   to get in touch with them by means of sigmacs@protonmail.com and furthermore mentioning the infection ID.

Additionally, the attack demands the payoff sum through bitcoin and the cost will be settled in view of how instantly the victims contact to the attack.