The AZORult information stealer and downloader malware strain was observed by Minerva Labs' research team posing as a signed Google Update installer and achieving persistence by replacing the legitimate Google Updater program on compromised machines
AZORult is an ever-evolving data-stealing Trojan also known to act as a downloader for other malware payloads in multi-stage campaigns and previously detected as part of highly complex and large scale malicious campaigns spreading
ransomware,
data and
cryptocurrency stealing malware.
On its own, AZORult is designed to exfiltrate as much sensitive information as possible, from files, passwords, cookies, and browser history to banking credentials and cryptocurrency wallets once it successfully infects a targeted machine.
Stolen certificate used to sign the fake Google Update binary
According to Minerva Labs' Asaf Aprozper and Gal Bitensky, they received a GoogleUpdate.exe binary signed with a valid certificate from a customer which was blocked by Minerva’s Anti-Evasion Platform at launch. Everything about the GoogleUpdate.exe program pointed to it being a legitimate updater from Google, having the right icon and being signed with a non-revoked certificate.