Malware News Updated AZORult Spyware Comes with Sophisticated New Techniques

silversurfer

An updated version of the AZORult spyware has been sighted as the payload in a large spam campaign – just one day after debuting on the Dark Web.

AZORult steals information and can download additional malware; it’s been around since at least 2016, when Proofpoint researchers identified it as part of a secondary infection via the Chthonic banking trojan. It’s become fairly common in a range of malspam attacks since then, the firm noted – but the authors have now released what researchers termed in a Monday posting “a substantially updated version.”

The upgraded code has a raft of sophisticated improvements, including the ability to steal histories from non-Microsoft browsers; a conditional loader that checks certain parameters before running the full malware; support for Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC cryptocurrency wallets; the ability to use system proxies; and a few administrative tweaks, like location awareness and the ability to more easily delete spy reports that don’t have useful information.
 
