Minerva Labs’ research team has observed a new malware that poses as Google Update and then breaches your data. The AZORult malware has emerged as a new threat: an information stealer that disguises itself as Google Update. This malware may even replace the legitimate Google Updater program on a compromised machine.
This is not the first time malware has disguised itself as a legitimate tool, and there have been Trojans that work as downloaders for other malware payloads in multi-stage campaigns. AZORult is known for its ability to find and exfiltrate as much sensitive information from a machine as possible, such as passwords, browsing history, cookies and cryptocurrency wallet codes.
How Does AZORult Affect Your Computer and Information?
AZORult breaches your data once it has successfully compromised your machine. Like other malware of its kind, its core task is to gather as much confidential information from the machine as possible. Because this malware poses as a legitimate executable, it uses several techniques to keep you believing it is a genuine program.
Fake/Stolen Certificate: According to Asaf Aprozper and Gal Bitensky of Minerva Labs, they received from a customer a GoogleUpdate.exe binary that was signed with an apparently legitimate certificate, yet had been blocked at launch by Minerva’s Anti-Evasion Platform. On inspection, everything about the GoogleUpdate.exe appeared valid: it carried the same icon as the legitimate updater from Google and a non-revoked certificate.
When the team investigated the file more deeply, they found that the binary was in fact signed with a certificate issued to a company called ‘Content Design’ rather than to Google.
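The lesson of the certificate finding is that "signed and not revoked" is not the same as "signed by the publisher you expect". The following PowerShell check is an added example written for this article, not code from Minerva Labs or Google: it reads the Authenticode signature of a binary and reports separately whether the signature chain is valid and whether the signer’s Subject names the expected organisation. The install paths and the `O=Google (LLC|Inc)` pattern are assumptions about where the real updater lives and how Google’s code-signing certificates are named; adjust them for your environment.

```powershell
# Added example (not from the article, Minerva Labs or Google): distinguish
# "validly signed" from "signed by the publisher we expect".
function Test-ExpectedSigner {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Regex matched against the signer certificate's Subject DN.
        # Assumption: Google's code-signing certs carry O=Google LLC (older: Google Inc).
        [string] $ExpectedSubjectPattern = 'O=Google (LLC|Inc)'
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'Missing'; Signer = $null; Status = $null }
    }

    $sig     = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    $verdict = if ($sig.Status -ne 'Valid') {
        'UnsignedOrInvalid'
    } elseif ($subject -notmatch $ExpectedSubjectPattern) {
        # Chain verifies and the cert is not revoked, but it was issued to
        # someone other than Google: the situation the article describes.
        'ValidButWrongPublisher'
    } else {
        'Ok'
    }

    [pscustomobject]@{
        Path    = $Path
        Verdict = $verdict
        Signer  = $subject
        Status  = $sig.Status
    }
}

# Assumed locations of the real updater; a swapped-in binary shows up as
# ValidButWrongPublisher rather than as an unsigned file.
$candidates = @(
    "$env:ProgramFiles\Google\Update\GoogleUpdate.exe",
    "${env:ProgramFiles(x86)}\Google\Update\GoogleUpdate.exe",
    "$env:LOCALAPPDATA\Google\Update\GoogleUpdate.exe"
)
$candidates | ForEach-Object { Test-ExpectedSigner -Path $_ } | Format-Table -AutoSize
```

The verdict worth alerting on is `ValidButWrongPublisher`: a tool that only checks `Status -eq 'Valid'` would have passed the sample in the article, because its certificate chained correctly and had not been revoked.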
Obtaining Persistence and Admin Rights via Impersonation: With the malware already on the system, the team looked deeper and found that the fake GoogleUpdate binary was actually the AZORult Trojan. The conclusion was based on several patterns: an HTTP POST request to an /index.php it created, the use of a .bit domain (DNS over blockchain), and the Mozilla40 User-Agent that all AZORult infections use.
The researchers’ conclusion was later validated by the Intezer and VirusTotal analysis reports on the malware sample they submitted for in-depth analysis. Because AZORult can simply replace Google’s Update program, it achieves persistence without altering the Windows registry or creating any scheduled tasks of its own.
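The three network traits the article lists (a POST to /index.php, a .bit host, and the User-Agent it writes as "Mozilla40") are easy to turn into a proxy-log check. The script below is an added example, not from the article or Minerva Labs: the log format, the sample lines and the host names are constructed for illustration, and the User-Agent pattern is taken as the article spells it, so adjust it to whatever form your proxy records.

```powershell
# Added example (not from the article or Minerva Labs): flag outbound requests
# that combine the AZORult traits the article lists.
function Find-AzorultLikeRequests {
    param([Parameter(Mandatory)] [string[]] $LogLines)

    foreach ($line in $LogLines) {
        # Constructed format: <timestamp> <client> <method> <url> "<user-agent>"
        if ($line -notmatch '^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$') { continue }
        # Copy captures now; a later -match would overwrite $Matches.
        $client = $Matches[2]; $method = $Matches[3]; $url = $Matches[4]; $ua = $Matches[5]
        $uri = [System.Uri]$url

        $reasons = @()
        if ($method -eq 'POST' -and $uri.AbsolutePath -eq '/index.php') { $reasons += 'POST to /index.php' }
        if ($uri.Host -match '\.bit$')  { $reasons += '.bit (blockchain DNS) host' }
        if ($ua -match '^Mozilla40')    { $reasons += 'Mozilla40 User-Agent' }

        # Require at least two traits together: a lone POST to /index.php is
        # common on legitimate sites and would drown the alert in noise.
        if ($reasons.Count -ge 2) {
            [pscustomobject]@{
                Client  = $client
                Host    = $uri.Host
                Reasons = ($reasons -join '; ')
                Line    = $line
            }
        }
    }
}

# Constructed sample lines (not real traffic); only the first should be flagged.
$sample = @(
    '2018-07-10T09:15:01Z 10.0.0.15 POST http://example-panel.bit/index.php "Mozilla40"',
    '2018-07-10T09:15:02Z 10.0.0.22 GET  http://www.example.com/ "Mozilla/5.0 (Windows NT 10.0)"',
    '2018-07-10T09:15:03Z 10.0.0.31 POST http://forum.example.org/index.php "Mozilla/5.0 (Windows NT 10.0)"'
)
Find-AzorultLikeRequests -LogLines $sample | Format-Table -AutoSize
```

The persistence point in the paragraph above suggests a second, host-side check: because the Trojan rides on Google Update’s existing tasks rather than creating its own, a scheduled-task audit that looks only for new entries will miss it, so the binary those existing tasks launch should be signature-checked as in the earlier example.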
Overall, malware attacks are nothing new and deserve serious attention, especially when your machine holds confidential and financial information. Practising safe browsing can reduce your exposure to threats like this to a significant degree, and a dedicated anti-malware tool can reduce the risk of an AZORult infection to a minimum. If you suspect such malware on your machine, diagnose it now to protect your data. If you have tips and tricks to share, leave a comment below.