LTS Secure Warning: Information Leaking Trojan Adds New Tricks To Further Improve its Impact

We have seen previously that the AZORult trojan was spreading widely, and now it is back, posing as a signed Google Update installer written in C++. AZORult is designed to harvest as much sensitive information as possible: data from files, browser cookies and history, passwords, banking credentials, and cryptocurrency wallet information and credentials. It also alters the Windows registry after it has successfully infected the victim's device.

AZORult uses a GoogleUpdate.exe file to inject itself into the victim's device. The file name looks like the legitimate Google Update installer and the logo looks the same, but the file carries a different digital signature. The trojan then replaces the legitimate Google updater and gains administrative privileges. The most dangerous thing about it is that, because it looks like a genuine Google updater, anti-malware software has difficulty spotting any difference and stopping the malware.

This trojan is initiated by distributing documents that exploit one of the following CVEs:

  • CVE-2017-11882
  • CVE-2017-8759
  • CVE-2017-0199


Technical Details

Once infected it starts the following tasks:

  • GoogleUpdateTaskMachineCore – runs at login and once a day
  • GoogleUpdateTaskMachineUA – runs only once a day

It then alters the following registry values:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdatem\ImagePath
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gupdate\ImagePath
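Because the trojan keeps the legitimate task and service names and only swaps the binary and its signature, a defender's check is to resolve what those two scheduled tasks and two service ImagePath values actually point at and verify the Authenticode signature of that file. The script below is an added example, not code from the LTS Secure advisory; it assumes a legitimate updater binary carries a Valid signature whose certificate subject names Google (the `$expectedSignerPattern` value is an assumption), and it runs in an elevated Windows PowerShell session.

```powershell
# Added example (not from the advisory): audit the Google Update scheduled tasks and
# service ImagePath values named above and check the signature of the binary they run.
# Assumption (not stated on the page): a genuine updater is Valid-signed with a subject
# that matches $expectedSignerPattern; anything else is flagged for investigation.

$taskNames   = @('GoogleUpdateTaskMachineCore', 'GoogleUpdateTaskMachineUA')
$serviceKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\gupdatem',
    'HKLM:\SYSTEM\CurrentControlSet\Services\gupdate'
)
$expectedSignerPattern = 'Google'   # assumed expected signer substring

function Get-ExecutableFromCommand {
    param([string]$Command)
    # ImagePath and task actions may be quoted and carry arguments; keep only the exe.
    if ([string]::IsNullOrWhiteSpace($Command)) { return $null }
    $cmd = $Command.Trim()
    $exe = $null
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { $exe = $cmd.Substring(1, $end - 1) }
    }
    if (-not $exe) { $exe = ($cmd -split '\s+')[0] }
    return [Environment]::ExpandEnvironmentVariables($exe)
}

function Test-UpdaterBinary {
    param([string]$Source, [string]$Path)
    $result = [ordered]@{ Source = $Source; Path = $Path; Status = 'Missing'; Signer = ''; Suspicious = $true }
    if ($Path -and (Test-Path -LiteralPath $Path)) {
        $sig = Get-AuthenticodeSignature -FilePath $Path
        $result.Status = $sig.Status.ToString()
        if ($sig.SignerCertificate) { $result.Signer = $sig.SignerCertificate.Subject }
        # Only a Valid signature from the expected signer clears the entry.
        $result.Suspicious = -not ($sig.Status -eq 'Valid' -and $result.Signer -match $expectedSignerPattern)
    }
    return [pscustomobject]$result
}

$findings = @()

# Scheduled tasks: inspect every action's executable.
foreach ($name in $taskNames) {
    $task = Get-ScheduledTask -TaskName $name -ErrorAction SilentlyContinue
    if (-not $task) { continue }
    foreach ($action in $task.Actions) {
        $exe = Get-ExecutableFromCommand $action.Execute
        $findings += Test-UpdaterBinary -Source "Task:$name" -Path $exe
    }
}

# Services: inspect the ImagePath value the advisory says the trojan alters.
foreach ($key in $serviceKeys) {
    $imagePath = (Get-ItemProperty -Path $key -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
    if (-not $imagePath) { continue }
    $exe = Get-ExecutableFromCommand $imagePath
    $findings += Test-UpdaterBinary -Source "Service:$(Split-Path $key -Leaf)" -Path $exe
}

$findings | Format-Table -AutoSize
if ($findings | Where-Object Suspicious) {
    Write-Warning 'At least one Google Update task or service points at a missing, unsigned, invalidly signed or non-Google-signed binary; investigate before trusting the updater.'
}
```

A missing task or service key is skipped rather than flagged, since the page only describes what the trojan changes, not which hosts should have Google Update installed; on a host where the updater is expected, treat absence as its own finding.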

The trojan was also used in many high-level, successful phishing attacks on a few government services around the world, which were able to steal around 40,000 sets of login details.


Impact

  • It degrades system performance.
  • It steals your credentials and confidential data and sends them to a remote attacker.
  • Banking and other important credentials are at higher risk.
  • Browser and Windows registry settings can be changed.


Recommended Actions

  • Always update your anti-malware software to the latest release.
  • Avoid visiting untrusted websites and clicking links from unknown sources.
  • Run a periodic full system scan.