Experts observed the STOP ransomware installing the Azorult password-stealing Trojan to steal account credentials, cryptocurrency wallets, and more.

The STOP ransomware made the headlines because it is installing password-stealing Trojans on the victims’ machines.

Experts observed the ransomware also installing the dreaded Azorult password-stealing Trojan on victim’s machine to steal account credentials, cryptocurrency wallets, documents and more.

AZORult is a data stealer that was first spotted in 2016 by Proofpoint that discovered it was it was part of a secondary infection via the Chthonic banking trojan. Later it was involved in many malspam attacks, but only in July 2018, the authors released a substantially updated variant.

In July, the experts discovered a new sophisticated version of the AZORult Spyware that was involved in a large email campaign on July 18. In October a new version of the info-stealer appeared in the wild, it is able to steal more data, including other types of cryptocurrencies

The STOP Ransomware was first spotted in January when he was being distributed by fake software cracks in January,

The popular malware researcher Michael Gillespie observed that some recent variants of the ransomare were generating traffic to infrastructure previously associated with the Azorul infection.

STOP Ransomware Installing Password Stealing Trojans on Victims – by @LawrenceAbramshttps://t.co/HarEzOpVvt — BleepingComputer (@BleepinComputer) March 10, 2019

“When we first covered the DJVU variant of the STOP Ransomware being distributed by fake software cracks in January, we noted that when the malware was executed it would download various components that are used to perform different tasks on a victim’s computer.” reads a blog post published by Bleepingcomputer.

“These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to Windows’s HOSTS file.”

One of the variants analyzed by BleepingComputer encrypts data and appends the .promorad extension to encrypted files, then it creates ransom notes named _readme.txt as shown below.

The Promorad Ransomware variant samples tested by the experts also download a file named 5.exe and executed it. Once executed it attempt to communicate with C2 servers also associated with the Azorult Trojan.

Experts recommend victims who have been infected with the STOP Ransomware to immediately change the passwords to any online accounts that they used.

“Victims should also change passwords in software such as Skype, Steam, Telegram, and FTP Clients. Finally, victims should check any files stored on the Windows desktop for private information that may now be in the hands of the attackers.” concludes BleepingComputer.

The known list of STOP ransomware extensions includes:

.blower .djvu .infowait .promok .promorad2 .promos .promoz .puma .rumba .tro

Pierluigi Paganini

( SecurityAffairs – STOP ransomare , malware)

Share this...

Linkedin Reddit Pinterest

Share On