A malicious build-it-yourself platform for the Azorult info-stealing malware has debuted on the Dark Web.
The online builder, which its authors have named Gazorp, allows cybercriminals to generate their very own strains of Azorult, along with the apparatus to control it. And, it’s free.
“Threat actors [gain] the ability to create fresh Azorult samples and corresponding panel server code, leaving them simply to provide their Command & Control (C&C) address,” wrote Check Point researchers Nikita Fokin, Israel Gubi and Mark Lechtik, in a posting last week on the generator. “This address gets embedded into the newly created binary, which in turn can be distributed in any way the threat actor sees fit.”
Check Point researchers took the platform for a test-drive and found that Gazorp does, indeed, perform as advertised, “effectively” creating samples of Azorult version 3.0.
Azorult is a fairly popular commercial malware, which is used for harvesting various kinds of information, including passwords, credit-card information, cryptocurrency wallet data and more. It also can download additional malware. It’s been around since at least 2016, when Proofpoint researchers identified it as part of a secondary infection via the Chthonic banking trojan.
Azorult 3.0 debuted five months ago, and while there have been two subsequent versions released into the wild since then with major improvements, “the outdated version has multiple stealing capabilities which can be leveraged by any actor to gather victim information and misuse it,” the Check Point team noted.
The researchers added that the Gazorp platform claims to offer multiple upgrades and enhancements to Azorult’s existing leaked C2 panel code, which was uploaded to GitHub a few months ago.
Check Point said that Gazorp offers “major differences and additions” compared with the leaked panel code, with a main enhancement being a global heat map that provides statistics by country.
Gazorp is also in active development, and its creators are taking a hacker community-minded approach to the proceedings. The service has its own Telegram channel, where interested parties can get updates on the project and weigh in with their own ideas. So far, the Gazorp authors have promised future extensibility with a “modules” library, and features like the ability to configure the panel and export the various databases to a file.
“For now, it seems we are looking at a very early version of the Gazorp service (0.1), where the main product delivered is an enhanced Azorult C&C panel code,” researchers said. “However, we do expect the project to evolve with time, and possibly produce new variants for Azorult.”
As for monetization, the public can donate to the project with Bitcoin. There are no fees to use Gazorp, which further lowers the barrier to entry for cybercriminals.
“Given that the service is free, it is…possible that new campaigns with Gazorp built binaries will start to emerge in higher scale in the wild,” the researchers said.