All of you must have heard the word ‘Malware’, a malicious software or content dropped in your system to infect it and make it dysfunctional.
But, what’s new?
Malware is coded by hackers and dropped in system through some third-party app or software or maybe through phishing links.
However, it will be much easier for hackers or for the people, who are willing to do so, because now there are malware builders, which help attackers in creating a malware.
Similarly, a new malware builder was discovered by researchers at Check Point. An online builder dubbed as ‘Gazorp’, which is hosted on dark web.
How Gazorp Help Attackers?
It’s a builder for designing binaries, for a malware such as AZORult.
AZORult is an information stealer that is capable of stealing information like, user passwords, credit card information, cryptocurrency related data and more.
The Gazorp builder is available for free to hackers. It helps authors to create fresh new binaries of AZORult and panel server code, after which authors just have to provide with their corresponding command & control (C&C) address.
As soon as they provide C&C server address, it is fixed with the new created sample binary that can be distributed and used whatever way the actor likes it.
According to researchers, it effectively can generate sample of AZORult version 3.0 that was in the market almost five months ago.
And in the last 5 months, it has been updated twice to versions 3.0 & 3.2 respectively, which are said to be built by Gazorp. The outdated versions of AZORult have several info stealing capabilities, but still multiple upgrades enhance malware code and makes it stronger than before.
Also Read : Malware: Too Sassy For Cybersecurity!
Distinctive Features of AZORult Generated by Gazorp:
As researchers said, Gazorp is capable of building duplicates of AZORult version 3.0, but it is not completely similar, it has some distinctive features when compared to original one. Let’s take a look at the features of AZORult generated by Gazorp that are distinctive from the original one.
1. It has a unique mutex that is created at the beginning of execution. Mutex is a concatenation and join of authorities of user (A-admin, U-user, S-system, G-guest) and the string “d48qw4d6wq84d56as”.
2. It encrypts and secures its connection with C2 server by using XOR method with a key hardcoded inside the file. AZORult version 3.0 by Gazorp has the same; it also comes with key that is 0xfe, 0x29, 0x36.
3. The message returned from C2 server comes with tags, which in version 3.0 are as follows:
The values between the tags are de-coded with Base64.
What’s the Strategy Behind Gazorp?
Timing is what Gazorp creators had in mind, it’s all about timing and strategy. It came to notice after leaked code of AZORult’s panel for version 3.1 and 3.2 respectively.
The leaked code allows actors to host an C&C panel without any efforts, it’s made that easy and simple. It contains a builder for latest version, which is not offered with original version.
Online builder is linked to Telegram channel, which displays all the activities carried out by the attackers, so that everyone know what’s cooking. Also, ones who are interested can submit their suggestions and give feedback for improvement of this project. Although Gazorp is free to use, but to monetize the project, they are issuing transactions to a particular Bitcoin wallet. In return to donation, they guarantee more upgraded and developed builder to help out attackers in every way possible.
Seems like hackers don’t need other ways to spread malware. They just have to reach Gazorp and create a binary and they’re all set to infect thousands of system, in a just few minutes. This is definitely a topic of concern for cyber security experts and daily Internet users. But, what can one do, instead of taking minimal precautions for their own safety. Feels like a new generation of hacking has been introduced and the world is no more safe.
Must Read : GhostDNS: The New Malware in Town
If you found this helpful, please let us know. You can also drop your feedback in the comment section below.