The .xlsm attachment downloads a .doc file, which in turn downloads an executable that starts the malware infection. The VelvetSweatshop password is used to evade antivirus detection.
KELA: The introduction of the AES-256 algorithm in version 80 of Chrome inhibits AZORult’s ability to extract passwords from the browser. The contraction of the data listed on Genesis also confirms this.
Upgrade Chrome to version 80 now and you will stop AZORult from stealing passwords, according to KELA cyber security researchers. The introduction of the AES-256 algorithm to encrypt the passwords stored locally in the browser database changed their stored format, which inhibited the malware’s ability to extract them. The news was confirmed by the contraction of the data listed on Genesis, one of the main online stores active on the Dark Web, which specializes in the sale of credentials: not only usernames and passwords, but also a whole series of information about the user’s activity (a “fingerprint”), including technical details such as past IP addresses, browser cookies and user-agent strings. The peculiarity of the cybercrime shop was that Genesis customers received a Chrome extension used to apply the purchased fingerprint and, in effect, impersonate the user.
The cyber security experts of Italian CERT-PA: the cybercrime shop specializes in the sale of credentials stolen from browsers. Not only usernames and passwords, but entire fingerprints, mainly obtained through AZORult. Note, however, that it is not the only malware with these capabilities.
Italian CERT-PA cyber security experts recall that Genesis was very popular among cybercriminals for its ability to bypass two-factor authentication (2FA). Moreover, most of the information for sale in the Dark Web shop came precisely from AZORult infections. Research conducted by KELA states that 90% of all stolen fingerprints listed had the format 8-8-8-8-8 (five successive blocks of eight alphanumeric characters), suggesting that they came from a single strain of malware. Chrome’s update blocks this risk, but other malicious code can steal data from the browser. Not surprisingly, researchers believe Genesis will not close: when cybercriminals start using other tools, they will rekindle their commercial partnerships with the store and supply it with new data.
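The attribution argument above rests on grouping listed identifiers by the shape of their hyphen-separated blocks. As an added illustration of that kind of format analysis (example code written here, not code from KELA, CERT-PA or Genesis), the following Python derives a block-length signature for each identifier, checks it against the 8-8-8-8-8 pattern, and computes the share of a sample that matches. The sample identifiers are constructed for the example and are not real Genesis data.

```python
import re
from collections import Counter

# The 8-8-8-8-8 format reported by KELA: five blocks of eight ASCII
# alphanumeric characters separated by hyphens.
FORMAT_8X5 = re.compile(r"^[A-Za-z0-9]{8}(?:-[A-Za-z0-9]{8}){4}$")


def matches_8x5(identifier: str) -> bool:
    """True if the identifier is exactly in the 8-8-8-8-8 format."""
    return FORMAT_8X5.match(identifier) is not None


def block_signature(identifier: str) -> str:
    """Return the block-length signature of a hyphen-separated identifier,
    e.g. 'Ab12Cd34-Ef56Gh78-...' -> '8-8-8-8-8'.

    Identifiers whose blocks are not purely ASCII alphanumeric (or that are
    empty) are grouped under 'other' so they do not pollute the clusters.
    """
    blocks = identifier.split("-")
    if not all(b.isascii() and b.isalnum() for b in blocks):
        return "other"
    return "-".join(str(len(b)) for b in blocks)


def format_share(identifiers):
    """Cluster identifiers by signature and return (counts, share of 8-8-8-8-8).

    The share is the fraction of identifiers matching the strict 8-8-8-8-8
    pattern; an empty input yields a share of 0.0.
    """
    counts = Counter(block_signature(i) for i in identifiers)
    total = len(identifiers)
    matching = sum(1 for i in identifiers if matches_8x5(i))
    share = matching / total if total else 0.0
    return counts, share


# Constructed sample of listing identifiers (not real data): nine in the
# 8-8-8-8-8 format and one in a different shape.
SAMPLE_IDS = [
    "Q3xT8mL2-7kPzR1vW-aB9cD4eF-Hn6Jq0Zs-Yu5Xw2Gt",
    "M8nB2vC5-Xz1Lk9Qw-Er7Ty3Ui-Op4As6Df-Gh0Jk1Lz",
    "A1b2C3d4-E5f6G7h8-I9j0K1l2-M3n4O5p6-Q7r8S9t0",
    "ZxCvBnM1-AsDfGhJ2-QwErTyU3-PoIuYtR4-LkJhGfD5",
    "11112222-33334444-55556666-77778888-9999AAAA",
    "abcdefgh-ijklmnop-qrstuvwx-yzABCDEF-GHIJKLMN",
    "N0m9L8k7-J6h5G4f3-D2s1A0pO-iUyTrEwQ-ZxCvBnMl",
    "Ff00Ee11-Dd22Cc33-Bb44Aa55-Zz66Yy77-Xx88Ww99",
    "Kq7Lm2Np-Rt5Vw8Xy-Bc1Df4Gh-Jk6Ln9Pq-Sv3Wx0Yz",
    "a1b2c3d4e5f6",
]


if __name__ == "__main__":
    counts, share = format_share(SAMPLE_IDS)
    for signature, n in counts.most_common():
        print(f"{signature:>12}: {n}")
    print(f"share of 8-8-8-8-8 identifiers: {share:.0%}")
```

Run on a real export, the `counts` table shows how many distinct identifier shapes are present, and a single signature dominating the way 8-8-8-8-8 does in the sample is the signal the researchers used to infer a common source.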