Sales of AZORult grind to an AZOR-halt

Author of Popular Credential Stealer Announces End of Sales

Key Points

  • In late December, the author of the AZORult stealer publicly stated that he would be ending sales of the malware.
  • AZORult has been advertised on Russian-language cybercrime forums since at least 2016 and has become fairly popular among cybercriminals.
  • Some of the most recent activity by AZORult’s author suggests that the threat actor may be attempting to distance themselves from the stealer and cover their tracks on the cybercriminal underground.
  • Blueliv analysts assess that it is quite likely that cybercriminals formerly drawn to AZORult may begin to favor other stealers in the months ahead.

Background

Security researchers and those fighting the good fight against malware received an early Christmas gift this past holiday season. On December 17, 2018, the author of the infamous AZORult stealer – who operates under the alias “CrydBrox” – posted a startling announcement on a top-tier cybercrime forum. Originally posted in Russian, CrydBrox stated:

All software has its lifetime; for AZORult, the time has come for things to end. With sadness and joy I announce that sales are closed forever.

The announcement sent shock waves through the cybercriminal underground, where news of AZORult’s sunset was shared and reported across a number of Russian-language forums.

AZORult History

CrydBrox has been advertising his AZORult malware on Russian-language cybercrime forums since at least 2016. The malware was priced at $100 USD, and CrydBrox regularly updated and upgraded the capabilities of the stealer. The latest and apparently last version of AZORult – version 3.3 – was released in October 2018. Feedback about AZORult left by individuals claiming to have purchased and used the malware was overwhelmingly positive. A banner ad for AZORult on a Russian-language cybercrime forum.

Figure 1: A banner ad for AZORult on a Russian-language cybercrime forum.

AZORult is designed to harvest and exfiltrate private information and credentials. It has been distributed via exploit kits such as RIG as well as Seamless malvertising campaigns. It looks for saved credentials from a wide range of desktop applications as well as browser data, while also searching for and stealing information such as cryptocurrency wallets, Skype message history, and other sensitive data; this information is then sent to its C2 server. An average control panel can store approximately 12,000 credentials, but larger panels can collect more than a quarter of a million credentials. Leaked copies of earlier AZORult versions contributed to the malware becoming prolific throughout the underground. According to Blueliv research conducted in July 2018, AZORult was among the most active stealer families being observed at the time.

Motivations for Cessation of Sales

While CrydBrox has tried to bow out of the stealer game with the toothless attitude that “all good things come to an end,” the reality is likely more complex. In late 2018 and continuing through the end of the year, CrydBrox made several moves that appear to be done in an attempt to hide aspects of his cybercriminal profile. These moves are highly unusual for a cybercriminal with an established reputation.

There are a variety of possible motives for CrydBrox taking these actions. It may be that the threat actor has had some pressure from law enforcement exerted upon him. Another possibility is that CrydBrox may be temporarily distancing himself from his online profiles while he sets up another business – perhaps even another AZORult-based stealer – under a new persona.

CrydBrox has also described himself on various occasions as “lazy,” and maintaining a sprawling malware empire is certainly a time-consuming task. This fact can be evidenced by the number of accomplished cybercriminals who regularly end up banned from elite cybercrime forums due to what comes down to bad business practices such as not responding quickly to client issues. When considered against the evidence that CrydBrox likely operates alone – due to his use of first-person singular pronouns in his posts – it is indeed plausible that the threat actor simply decided to throw in the towel.

Elsewhere, CrydBrox has indicated that he’s forsaken the typical flashy elements of a life of cybercrime – the houses and cars popularized in the rap songs of Russian-speaking cybercriminals – in place of saving his earnings for a rainy day. This prudence could possibly explain why CrydBrox would make the decision to quit while he’s ahead – if indeed that is what happened.

Current State

On the strength of CrydBrox’s announcement on the top-tier underground forum and the relative cessation of darkweb activity by CrydBrox, Blueliv analysts assess with a moderate degree of confidence that CrydBrox has indeed likely stopped public sales of the stealer. Within Blueliv’s malware dataset, there has been a drop in AZORult detections that corresponds with CrydBrox’s announcement that sales of the stealer have ended. Data from Blueliv’s malware dataset reveals a nearly 33% drop in Azorult detections from November 2018 through January 2019. This data is represented on a 100 point scale, with 100 representing peak detections.

Figure 2: Data from Blueliv’s malware dataset reveals a nearly 33% drop in AZORult detections from November 2018 to January 2019. This data is represented on a 100 point scale, with 100 representing peak detections.

It is too soon to say for sure whether the slump in detections is due purely to the end of sales of the stealer. It is likely that the discontinuation of sales – coupled with other factors such as the Eastern European holiday season, where many cybercriminals step back from their monitors – may have collectively contributed to the decline in detections. While detections are currently down and may continue to decline somewhat in the months ahead, CrydBrox has indicated that previous clients would continue to be supported. Various versions of the stealer have also been leaked and are being shared within the cybercriminal underground, making it possible that AZORult may catch a second wind and come back with a vengeance.

Looking Forward

As time goes on and AZORult does not receive its regular updates and upgrades, the stealer will likely lose popularity among more sophisticated cybercriminals, opening the door for a new class of stealers to receive attention. There are a variety of stealers and malware authors anxious to take the throne left vacant by CrydBrox. The demographic of buyers whose attention they’re trying to catch are those that are likely to be drawn to stealers advertised by threat actors on Russian-language forums. 

For this reason and others, Blueliv analysts assess that it is quite possible that cybercriminals may begin to favor newer stealers such as Vidar, KPOT, or Arkei. Other more veteran stealers with active support, such as LokiPWS and AgentTesla, may also capture some of AZORult’s market. Amongst this instability and uncertainty, only time will tell what lies ahead for CrydBrox, AZORult, and the variety of stealers hoping to take its place.

This blog post was authored by Blueliv Labs Team.


Demo Free Trial Community