Windows 10 News and info | Forum

Title: STOP Ransomware Installing Password Stealing Trojans on Victims
Post by: javajolt on March 11, 2019, 12:27:24 PM
(http://i.postimg.cc/65sxGT0L/spyware.jpg)
In addition to encrypting a victim's files, the STOP ransomware family has also started to install the Azorult password-stealing Trojan on victims' computers to steal account credentials, cryptocurrency wallets, desktop files, and more.

The Azorult Trojan is a computer infection that will attempt to steal usernames and passwords stored in browsers, files on a victim's desktop, cryptocurrency wallets, Steam credentials, browser history, Skype message history, and more. This information is then uploaded to a remote server that is under the control of the attacker.

When we first covered the DJVU variant of the STOP Ransomware being distributed by fake software cracks in January, we noted that when the malware was executed it would download various components that are used to perform different tasks on a victim's computer. These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to the Windows HOSTS file.

(http://i.postimg.cc/j52jDBZw/fake-update.jpg)

When ransomware researcher Michael Gillespie tested some recent variants, he noticed that an Any.Run analysis indicated that one of the files downloaded by the ransomware created traffic that was from an Azorult infection. Gillespie further told BleepingComputer that four different samples all showed network traffic associated with Azorult.

BleepingComputer downloaded and installed a sample of the STOP Promorad Ransomware variant to see if Azorult would be installed.

When we executed the ransomware, it proceeded to download the files listed in the IOCs below and encrypt the computer. In this particular variant, when files are encrypted it will append the .promorad extension to encrypted files and create ransom notes named _readme.txt as shown below.

(http://i.postimg.cc/4y4j4T5q/encrypted-files.jpg)
Encrypted Promorad Files

The Promorad Ransomware variant samples we tested also downloaded a file named 5.exe and executed it. When executed, the program creates network traffic that is identical to known command & control server communications for the Azorult information-stealing Trojan.

(http://i.postimg.cc/K8hrt5Xv/azorult-communication.jpg)
Azorult Network Communication

Furthermore, when this file was scanned using VirusTotal, numerous security vendors detected it as a password-stealing Trojan.

Being a victim of ransomware is bad enough, but to know that your passwords and documents may be stolen as well just adds another layer of issues that victims need to be concerned about.

Victims who have been infected with a STOP Ransomware variant should immediately change the passwords to any online accounts that are used, especially ones that are saved in the browser. Victims should also change passwords in software such as Skype, Steam, Telegram, and FTP Clients. Finally, victims should check any files stored on the Windows desktop for private information that may now be in the hands of the attackers.

STOP Ransomware has become a prolific extension with numerous variants and it is not currently known how long they have been installing Azorult. Therefore, to be safe all victims of STOP should perform the above remediation.

The known list of STOP extensions includes:

.blower
.djvu
.infowait
.promok
.promorad2
.promos
.promoz
.puma
.rumba
.tro

source (http://www.bleepingcomputer.com/news/security/stop-ransomware-installing-password-stealing-trojans-on-victims/)
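The article names three on-disk artefacts a responder can look for on a suspected STOP victim: files carrying one of the known STOP extensions (including .promorad from the tested sample), _readme.txt ransom notes, and HOSTS entries that sink security sites to localhost. The following triage helper is an added example written for this page, not code from BleepingComputer or the original post. The extension list is the one quoted above; the security-vendor domain list, the sample directory layout and the sample HOSTS file are constructed for illustration, since the article does not list which sites the dropper blocked.

```python
"""Triage helper for the STOP/DJVU indicators described in the article.

Added example, not code from BleepingComputer or the forum post. It walks
a directory tree for files with a known STOP extension and for _readme.txt
ransom notes, and checks a HOSTS file for entries that redirect security
sites to a local sink address.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions quoted in the article, plus .promorad from the tested sample.
STOP_EXTENSIONS = {
    ".blower", ".djvu", ".infowait", ".promok", ".promorad", ".promorad2",
    ".promos", ".promoz", ".puma", ".rumba", ".tro",
}
RANSOM_NOTE = "_readme.txt"

# Constructed watch list (assumption: the article says security sites were
# blocked via HOSTS but does not name them).
WATCHED_DOMAINS = ("bleepingcomputer.com", "virustotal.com", "malwarebytes.com")
LOCAL_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}


def scan_tree(root):
    """Return (Counter of STOP extensions seen, list of ransom-note paths)."""
    ext_hits = Counter()
    notes = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower() == RANSOM_NOTE:
                notes.append(path)
                continue
            ext = os.path.splitext(name)[1].lower()
            if ext in STOP_EXTENSIONS:
                ext_hits[ext] += 1
    return ext_hits, notes


def _matches_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    h = hostname.lower()
    return any(h == d or h.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_hosts_entries(hosts_text):
    """Return HOSTS lines that point a watched security domain at a local sink."""
    hits = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        if addr in LOCAL_SINKS and any(_matches_watched(n) for n in names):
            hits.append(line)
    return hits


def triage(root):
    """Run both checks over a tree whose HOSTS copy sits at root/hosts."""
    ext_hits, notes = scan_tree(root)
    hosts_hits = suspicious_hosts_entries(Path(root, "hosts").read_text())
    return {"extensions": dict(ext_hits), "notes": len(notes), "hosts": hosts_hits}


def build_sample(root):
    """Constructed victim layout: two encrypted files, one note, one HOSTS copy."""
    root = Path(root)
    (root / "Documents").mkdir(parents=True)
    (root / "Documents" / "budget.xlsx.promorad").write_bytes(b"\x00" * 16)
    (root / "Documents" / "photo.jpg.promorad").write_bytes(b"\x00" * 16)
    (root / "Documents" / RANSOM_NOTE).write_text("ATTENTION!\n")
    (root / "clean.txt").write_text("nothing to see\n")
    (root / "hosts").write_text(
        "# constructed HOSTS file for the example\n"
        "127.0.0.1 localhost\n"
        "0.0.0.0 www.bleepingcomputer.com\n"
        "0.0.0.0 virustotal.com  # added by dropper\n"
        "93.184.216.34 example.com\n"
    )


def demo():
    """Build the constructed sample in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return triage(tmp)


if __name__ == "__main__":
    print(demo())
```

On a real host, point `triage` at a mounted image or user profile and copy `C:\Windows\System32\drivers\etc\hosts` in as `hosts`; the HOSTS check strips comments before matching so entries the dropper appended with trailing comments are still caught. Because the article notes the ransomware also disables Windows Defender, a clean hit on any of these three indicators should trigger the credential rotation the article recommends, not just file recovery.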