Windows 10 News and info | Forum
May 24, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
 
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
  Print  
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: STOP Ransomware Installing Password Stealing Trojans on Victims  (Read 49 times)
javajolt
Administrator
Hero Member
*****
Offline Offline

Gender: Male
United States United States

Posts: 30037


I Do Windows


WWW Email
« on: March 11, 2019, 12:27:24 PM »
ReplyReply

In addition to encrypting a victim's files, the STOP ransomware family has also started to install the Azorult password-stealing Trojan on victim's computer to steal account credentials, cryptocurrency wallets, desktop files, and more.

The Azorult Trojan is a computer infection that will attempt to steal usernames and passwords stored in browsers, files on a victim's desktop, cryptocurrency wallets, Steam credentials, browser history, Skype message history, and more. This information is then uploaded to a remote server that is under the control of the attacker.

When we first covered the DJVU variant of the STOP Ransomware being distributed by fake software cracks in January, we noted that when the malware was executed it would download various components that are used to perform different tasks on a victim's computer. These tasks include showing a fake Windows Update screen, disabling Windows Defender, and blocking access to security sites by adding entries to Windows's HOSTS file.



When ransomware researcher Michael Gillespie tested some recent variants he noticed that an Any.Run install indicated that one of the files downloaded by the ransomware created traffic that was from an Azorul infection. Gillespie further told BleepingComputer that four different samples all showed network traffic associated with Azorult.

BleepingComputer downloaded and installed a sample of the STOP Promorad Ransomware variant to see if Azorult would be installed.

When we executed the ransomware, it proceeded to download the files listed in the IOCs below and encrypt the computer. In this particular variant, when files are encrypted it will append the .promorad extension to encrypted files and create ransom notes named _readme.txt as shown below.


Encrypted Promorad Files

The Promorad Ransomware variant samples we tested also download a file named 5.exe and executed it. When executed, the program will create network traffic that is identical to known command & control server communications for the Azorult information-stealing Trojan.


Azorult Network Communication

Furthermore, when this file was scanned using VirusTotal, numerous security vendors detect this file as a password-stealing Trojan.

Being a victim of ransomware is bad enough, but to know that your passwords and documents may be stolen as well just adds another layer of issues that victims need to be concerned about.

Victims who have been infected with a STOP Ransomware variant should immediately change the passwords to any online accounts that are used, especially ones that are saved in the browser. Victims should also change passwords in software such as Skype, Steam, Telegram, and FTP Clients. Finally, victims should check any files stored on the Windows desktop for private information that may now be in the hands of the attackers.

STOP Ransomware has become a prolific extension with numerous variants and it is not currently known how long they have been installing Azorult. Therefore, to be safe all victims of STOP should perform the above remediation.

The known list of STOP extensions include:

Quote
.blower

.djvu

.infowait

.promok

.promorad2

.promos

.promoz

.puma

.rumba

.tro


source
Logged



Pages: [1]
  Print  
 
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page March 19, 2019, 02:08:05 AM