An updated version of AZORult Stealer is being used to distribute Hermes ransomware.
The malware downloader received an update on July 17 and one day later was discovered by Proofpoint researchers leveraging AZORult and targeting North American users. In its most recent campaign, the malware was sent in emails with “employment-related themes,” along with a password-protected malicious attachment using the format, according to an August 20 IBM blog post.
The malicious code is also updated regularly making it especially dangerous as it installs ransomware in addition to stealing user information. The malware is also difficult to detect - even though the protected document itself isn't malicious, after the password is entered, it enables macros which then run the malicious script.
The malware is designed to steal browser histories, detect multiple cryptocurrency wallets and use system proxies to connect. It also includes support for unlimited loader links which will allow malicious actors to specify how the loader works.
Researchers recommended users conduct phishing simulations to boost security awareness among employees to defend against these attacks.