A variant of the AZORult trojan was recently found by Minerva Labs using a self-signed certificate (one that did not belong to Google) to pose as a legitimate update service signed by Google. When you install a program or run an executable on Windows, the system usually tells you somewhere, in the UAC prompt or on the Digital Signatures tab of the file's properties, that the file is signed and which company signed it. The AZORult executable did carry a signature, so at a glance it looked like a signed Google program, but the signer was NOT Google: the certificate was self-signed, which means it chains to no trusted root, and the name inside it is whatever the attacker chose to put there.

AZORult's purpose is to steal as much information from an infected computer as it can. Among the things it looks for: saved passwords (in browsers or elsewhere), browser cookies, Skype chat history and files exchanged through Skype, files on the desktop, files with specific extensions, a list of installed programs, a list of currently running processes, and the username, computer name and operating system type.

To end up with AZORult, a victim first has to be hit by the earlier stages of the chain, which act as a delivery service. AZORult is delivered by other malware such as Seamless, which uses iframe exploits to deliver its payload. Once Seamless is on the computer, it drops another payload, Ramnit; Ramnit in turn collects some information from the machine and then finally drops AZORult. AZORult itself is not extremely dangerous and can be removed with tools provided by Symantec. Its job is to collect information and open a gateway for further payloads, and that is what makes it potentially dangerous: it can act as a delivery service for other payloads.
Minerva learned of the fake certificate through a report from one of their customers. The customer went to run GoogleUpdate.exe on their computer, and Minerva's Anti-Evasion Platform blocked the executable. The program did have a signed certificate, but a signature by itself says nothing about whether a program is safe: it only proves that whoever held the private key signed that file, and with a self-signed certificate that proves nothing about who that was.
What makes this variant of AZORult stand out from others commonly found on people's computers is that it not only tricks people into thinking it is a legitimately signed Google program, it also replaces the real GoogleUpdate.exe (located in: C:\Program Files\Google\Update\GoogleUpdate.exe.) with the malicious version. Writing into that directory already requires administrative rights, so what the swap buys the malware is persistence and cover rather than privilege: every time the system launches Google Update, it launches the malware instead, under a file name and path that users and many defenders expect to see, so it has a much smaller chance of being noticed. To protect yourself from trojans like this, always be wary of what you download and where you download it from, and be extra cautious with links. If you receive a suspicious link, do some research about it before clicking. Something as simple as opening a page can be enough for an iframe exploit to run against your browser.
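The lesson from Minerva's report is that the check has to be on the certificate chain, not on the name in the certificate. The PowerShell below is an added example and not code from Minerva or from the malware: it asks Windows to validate the Authenticode signature on the updater at the path quoted above and only then looks at the publisher. The `O=Google` match string is an illustrative assumption about the genuine publisher's certificate, not a value taken from the report.

```powershell
# Added example: validate the signature chain on GoogleUpdate.exe before
# trusting the publisher name it displays. Not Minerva's or Google's code.
param(
    # Default is the path named in the post above.
    [string]$Path = 'C:\Program Files\Google\Update\GoogleUpdate.exe'
)

$sig = Get-AuthenticodeSignature -FilePath $Path

# Status is Windows' own verdict from building the chain. 'Valid' means the
# file hash matches the signature AND the chain ends at a root in the machine's
# trusted store. A self-signed certificate typically comes back as
# 'UnknownError' with a StatusMessage saying the chain terminated in a root
# that is not trusted; 'NotSigned' means no signature at all.
Write-Host "Status     : $($sig.Status)"
Write-Host "Message    : $($sig.StatusMessage)"
if ($sig.SignerCertificate) {
    Write-Host "Subject    : $($sig.SignerCertificate.Subject)"
    Write-Host "Issuer     : $($sig.SignerCertificate.Issuer)"
    Write-Host "Thumbprint : $($sig.SignerCertificate.Thumbprint)"
}

$verdict = 'OK'
if ($sig.Status -ne 'Valid') {
    $verdict = 'FAIL: signature does not validate to a trusted root'
}
elseif ($sig.SignerCertificate.Subject -eq $sig.SignerCertificate.Issuer) {
    # Subject equal to Issuer is the mark of a self-signed certificate. With
    # Status 'Valid' this only happens if someone added the signer's own cert
    # to the trusted root store, which is worth flagging in its own right.
    $verdict = 'FAIL: certificate is self-signed'
}
elseif ($sig.SignerCertificate.Subject -notmatch 'O=Google') {
    # Assumption for illustration: the genuine updater's leaf certificate
    # carries Google's organisation name. This test is only meaningful after
    # the chain check, because the subject of a self-signed certificate is
    # free text chosen by whoever made it.
    $verdict = 'FAIL: valid signature, but not the expected publisher'
}
Write-Host "Verdict    : $verdict"
```

Run it as `.\Check-GoogleUpdate.ps1` or with `-Path` pointing at any other executable you want to vet. The order of the checks is the point: the publisher name is only consulted once Windows has confirmed the chain reaches a trusted root, which is exactly the step a self-signed certificate cannot pass. For a production check, pin the expected signer thumbprint rather than matching on the organisation string, since the string is the part an attacker controls.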
For those interested in iframe exploits, a new blog post will go up tomorrow explaining exactly what they are, how they work, and how damaging they can be. To read more about the technical workings of AZORult click here.