Malware-ransomware combo campaign hits North American inboxes

An updated version of a popular credential-stealing malware variant has been paired with ransomware to send thousands of emails in North America, according to new research.

Within a day of hackers releasing an update of the trojan malware known as AZORult to underground forums, a “prolific actor” had coupled it with the Hermes ransomware, according to research from email security company Proofpoint.

The hybrid malware campaign targeted email users with job-related subject lines that came with malicious attachments, Proofpoint said. The company attributed the campaign to a hacking group it dubbed TA516, which has used similar tricks to install banking trojans or a Monero cryptocurrency miner.

The Hermes 2.1 variant used in the attack first emerged in November 2017 and was used in an attack on a Taiwanese bank that has been linked with North Korea. However, there isn’t any evidence to suggest at this point that TA516 is linked to a nation-state.

“It’s a little unusual to see ransomware paired with other payloads,” Patrick Wheeler, director of threat intelligence at Proofpoint, told CyberScoop, likening that combination to “robbing a house and burning it down.”

But ransomware is a logical way of wringing extra money out of an already financially-driven operation. As Wheeler put it, hackers “are trying to follow the money and look for every means possible [to try] to monetize the infected clients.”

There is a tradeoff for attackers that use ransomware in that it tends to be “very noisy,” making itself known to the infected party, Wheeler said. “Once that machine has ransomware on it, everybody knows it’s infected.”

For this hacking group, the lure of making money appears to have trumped any desire to go undetected. And they are updating their malware to increase profits.

“As in legitimate software development, malware authors regularly update their software to introduce competitive new features, improve usability, and otherwise differentiate their products,” Proofpoint said in its blog post.