Malware-ransomware combo campaign hits North American inboxes

Popular credential-stealing malware AZORult has been paired with the Hermes ransomware to send thousands of emails to computer users in North America, according to new research.
Fake coins with the Monero logo. (Getty)

An updated version of a popular credential-stealing malware variant has been paired with ransomware to send thousands of emails in North America, according to new research.

Within a day of hackers releasing an update of the trojan malware known as AZORult on underground forums, a “prolific actor” had coupled it with the Hermes ransomware, according to research from email security company Proofpoint.

The hybrid malware campaign targeted email users with job-related subject lines that came with malicious attachments, Proofpoint said. The company attributed the campaign to a hacking group it dubbed TA516, which has used similar tricks to install banking trojans or a Monero cryptocurrency miner.

The Hermes 2.1 variant used in the attack first emerged in November 2017 and was used in an attack on a Taiwanese bank that has been linked to North Korea. However, there is no evidence at this point to suggest that TA516 is linked to a nation-state.

“It’s a little unusual to see ransomware paired with other payloads,” Patrick Wheeler, director of threat intelligence at Proofpoint, told CyberScoop, likening that combination to “robbing a house and burning it down.”

But ransomware is a logical way of wringing extra money out of an already financially driven operation. As Wheeler put it, hackers “are trying to follow the money and look for every means possible [to try] to monetize the infected clients.”

There is a tradeoff for attackers that use ransomware in that it tends to be “very noisy,” making itself known to the infected party, Wheeler said. “Once that machine has ransomware on it, everybody knows it’s infected.”

For this hacking group, the lure of making money appears to have trumped any desire to go undetected. And they are updating their malware to increase profits.

“As in legitimate software development, malware authors regularly update their software to introduce competitive new features, improve usability, and otherwise differentiate their products,” Proofpoint said in its blog post.

Written by Sean Lyngaas