STOP Ransomware installs AZORult trojan onto victims’ systems to steal credentials

• STOP has now started installing AZORult info-stealing trojan onto victims’ systems to steal account credentials, browser history, desktop files, cryptocurrency wallets, and more.
• The files downloaded by the STOP ransomware generated network traffic associated with the AZORult infection.

STOP Ransomware is known for encrypting victims’ files, in addition to this, STOP has now started installing AZORult info-stealing trojan onto victims’ systems to steal account credentials, browser history, desktop files, cryptocurrency wallets, and more.

The collected information is then sent to the server operated by the attackers.

Worth noting

Security researcher Michael Gillespie tested some recent variants of the STOP ransomware and observed that an Any.Run install indicated that one of the files downloaded by the STOP ransomware created network traffic associated with the AZORult infection.

Promorad variant

BleepingComputer team downloaded and installed a sample of Promorad variant of the STOP ransomware to check if AZORult would be installed.

• Upon installing the Promorad variant, it downloaded the files and encrypted the computer.
• The encrypted files were appended with the .promorad extension.
• The ransomware created a ransom note named _readme.txt.
• The Promorad variant also downloaded and executed a file named ‘5.exe’.
• This file, when executed, creates network traffic that is associated with the C&C server communications for the AZORult trojan.

“Furthermore, when this file was scanned using VirusTotal, numerous security vendors detect this file as a password-stealing Trojan,” BleepingComputer reported.

What you should do?

• Researchers request STOP ransomware infected victims to immediately change all the passwords associated with their online accounts.
• Researchers recommend resetting passwords that are saved in browsers.
• They also recommend victims to change passwords in software such as Skype, Steam, Telegram, and FTP Clients.
• Victims should also ensure any files stored on the Windows desktop for private information are secured.