
AZORult Malware - Fake ProtonVPN Installer Used to Attack Windows Users


ProtonVPN is a security-focused open-source virtual private network (VPN) service provider developed and operated by Proton Technologies AG, the Swiss company behind the end-to-end encrypted email service Proton Mail.

Security researchers at Kaspersky discovered that a fake ProtonVPN website has been used since November 2019 to deliver the AZORult information-stealing malware to potential victims in the form of fake ProtonVPN installers.

AZORult is an ever-evolving data-stealing Trojan that sells for roughly $100 on Russian underground forums. It is also known to act as a downloader for other malware families when used in multi-stage campaigns.

As Kaspersky’s researchers have discovered, protonvpn[.]store, a website used to deliver malicious fake ProtonVPN installers (also recognized as DrStache), was registered via a Russian registrar in November 2019.

Indicators of Compromise


Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen.

Hackers cloned the official ProtonVPN website using the HTTrack software.

Researchers previously spotted this Trojan as part of large-scale malicious campaigns to spread ransomware, data, and cryptocurrency malware.
