
AZORult Malware - Fake ProtonVPN Installer Used to Attack Windows Users



ProtonVPN is a security-focused open-source virtual private network (VPN) service provider developed and operated by Proton Technologies AG, the Swiss company behind the end-to-end encrypted email service ProtonMail.

A fake ProtonVPN website has been used since November 2019 to deliver the AZORult information-stealing malware to potential victims in the form of fake ProtonVPN installers, as discovered by security researchers at Kaspersky.


AZORult is an ever-evolving data-stealing Trojan that sells for roughly $100 on Russian underground forums. It is also known to act as a downloader for other malware families when used in multi-stage campaigns.

As Kaspersky's researchers have discovered, protonvpn[.]store, the website used to deliver the malicious fake ProtonVPN installers (also recognized as DrStache), was registered via a Russian registrar in November 2019.

After a successful infection, the AZORult malware collects system information and sends it to the attacker via a command-and-control server hosted on the same infrastructure, at accounts[.]protonvpn[.]store.

Indicators of Compromise

Filename                       MD5 hash
ProtonVPN_win_v1.10.0.exe      cc2477cf4d596a88b349257cba3ef356
ProtonVPN_win_v1.11.0.exe      573ff02981a5c70ae6b2594b45aa7caa
ProtonVPN_win_v1.11.0.exe      c961a3e3bd646ed0732e867310333978
ProtonVPN_win_v1.11.0.exe      2a98e06c3310309c58fb149a8dc7392c
ProtonVPN_win_v1.11.0.exe      f21c21c2fceac5118ebf088653275b4f
ProtonVPN_win_v1.11.0.exe      0ae37532a7bbce03e7686eee49441c41
Unknown                        974b6559a6b45067b465050e5002214b

Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen. The attackers cloned the official ProtonVPN website using the HTTrack website-copier software, as shown in the screenshot below.
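The indicators above are only useful if they are actually checked against endpoints and logs. The following script is an added example written for this article, not code from Kaspersky or from the article's author: it hashes every file under a directory and reports any whose MD5 matches the installer hashes listed in the table, and it flags log lines that reference the protonvpn[.]store domains (including subdomains such as accounts.protonvpn.store). The sample log lines and the files created in the temporary directory are constructed for the demonstration; the IoC values themselves are copied from the table.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# MD5 hashes of the fake ProtonVPN installers, copied from the IoC table above.
AZORULT_MD5_IOCS = {
    "cc2477cf4d596a88b349257cba3ef356",
    "573ff02981a5c70ae6b2594b45aa7caa",
    "c961a3e3bd646ed0732e867310333978",
    "2a98e06c3310309c58fb149a8dc7392c",
    "f21c21c2fceac5118ebf088653275b4f",
    "0ae37532a7bbce03e7686eee49441c41",
    "974b6559a6b45067b465050e5002214b",
}

# Domains from the article, written defanged there as protonvpn[.]store;
# undefanged here so they can be compared against DNS or proxy log entries.
AZORULT_DOMAIN_IOCS = {"protonvpn.store", "accounts.protonvpn.store"}

# Constructed sample DNS log lines (not real telemetry). Line 2 queries the
# legitimate protonvpn.com and must not be flagged.
SAMPLE_DNS_LOG = [
    "2019-11-20T10:01:02Z client=10.0.0.5 query=accounts.protonvpn.store type=A",
    "2019-11-20T10:01:05Z client=10.0.0.5 query=protonvpn.com type=A",
    "2019-11-20T10:02:11Z client=10.0.0.9 query=update.protonvpn.store type=A",
]


def md5_of_file(path, chunk_size=1 << 20):
    """Stream a file through MD5 so large installers do not need to fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_directory(root, ioc_hashes=AZORULT_MD5_IOCS):
    """Walk root recursively; return (path, md5) for every file whose hash is an IoC.

    Matching is done on content, not on filename: a file named like the
    installer but with a different hash is not reported.
    """
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file (permissions, vanished); skip it
            if digest in ioc_hashes:
                hits.append((path, digest))
    return hits


def find_ioc_domains(log_lines, ioc_domains=AZORULT_DOMAIN_IOCS):
    """Return log lines containing an IoC domain or any subdomain of one."""
    token_re = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]*")
    flagged = []
    for line in log_lines:
        for token in token_re.findall(line):
            host = token.lower().rstrip(".")
            if any(host == d or host.endswith("." + d) for d in ioc_domains):
                flagged.append(line)
                break
    return flagged


def demo():
    """Run both checks on constructed data; returns (matched filenames, flagged log lines)."""
    with tempfile.TemporaryDirectory() as tmp:
        # Same name as the fake installer but different content: must NOT match.
        lookalike = Path(tmp) / "ProtonVPN_win_v1.11.0.exe"
        lookalike.write_bytes(b"constructed placeholder, not a real installer")
        # A constructed file whose hash we add to the IoC set to exercise the match path.
        planted = Path(tmp) / "sample.bin"
        planted.write_bytes(b"constructed test content")
        hits = scan_directory(tmp, AZORULT_MD5_IOCS | {md5_of_file(planted)})
        names = [os.path.basename(p) for p, _ in hits]
    return names, find_ioc_domains(SAMPLE_DNS_LOG)


if __name__ == "__main__":
    matched, suspicious = demo()
    print("hash matches:", matched)
    print("log lines referencing IoC domains:", suspicious)
```

Run it against a real download folder with `scan_directory("C:/Users/someone/Downloads")` and feed exported DNS or proxy logs to `find_ioc_domains`. Note that MD5 matching only catches the exact samples Kaspersky observed; a recompiled installer will have a new hash, so the domain check and the vendor detection name above are the more durable indicators.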

This Trojan was previously spotted by researchers as part of large-scale malicious campaigns spreading ransomware, data-stealing malware, and cryptocurrency malware.

