AZORult Malware: Fake ProtonVPN Installer Used to Attack Windows Users
ProtonVPN is a security-focused open-source virtual private network (VPN) service provider developed and operated by Proton Technologies AG, the Swiss company behind the end-to-end encrypted email service ProtonMail.
A fake ProtonVPN website has been used since November 2019 to deliver the AZORult information-stealing malware to potential victims in the form of fake ProtonVPN installers, as discovered by security researchers at Kaspersky.
AZORult is an ever-evolving data-stealing Trojan that sells for roughly $100 on Russian underground forums; it is also known to act as a downloader for other malware families when used in multi-stage campaigns.
As Kaspersky's researchers discovered, protonvpn[.]store, the website used to deliver the malicious fake ProtonVPN installers, was registered through a Russian registrar in November 2019. The researcher posting as DrStache also reported the site's command-and-control address, as the tweet below shows.
C2 : http://account[.]protonvpn[.]store/panelka/adminka.php https://t.co/qw9dN2xyOs
— DrStache (@DrStache_) February 8, 2020
After a successful infection, the AZORult malware collects system information and sends it to the attacker via a command-and-control server hosted on the same accounts[.]protonvpn[.]store server.
Indicators of Compromise
Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen. The attackers cloned the official ProtonVPN website using the HTTrack website-copier software, as shown below.
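The defanged domains and C2 URL quoted above are the only network indicators the article gives. As an added example (not code from the article, Kaspersky, or DrStache), the following script refangs those indicators and sweeps a web-proxy log for traffic to the fake site or its C2 endpoint, which is how a defender would turn this report into a quick retro-hunt. The log format, client addresses, timestamps and the installer file name are constructed for the example; the `kind` field separates a hit on the exact C2 URL from any other contact with the lookalike domain.

```python
import re
from urllib.parse import urlsplit

# Defanged network indicators exactly as quoted in the article.
DEFANGED_IOCS = [
    "protonvpn[.]store",
    "account[.]protonvpn[.]store",
    "accounts[.]protonvpn[.]store",
]
DEFANGED_C2_URL = "http://account[.]protonvpn[.]store/panelka/adminka.php"

# Kaspersky's detection name for the payload, as given in the article.
DETECTION_NAME = "HEUR:Trojan-PSW.Win32.Azorult.gen"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ([.] and hxxp) back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower().rstrip(".")


IOC_DOMAINS = {refang(i) for i in DEFANGED_IOCS}
C2_URL = refang(DEFANGED_C2_URL)


def host_matches(host: str) -> bool:
    """True if host is one of the IoC domains or a subdomain of one.

    The leading dot in the suffix check prevents a lookalike such as
    notprotonvpn.store from matching protonvpn.store.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


# Constructed proxy-log format (hypothetical, not a real product's format):
# <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def scan_proxy_log(lines):
    """Return one hit record per log line whose host is an IoC domain."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected format
        url = m.group("url")
        # urlsplit needs a scheme (or leading //) to populate .hostname
        host = urlsplit(url if "://" in url else "//" + url).hostname
        if not host or not host_matches(host):
            continue
        hits.append({
            "ts": m.group("ts"),
            "client": m.group("client"),
            "host": host,
            "url": url,
            "kind": "c2" if url.lower() == C2_URL else "ioc-domain",
        })
    return hits


# Constructed sample log: one benign download, one fake-installer fetch,
# one C2 check-in, and one lookalike domain that must NOT match.
SAMPLE_LOG = """\
2020-02-10T09:12:01Z 10.0.0.15 GET https://protonvpn.com/download 200
2020-02-10T09:13:44Z 10.0.0.15 GET http://protonvpn.store/download/installer.exe 200
2020-02-10T09:15:02Z 10.0.0.15 POST http://account.protonvpn.store/panelka/adminka.php 200
2020-02-10T09:16:30Z 10.0.0.22 GET https://notprotonvpn.store/ 200
"""


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['client']} {hit['kind']:10} {hit['url']}  ({DETECTION_NAME})")
```

Run as-is, the script reports two hits for client 10.0.0.15: the installer download from the lookalike domain and the POST to the C2 script. In practice the same `host_matches` check can be pointed at DNS resolver logs, where the C2 path is invisible but the domain contact still surfaces.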
This Trojan had previously been spotted by researchers as part of large-scale malicious campaigns spreading ransomware, data-stealing malware, and cryptocurrency malware.