AZORult Malware: Fake ProtonVPN Installer Used to Attack Windows Users
ProtonVPN is a security-focused open-source virtual private network (VPN) service provider developed and operated by Proton Technologies AG, the Swiss company behind the end-to-end encrypted email service Proton Mail.
A fake ProtonVPN website has been used since November 2019 to deliver the AZORult information-stealing malware to potential victims in the form of fake ProtonVPN installers, as discovered by security researchers at Kaspersky.
AZORult is an ever-evolving data-stealing Trojan that sells for roughly $100 on Russian underground forums. It is also known to act as a downloader for other malware families when used in multi-stage campaigns.
As Kaspersky’s researchers have discovered, protonvpn[.]store, a website used to deliver malicious fake ProtonVPN installers (also recognized as DrStache), was registered via a Russian registrar in November 2019.
Tweet by DrStache (@DrStache_), February 8, 2020:
http://protonvpn[.]store
C2: http://account[.]protonvpn[.]store/panelka/adminka.php
https://t.co/qw9dN2xyOs
Indicators of Compromise
Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen. The attackers cloned the official ProtonVPN website using the HTTrack website-copier software, as shown below.
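As an added example (not part of the original article or of Kaspersky's or DrStache's tooling), the following Python script shows how a defender could turn the two defanged indicators quoted above into a hostname check and run it over web-proxy logs. The log format, the `10.0.0.x` client addresses and the request paths in `SAMPLE_PROXY_LOG` are constructed for the demonstration; only the two `protonvpn[.]store` indicators come from the page.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted on the page, kept in their defanged form.
DEFANGED_IOCS = [
    "http://protonvpn[.]store",
    "http://account[.]protonvpn[.]store/panelka/adminka.php",
]

# Constructed sample proxy log (timestamp, client IP, method, URL, status).
# Not real traffic; the .com lines are benign decoys that must not match.
SAMPLE_PROXY_LOG = """\
2020-02-08T10:01:12Z 10.0.0.15 GET http://protonvpn.store/ 200
2020-02-08T10:01:40Z 10.0.0.15 GET http://protonvpn.store/download/installer.exe 200
2020-02-08T10:02:05Z 10.0.0.15 POST http://account.protonvpn.store/panelka/adminka.php 200
2020-02-08T10:03:00Z 10.0.0.22 GET https://protonvpn.com/download 200
2020-02-08T10:03:10Z 10.0.0.22 GET https://account.protonvpn.com/login 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$"
)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable URL."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def ioc_hosts(indicators=DEFANGED_IOCS) -> set:
    """Hostnames extracted from the refanged URL indicators."""
    return {urlsplit(refang(i)).hostname.lower() for i in indicators}


def host_matches(host: str, bad_hosts) -> bool:
    """True if host equals a known-bad host or is a subdomain of one.

    Matching on the registered domain catches the C2 subdomain and any
    other subdomain the operators might stand up later, while leaving
    the legitimate protonvpn.com untouched.
    """
    host = host.lower().rstrip(".")
    return any(host == b or host.endswith("." + b) for b in bad_hosts)


def scan_proxy_log(text: str, indicators=DEFANGED_IOCS) -> list:
    """Return one hit record per log line whose URL host matches an IoC."""
    bad_hosts = ioc_hosts(indicators)
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole scan
        host = urlsplit(m["url"]).hostname or ""
        if host_matches(host, bad_hosts):
            hits.append(
                {"ts": m["ts"], "client": m["client"], "host": host, "url": m["url"]}
            )
    return hits


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} client={hit['client']} host={hit['host']} url={hit['url']}")
```

Matching on the hostname rather than the full URL is deliberate: the panel path in the tweet is one observed C2 endpoint, but any request to the registered domain or its subdomains from a corporate client is worth triaging, and a host-level match is what you would feed into a DNS or proxy block list.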