AZORult Malware - Fake ProtonVPN Installer to Attack the Windows

 

ProtonVPN is a security-focused open-source virtual private network (VPN) service provider developed and operated by Proton Technologies AG, the Swiss company behind the end-to-end encrypted email service Proton Mail.

A fake ProtonVPN website was used since November 2019 to deliver the AZORult information-stealing malware to potential victims in the form of fake ProtonVPN installers as discovered by security researchers at Kaspersky.

AZORult is an ever-evolving data-stealing Trojan that sells roughly $100 on Russian underground forums. It is also known to act as a downloader for other malware families when used in multi-stage campaigns.

As Kaspersky’s researchers have discovered, protonvpn[.]store, a website used to deliver malicious fake ProtonVPN installers (also recognized as DrStache), was registered via a Russian registrar in November 2019.

Fake @ProtonVPN website spreading #azorult

http://protonvpn[.]store

C2 : http://account[.]protonvpn[.]store/panelka/adminka.phphttps://t.co/qw9dN2xyOs

— DrStache (@DrStache_) February 8, 2020

Indicators of Compromise

Filename	MD5 hash
ProtonVPN_win_v1.10.0.exe	cc2477cf4d596a88b349257cba3ef356
ProtonVPN_win_v1.11.0.exe	573ff02981a5c70ae6b2594b45aa7caa
ProtonVPN_win_v1.11.0.exe	c961a3e3bd646ed0732e867310333978
ProtonVPN_win_v1.11.0.exe	2a98e06c3310309c58fb149a8dc7392c
ProtonVPN_win_v1.11.0.exe	f21c21c2fceac5118ebf088653275b4f
ProtonVPN_win_v1.11.0.exe	0ae37532a7bbce03e7686eee49441c41
Unknown	974b6559a6b45067b465050e5002214b

Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen. Hackers cloned the official website of protonvpn using HTTrack Software, which is shown below.