
AZORult Malware - Fake ProtonVPN Installer to Attack Windows


ProtonVPN is a security-focused open-source virtual private network (VPN) service provider developed and operated by Proton Technologies AG, the Swiss company behind the end-to-end encrypted email service Proton Mail.

A fake ProtonVPN website has been used since November 2019 to deliver the AZORult information-stealing malware to potential victims in the form of fake ProtonVPN installers, as discovered by security researchers at Kaspersky.

AZORult is an ever-evolving data-stealing Trojan that sells for roughly $100 on Russian underground forums. It is also known to act as a downloader for other malware families when used in multi-stage campaigns.


As Kaspersky’s researchers have discovered, protonvpn[.]store, a website used to deliver malicious fake ProtonVPN installers (also recognized as DrStache), was registered via a Russian registrar in November 2019.

Indicators of Compromise


Kaspersky products detect this threat as HEUR:Trojan-PSW.Win32.Azorult.gen. Hackers cloned the official ProtonVPN website using the HTTrack software.
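A site mirrored with HTTrack normally carries the comments the tool writes into each page, which gives defenders a cheap check for cloned brand sites. The following is an added example, not code from Kaspersky or from the original post: it assumes the operator left those comments in place, treats `protonvpn.com` as the official host (an assumption, not stated on this page), and uses constructed sample HTML and hypothetical function names.

```python
import re
from urllib.parse import urlsplit

# Comments HTTrack writes into mirrored pages (present unless the operator strips them).
MIRRORED_FROM = re.compile(
    r"<!--\s*Mirrored from\s+(\S+)\s+by HTTrack Website Copier[^>]*-->", re.I)
ADDED_BY = re.compile(r"<!--\s*Added by HTTrack\s*-->", re.I)


def host_of(value):
    """Hostname of a URL or scheme-less 'host/path'; accepts defanged '[.]'."""
    value = value.replace("[.]", ".")
    if "://" not in value:
        value = "//" + value
    return (urlsplit(value).hostname or "").lower()


def related(a, b):
    """True when the hosts are equal or one is a subdomain of the other."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def check_page(served_url, html):
    """Return (verdict, origin_host) for one fetched page."""
    served = host_of(served_url)
    m = MIRRORED_FROM.search(html)
    if m:
        origin = host_of(m.group(1))
        if origin and not related(served, origin):
            return ("clone", origin)        # copy served from a foreign host
        return ("self-mirror", origin)      # site republishing its own mirror
    if ADDED_BY.search(html):
        return ("httrack-artifact", None)   # mirrored, origin comment removed
    return ("clean", None)


# Constructed sample HTML, not captured from the real site.
SAMPLE = """<html><head>
<!-- Added by HTTrack --><meta http-equiv="content-type" content="text/html;charset=utf-8" /><!-- /Added by HTTrack -->
<title>Secure VPN</title></head><body>Download</body></html>
<!-- Mirrored from protonvpn.com/ by HTTrack Website Copier/3.x [XR&CO'2014], Mon, 04 Nov 2019 10:00:00 GMT -->"""

if __name__ == "__main__":
    print(check_page("https://protonvpn[.]store/", SAMPLE))
```

A `clone` verdict means the page names a different host as its source than the one serving it; a missing comment proves nothing, since the markers are trivial to strip.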
