AzurOr

ProtonVPN website distributes AZORult Malware since November 2019 to potential victims in the form of fake ProtonVPN installers, as discovered by Kaspersky security researchers. This was being used to steal users information.

ProtonVPN is a Virtual Private Network (VPN) service provider built and controlled by Proton Technologies AG, the Swiss business behind the encrypted end-to-end email service ProtonMail.

AZORult is an ever-evolving, data-stealing Trojan selling on Russian underground markets for approximately $100, also known as a downloader for other malware families when used in multi-stage campaigns.

Researchers previously spotted this trojan as part of large-scale malicious campaigns that spread ransomware, data, and cryptocurrency stealing malware.

AZORult is designed to collect and provide its operators with as much confidential information as possible, from files, passwords, cookies and browser history to cryptocurrency wallets and banking credentials once it infects a targeted computer.

Fake ProtonVPN website

Fake ProtonVPN website (Kaspersky)

Delivery through fake ProtonVPN site

As discovered by Kaspersky’s researchers, protonvpn[.]store, the website used to deliver the malicious fake ProtonVPN installers (also spotted by DrStache), was registered in November 2019 through a Russian registrar.

That is when this campaign also began to deliver AZORult malware payloads using malvertising network association banner as one of the initial vectors of the infection.

“When the victim visits a counterfeit website and downloads a fake ProtonVPN installer for Windows, they receive a copy of the AZORult botnet implant,” Kaspersky threat researcher Dmitry Bestuzhev explains.

Operators of the campaign have made an identical copy of the official ProtonVPN website with the help of the HTTrack open-source web crawler and downloader utility.

Azorult malware analysis

AZORult malware sample analysis (Kaspersky)

After the fake ProtonVPN installer called ProtonVPN win v1.10.0[.]exe is launched and successfully infects the computer of a target, the malware starts collecting system information from the accounts[.]protonvpn[.]store, which is sent to the command-and-control (C2) server on the same server as the fake site.

The AZORult Trojan then proceeds to “to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others.”

Then this information will be packed and exfiltrated to the threat actors running this campaign of malvertising that exploits the ProtonVPN service. ProtonVPN website distributes AZORult Malware to many people.

More details and indicators of compromise (IOCs) including file names and hashes of fake ProtonVPN installers used in this campaign are available within Kaspersky’s report.

Previous fake site encounters

This is not the first time attackers have used fake VPN sites to push malware payloads on unsuspecting victims, with an almost perfect clone of the NordVPN VPN service official website being used as a delivery platform for a banking Trojan.

A fake VPN named ‘Pirate Chick VPN’ was used to infect victims with the AZORult password-stealing Trojan last year after the initial installation.

Check out our 2ND Generation Antivirus Service to see how we can help you stay protected!