Beware: Fake ProtonVPN Installer leads AZORult Trojan installation

Earlier, AZORult Malware came to a device as a part of a large scale malicious campaigns used to spread ransomware, data and cryptocurrency stealing malware. This is a Trojan virus which is especially designed to collect sensitive information from files, passwords, cookies and browser history, banking credentials, cryptocurrency wallets and so on.

Kaspersky’ researchers detected a new distribution way used for AZORult Malware spread. What they noticed is that a site named protonvpn.store which is used to deliver malicious fake ProtonVPN installers. When this site is used by users for the VPN installation, it leads to an implantation of a copy of the AZORult botnet to their device.

“When the victim visits a counterfeit website and downloads a fake ProtonVPN installer for Windows, they receive a copy of the AZORult botnet implant,”

The attackers created an identical copy of the official ProtonVPN website by using open-source HTTrack web crawler and website downloader utility. After when the fake executable named ProtonVPN_win_v1.10.0.exe is launched successfully on the infected device, the malware becomes able to collect the system information and deliver it to command and control server located on the same server as a site name accounts.protonvpn.store.

Thereafter the Trojan proceeds to “to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others.”

This is not the first time when a fake VPN sites are used to push malware payload. Earlier a perfect clone of NordVPN service official website was used for delivering a banking Trojan, a fake VPN Pirate Chick VPN was used for AZORult password stealing Trojan, and a fake VPN was also used for Vidar and cryptBot password stealing Trojan.