The infamous AZORult trojan is using a fake ProtonVPN installer to dupe victims into installing malicious software
AZORult is an information-stealing trojan that relies heavily on social engineering. Researchers at Kaspersky Lab reported a malvertising campaign that redirects traffic to a spoofed ProtonVPN website, which in turn delivers the malware.
VPNs, or Virtual Private Networks, have risen in popularity: according to the website TheBestVPN.com, roughly 17% of desktop, 15% of mobile and 7% of tablet users use a VPN on a monthly basis. As user numbers have grown, ProtonVPN, NordVPN and VPN Pro have all been impersonated in scams similar to the AZORult campaign.
The AZORult malvertising attack began in November 2019, when the attackers registered the “proton[.]store” domain through a Russian registrar. The malicious site closely resembles the genuine ProtonVPN website, and an unsuspecting visitor is lured into downloading what is presented as the ProtonVPN installer for Windows. Instead of the VPN client, the download is a copy of the malware, and running the fake installer infects the victim’s computer.
Researchers explain that, upon execution, the malware collects environmental information about the infected device and uploads it to a command and control server at accounts[.]protonvpn[.]store. The operators then steal further information, including email credentials, usernames and passwords, and cryptocurrency from locally stored wallets (Bitcoin, Ethereum and Electrum wallets, among others). The malware also harvests data from locally installed browsers, including cookies and browsing history.
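The two domains named above (proton[.]store for the lure site and accounts[.]protonvpn[.]store for command and control) are the only indicators the article gives. As an added example, not part of the original report or of any vendor tooling, the following Python script shows how a defender would sweep DNS or proxy logs for those indicators while avoiding false positives on the legitimate protonvpn.com. The log format and the log lines are constructed for the example, and the defanged-to-live conversion and suffix matching are the assumptions being demonstrated.

```python
import re

# Indicators exactly as the article lists them (defanged with "[.]");
# refanged here so they can be compared against live log data.
IOC_DOMAINS = [d.replace("[.]", ".") for d in
               ("proton[.]store", "accounts[.]protonvpn[.]store")]

# Constructed sample log lines (not real traffic). Format assumed for the
# example: "<timestamp> <client-ip> <protocol> <hostname-or-query>".
SAMPLE_LOG = """\
2020-02-18T10:01:02Z 10.0.0.12 DNS protonvpn.com
2020-02-18T10:03:44Z 10.0.0.12 DNS proton.store
2020-02-18T10:03:51Z 10.0.0.12 HTTP accounts.protonvpn.store
2020-02-18T10:04:07Z 10.0.0.15 DNS www.proton.store
2020-02-18T10:05:00Z 10.0.0.15 DNS protonvpn.store.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def normalize(host):
    """Lower-case, refang and strip the trailing dot of a DNS name."""
    return host.replace("[.]", ".").strip().rstrip(".").lower()


def matches_ioc(host, iocs=IOC_DOMAINS):
    """Return the matching indicator if host equals it or is a subdomain of it.

    The suffix check requires a leading dot, so "protonvpn.store.example.org"
    does not match "proton.store" and "protonvpn.com" is never flagged.
    """
    h = normalize(host)
    for ioc in iocs:
        if h == ioc or h.endswith("." + ioc):
            return ioc
    return None


def find_iocs(lines):
    """Scan log lines and return one hit record per indicator match."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the sweep
        ts, client, proto, host = m.groups()
        ioc = matches_ioc(host)
        if ioc:
            hits.append({"line": n, "time": ts, "client": client,
                         "proto": proto, "host": normalize(host), "ioc": ioc})
    return hits


if __name__ == "__main__":
    for hit in find_iocs(SAMPLE_LOG.splitlines()):
        print(f"line {hit['line']}: {hit['client']} -> {hit['host']} "
              f"(matches {hit['ioc']})")
```

Running the script flags lines 2, 3 and 4 and leaves the legitimate protonvpn.com query and the unrelated example.org name alone. Whether to extend the list to the parent domain protonvpn[.]store is a local decision; the article names only the accounts subdomain, so the script sticks to that.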
AZORult is Using COVID-19 to Spread its “Infection”
In addition to the recent malvertising campaign, AZORult has also been spread via phony coronavirus maps. Attackers have set up multiple coronavirus-information websites that prompt visitors to download an application purported to give updates on the pandemic. The site displays a genuine-looking map of COVID-19 heat zones, but the download is a malicious binary that installs the malware on the victim’s device.
According to Shai Alfasi, a security researcher at Reason Labs, “As the coronavirus continues to spread and more apps and technologies are developed to monitor it, we will likely be seeing an increase in corona malware and corona malware variants well into the foreseeable future.”
AZORult: A Menace Born in 2016
AZORult has been active since 2016 and is one of the best-selling malware strains on Russian-language forums. Buyers favour it for its broad feature set and its track record. Not only does the malware harvest sensitive information, it can also act as a dropper for other malware. It also offers its operators a degree of anonymity through its use of .bit domains, which are resolved through the Namecoin blockchain rather than the public DNS. For buyers, this more than justifies its price tag of $100 U.S. dollars.
Although the malware continued to sell well, CrydBrox – the main distributor of AZORult – stopped selling it at the end of 2018. CrydBrox explained that “All software has a shelf life. It’s run out for AZORult. It is with joy and sadness that I announce that sales are closed forever.”
And now, almost two years later, a new version of the malware has returned with new tricks and rewritten, improved code.