vurpond.blogg.se

Filezilla malware 2019












A fake ProtonVPN website distributes AZORult malware to many people.

A fake ProtonVPN website has been distributing the AZORult malware to potential victims since November 2019 in the form of fake ProtonVPN installers, as discovered by Kaspersky security researchers. The installers were being used to steal users' information.

ProtonVPN is a Virtual Private Network (VPN) service provider built and controlled by Proton Technologies AG, the Swiss business behind the end-to-end encrypted email service ProtonMail.

AZORult is an ever-evolving, data-stealing Trojan sold on Russian underground markets for approximately $100. It is also known to act as a downloader for other malware families when used in multi-stage campaigns. Researchers previously spotted this trojan as part of large-scale malicious campaigns that spread ransomware, data, and cryptocurrency stealing malware.

AZORult is designed to collect and provide its operators with as much confidential information as possible, from files, passwords, cookies and browser history to cryptocurrency wallets and banking credentials, once it infects a targeted computer.

AZORult malware sample analysis (Kaspersky)

After the fake ProtonVPN installer called ProtonVPN_win_v1.10.0.exe is launched and successfully infects the computer of a target, the malware starts collecting system information, which is sent to the command-and-control (C2) server at accounts[.]protonvpn[.]store, hosted on the same server as the fake site.

The AZORult Trojan then proceeds “to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Ethereum, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others.” This information is then packed and exfiltrated to the threat actors running this malvertising campaign that exploits the ProtonVPN service.

More details and indicators of compromise (IOCs), including file names and hashes of the fake ProtonVPN installers used in this campaign, are available within Kaspersky’s report.













