Researchers at Kaspersky have discovered a new malicious campaign which uses a fake version of a popular VPN service’s website to spread the Trojan stealer AZORult by tricking users into thinking they are downloading a Windows installer.
AZORult is one of the most common stealers on Russian hacking forums because of its wide range of capabilities. This Trojan poses a serious threat to infected computers as it allows an attacker to collect a wealth of data including browser history, login credentials, cookies, files and folders, cryptowallet files and it can even be used as a loader to download other malware.
As more users have turned to VPNs to protect their privacy online, cybercriminals have begun to abuse the growing popularity of VPNs by impersonating them, as is the case in this AZORult campaign.
- Major rise in password-stealing malware detected
- China VPN crackdown ‘to control coronavirus message’
- Kaspersky’s new solution will protect your business from consumer drones
In the campaign discovered by Kaspersky researchers, the attackers created a copy of ProtonVPN’s website which looks identical to the service’s actual site except for the fact that it has a different domain name.
Links to the fake VPN website are spread through advertisements via different banner networks which is a practice that is also referred to as malvertising.
When a victim visits the phishing website, they are prompted to download a free VPN installer. However, once a victim downloads the fake VPN installer for Windows, it drops a copy of the AZORult botnet implant. Once the implant is activated, it collects the infected device’s environment information and reports it back to a server controlled by the attackers.
The attackers then steal any cryptocurrency stored locally on the device from cryptowallets as well as FTP logins, passwords from FileZilla, email credentials, information from browsers including cookies and credentials from WinSCPm, Pidgin messenger and others software.
After discovering the campaign, Kaspersky immediately informed ProtonVPN and blocked the fake website in its security software. TechRadar Pro has also contacted ProtonVPN for a statement on the matter.
- Also check out our complete list of the best VPN services