INSUBCONTINENT EXCLUSIVE:
Researchers at Kaspersky have discovered a new malicious campaign that uses a fake version of a popular VPN service's website to spread the Trojan stealer AZORult, tricking users into thinking they are downloading a Windows installer. AZORult is one of the most common stealers on Russian hacking forums because of its wide range of capabilities.

This Trojan poses a serious threat to infected computers, as it allows an attacker to collect a wealth of data, including browser history, login credentials, cookies, files and folders and cryptowallet files; it can even be used as a loader to download other malware. As more users have turned to VPNs to protect their privacy online, cybercriminals have begun to abuse the growing popularity of VPNs by impersonating them, as is the case in this AZORult campaign.

In the campaign discovered by Kaspersky researchers, the attackers created a copy of ProtonVPN's website that looks identical to the service's actual site, except that it has a different domain name. Links to the fake VPN website are spread through advertisements on different banner networks, a practice also referred to as malvertising. When a victim visits the phishing website, they are prompted to download a free VPN installer. However, once a victim downloads the fake VPN installer for Windows, it drops a copy of the AZORult botnet implant.

Once the implant is activated, it collects the infected device's environment information and reports it back to a server controlled by the attackers. The attackers then steal any cryptocurrency stored locally on the device from cryptowallets, as well as FTP logins, passwords from FileZilla, email credentials, information from browsers including cookies, and credentials from WinSCP, Pidgin messenger and other software.

After discovering the campaign, Kaspersky immediately informed ProtonVPN and blocked the fake website in its security software. Founder and CEO of ProtonVPN Andy Yen told TheIndianSubcontinent Pro how the company is working to limit the impact of the
"In this case it appears the fake app was designed to steal users' information, specifically data regarding cryptocurrencies. Kaspersky blocked the fake website and informed us of the issue as soon as they discovered the malware. We immediately requested a takedown of the domain to limit the impact of the campaign."