Tuesday, October 8, 2024
HomeMalwareHackers Spreading AZORult Malware As a Fake ProtonVPN Installer To Attack the...

Hackers Spreading AZORult Malware As a Fake ProtonVPN Installer To Attack the Windows Computers

Published on

Researchers discovered a new wave of Azorult malware campaign that abusing the protonVPN and dropper the malware payload as a fake ProtonVPN installer to infect the Windows System.

GBHackers reported several incidents involved by the Azorult malware campaign and is one of the well-known malware that often sold in Russian forums for the higher price ($100) since this malware contains a broad range of persistent functionality.

In this current attack scenario, Threat actors created a fake ProtonVPN website which is an exact HTTrack copy of the original ProtonVPN website through which they spreading the malware as an installer package to compromised the Windows users.

- Advertisement - EHA
Fake ProtonVPN website

The campaign initially started in November 2019 and the attacker register the domain under the name of ProtonVPN{.}store and is Registrar used for this campaign is from Russia.

Infection Vectors

Attackers handling several infection vectors to spread this malware and infect the victims as many as they can, but the main infection vectors is through affiliation banners networks also know as Malvertising.

Through the affiliation program and other infection vectors, victims are getting infected once they visit the fake ProtonVPN website and downloads a fake ProtonVPN installer for Windows, they receive a copy of the Azorult botnet implant.

PortonVPN installer

After the successful infection, Azorult malware collects the system information and share it to the attacker via command and control server which located in the same ” accounts[.]protonvpn[.]store server.”

According to Kaspersky research ” In their greed, the threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others. ‘

Indicators of Compromise

FilenameMD5 hash
ProtonVPN_win_v1.10.0.execc2477cf4d596a88b349257cba3ef356
ProtonVPN_win_v1.11.0.exe573ff02981a5c70ae6b2594b45aa7caa
ProtonVPN_win_v1.11.0.exec961a3e3bd646ed0732e867310333978
ProtonVPN_win_v1.11.0.exe2a98e06c3310309c58fb149a8dc7392c
ProtonVPN_win_v1.11.0.exef21c21c2fceac5118ebf088653275b4f
ProtonVPN_win_v1.11.0.exe0ae37532a7bbce03e7686eee49441c41
Unknown974b6559a6b45067b465050e5002214b

Follow us on Twitter, Linkedin, Facebook for Daily cyber security & hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Hackers Gained Unauthorized Network Access to Casio Networks

Casio Computer Co., Ltd. has confirmed that a third party illegally accessed its network...

Open-Source Scanner Released to Detect CUPS Vulnerability

A new open-source scanner has been released to detect a critical vulnerability in the...

Comcast Cyber Attack Impacts 237,000+ Users Personal Data

Comcast Cable Communications LLC has reported that over 237,000 users' data has been compromised....

American Water Works Cyber Attack Impacts IT Systems

American Water Works Company, Inc., a leading provider of water and wastewater services, announced...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

DCRAt Attacking Users Via HTML Smuggling To Steal Login Credentials

In a new campaign that is aimed at users who speak Russian, the modular...

LummaC2 Stealer Leverages Customized Control Flow Indirection For Execution

The LummaC2 obfuscator employs a novel control flow protection scheme designed specifically for its...

Octo2 Android Malware Attacking To Steal Banking Credentials

The original threat actor behind the Octo malware family has released a new variant,...