Researchers discovered a new wave of the Azorult malware campaign that abuses the ProtonVPN brand and delivers its payload as a fake ProtonVPN installer to infect Windows systems.
GBHackers has reported several incidents involving Azorult. It is a well-known information stealer that is often sold on Russian-language forums for a comparatively high price (around $100), since it offers a broad range of persistent, data-stealing functionality.
In this attack, the threat actors created a fake ProtonVPN website, an exact copy of the original produced with the HTTrack website copier, and used it to distribute the malware as a ProtonVPN installer package to compromise Windows users.
The campaign started in November 2019, when the attackers registered the domain ProtonVPN{.}store through a registrar located in Russia.
The attackers use several infection vectors to reach as many victims as possible, but the main one is affiliate banner networks, also known as malvertising.
Whichever vector brings them there, victims are infected once they visit the fake ProtonVPN website and download the fake ProtonVPN installer for Windows: what they actually receive is a copy of the Azorult botnet implant.
After a successful infection, Azorult collects system information and sends it to the attacker's command-and-control server, which is hosted on the same infrastructure at accounts[.]protonvpn[.]store.
According to Kaspersky's research: "In their greed, the threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Ethereum, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others."
| Filename | MD5 hash |
|---|---|
| ProtonVPN_win_v1.10.0.exe | cc2477cf4d596a88b349257cba3ef356 |
| ProtonVPN_win_v1.11.0.exe | 573ff02981a5c70ae6b2594b45aa7caa |
| ProtonVPN_win_v1.11.0.exe | c961a3e3bd646ed0732e867310333978 |
| ProtonVPN_win_v1.11.0.exe | 2a98e06c3310309c58fb149a8dc7392c |
| ProtonVPN_win_v1.11.0.exe | f21c21c2fceac5118ebf088653275b4f |
| ProtonVPN_win_v1.11.0.exe | 0ae37532a7bbce03e7686eee49441c41 |
| Unknown | 974b6559a6b45067b465050e5002214b |
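The indicators above are only useful if they are actually checked against hosts and logs. The script below is an added example written for this article; it is not GBHackers' or Kaspersky's code. It takes the MD5 hashes and the two defanged domains from the article, hashes every file under a directory looking for a match, and flags DNS or proxy log lines that reference the C2 domain or any of its subdomains. The sample files and log lines it builds are constructed for the demonstration (the "abc" file is matched against a hypothetical IoC set so the run shows a hit without any real malware). MD5 is not collision resistant, but that does not matter here: the goal is to recognise known bad files, not to certify good ones.

```python
import hashlib
import os
import tempfile

# MD5 indicators published in the article (hash -> filename as observed).
AZORULT_MD5 = {
    "cc2477cf4d596a88b349257cba3ef356": "ProtonVPN_win_v1.10.0.exe",
    "573ff02981a5c70ae6b2594b45aa7caa": "ProtonVPN_win_v1.11.0.exe",
    "c961a3e3bd646ed0732e867310333978": "ProtonVPN_win_v1.11.0.exe",
    "2a98e06c3310309c58fb149a8dc7392c": "ProtonVPN_win_v1.11.0.exe",
    "f21c21c2fceac5118ebf088653275b4f": "ProtonVPN_win_v1.11.0.exe",
    "0ae37532a7bbce03e7686eee49441c41": "ProtonVPN_win_v1.11.0.exe",
    "974b6559a6b45067b465050e5002214b": "Unknown",
}

# Domains from the article, kept defanged so nobody clicks them by accident.
DEFANGED_DOMAINS = ["ProtonVPN{.}store", "accounts[.]protonvpn[.]store"]

# Constructed DNS log lines for the demonstration (not real telemetry).
SAMPLE_DNS_LINES = [
    "2019-11-21T09:12:03Z 10.0.0.5 query A protonvpn.store",
    "2019-11-21T09:12:09Z 10.0.0.5 query A accounts.protonvpn.store",
    "2019-11-21T09:13:00Z 10.0.0.7 query A protonvpn.com",
]


def refang(indicator):
    """Turn a defanged domain ('[.]' or '{.}') back into a lowercase lookup key."""
    return indicator.replace("[.]", ".").replace("{.}", ".").lower()


def md5_of_file(path):
    """Stream a file through MD5 so large installers do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, ioc_hashes=None):
    """Return {path: (md5, ioc_label)} for every file whose MD5 is in the IoC set."""
    ioc_hashes = AZORULT_MD5 if ioc_hashes is None else ioc_hashes
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_of_file(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if digest in ioc_hashes:
                hits[path] = (digest, ioc_hashes[digest])
    return hits


def dns_log_hits(lines, domains=DEFANGED_DOMAINS):
    """Return the log lines that mention an IoC domain or any subdomain of it."""
    wanted = {refang(d) for d in domains}
    flagged = []
    for line in lines:
        for token in line.lower().split():
            token = token.strip(".,;\"'")
            if token in wanted or any(token.endswith("." + w) for w in wanted):
                flagged.append(line)
                break
    return flagged


def build_sample_dir():
    """Create a constructed directory: one 'installer' whose MD5 is in a
    hypothetical IoC set, and one benign file. Returns (dir, ioc_set)."""
    root = tempfile.mkdtemp(prefix="azorult_demo_")
    with open(os.path.join(root, "ProtonVPN_win_v1.11.0.exe"), "wb") as f:
        f.write(b"abc")  # MD5 of b"abc" is the well-known test vector below
    with open(os.path.join(root, "readme.txt"), "wb") as f:
        f.write(b"benign content")
    hypothetical_iocs = {"900150983cd24fb0d6963f7d28e17f72": "constructed sample"}
    return root, hypothetical_iocs


if __name__ == "__main__":
    sample_dir, sample_iocs = build_sample_dir()
    for path, (digest, label) in scan_directory(sample_dir, sample_iocs).items():
        print(f"HASH HIT  {digest}  {label}  {path}")
    for line in dns_log_hits(SAMPLE_DNS_LINES):
        print(f"DNS HIT   {line}")
```

On a real host, point `scan_directory` at the user's Downloads folder and at `%TEMP%` with the default `AZORULT_MD5` set, and feed `dns_log_hits` your resolver or proxy logs; a hit on the domain without a hit on the hash still means the host visited the fake site and should be looked at.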