Kaspersky researchers have detected an unusual malicious campaign that uses phishing to mimic a popular VPN service. This helps spread AZORult, a Trojan stealer, under the guise of installers for Windows. The campaign, which kicked off at the end of November 2019 with the registration of a fake website, is currently active and focused on stealing personal information and cryptocurrency from infected users. This shows that cybercriminals are still hunting for cryptocurrency, despite reports that interest in the currency has died down. AZORult is highly active: in 2019 this malware targeted 78,189 users in Africa, with 16,975 users located in South Africa, 8,165 in Kenya and 1,965 in Nigeria. January 2020 has already seen the continuation of this dangerous trend, with 759 users hit in South Africa, 128 in Nigeria, and 639 in Kenya.
AZORult is one of the most commonly bought and sold stealers on Russian forums, due to its wide range of capabilities. This Trojan poses a serious threat to those whose computers may have been infected as it is capable of collecting various data, including browser history, login credentials, cookies, files from folders, cryptowallet files, and can also be used as a loader to download other malware.
In a world where privacy is heavily fought for, VPN services play an important role by enabling additional data protection and safe internet browsing. Yet cybercriminals try to abuse the growing popularity of VPNs by impersonating them, as is the case in this AZORult campaign. In the most recent campaign, the attackers created a copy of a VPN service’s website, which looks exactly the same as the original with the only exception being a different domain name.
Links to the domain are spread through advertisements via different banner networks, a practice that is also called ‘malvertizing’. The victim visits the phishing website and is prompted to download a free VPN installer. Once a victim downloads a fake VPN installer for Windows, it drops a copy of AZORult botnet implant. As soon as the implant is run, it collects the infected device’s environment information and reports it to the server. Finally, the attacker steals cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, and others), FTP logins, and its passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials from WinSCP, Pidgin messenger and others.
Upon the discovery of the campaign, Kaspersky immediately informed the VPN service in question about the issue and blocked the fake website.
“This campaign is a good example of how vulnerable our personal data is nowadays”, says Dmitry Bestuzhev, head of Kaspersky’s Global Research and Analysis Team (GReAT) in Latin America in Latin America. “In order to protect it, users need to be cautious and be especially careful when surfing online. This case also shows why cybersecurity solutions are needed on every device. When it comes to phishing copies of websites, it is very difficult for the user to differentiate between a real and a fake version. Cybercriminals often capitalise on popular brands and this trend is not likely to die down. We strongly recommend using a VPN for protection of data exchange on the web, but it is also important to closely study where the VPN software is downloaded from.”
Kaspersky detects this threat as HEUR:Trojan-PSW.Win32.Azorult.gen
Read more about this AZORult campaign on Securelist.com.