
AZORult campaign targets VPN service to steal crypto-currency

By Staff Writer, ITWeb
Johannesburg, 19 Feb 2020

Researchers from Kaspersky have uncovered an unusual malicious campaign that uses a phishing copy of a popular VPN service’s Web site to spread AZORult, a Trojan stealer that poses as an installer for Windows.

The campaign, which began at the end of November 2019 with the registration of a fake Web site, is still active and is focused on stealing personal information and crypto-currency from infected users.

According to Kaspersky, this shows that cyber criminals still have crypto-currency in their cross hairs, despite reports that interest in the currency has died down. AZORult is highly active. In 2019 it targeted 78 189 users in Africa, with 16 975 users located in SA, 8 165 in Kenya and 1 965 in Nigeria. January 2020 has already seen the continuation of this dangerous trend, with 759 users hit in South Africa, 128 in Nigeria and 639 in Kenya.

The Trojan is one of the most commonly bought and sold stealers on Russian forums due to its wide range of capabilities, the company says. 

“It poses a serious threat to those whose computers may have been infected as it is capable of collecting various data, including browser history, login credentials, cookies, files from folders, crypto-wallet files and can also be used as a loader to download other malware.”

At a time when privacy is key, VPNs play a crucial role by enabling additional data protection and safe Internet browsing, and yet attackers continually exploit their growing popularity by impersonating them.

In this campaign the attackers created a copy of a VPN service’s Web site that is close enough to the original to defy all but the closest scrutiny; the only visible difference is that it is served from a different domain name.

Links to the fake domain are spread via advertisements on various banner networks, a practice known as ‘malvertising’. The target visits the phishing site and is prompted to download a free VPN installer. Once the fake VPN installer for Windows is downloaded and run, it drops a copy of the AZORult implant.
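The article does not name the impersonated VPN service or the fake domain, but the pattern it describes (a brand’s site cloned under a different registrable domain) is one a defender can hunt for in proxy or DNS logs. The following is an added example, not code from Kaspersky or from the article: it scores hostnames against a list of protected domains for TLD swaps, homoglyph substitutions, small edit-distance typosquats and brand names embedded in an unrelated domain. All domain names and log lines in it are constructed for illustration.

```python
"""Flag look-alike domains in proxy logs (added example, constructed data).

The protected domains, brand names and log lines below are hypothetical;
the real fake domain from the campaign is not given in the article.
"""
from urllib.parse import urlparse

# Hypothetical legitimate domains the defender wants to protect (assumption).
PROTECTED_DOMAINS = {"examplevpn.com", "example-vpn.net"}

# Character substitutions commonly used in look-alike registrations.
# Multi-character pairs (rn -> m, vv -> w) must be replaced before single ones.
_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                ("3", "e"), ("5", "s"), ("7", "t"), ("-", "")]


def normalise(label: str) -> str:
    """Lower-case a label and collapse visually similar characters."""
    label = label.lower()
    for bad, good in _CONFUSABLES:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) in O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Approximate registrable domain as the last two labels.

    Simplification: multi-part public suffixes such as co.za or co.uk are not
    handled; production code should consult the Public Suffix List.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


# Brand labels derived from the protected domains, e.g. {"examplevpn"}.
BRANDS = {normalise(d.split(".")[0]) for d in PROTECTED_DOMAINS}


def classify(host: str):
    """Return a reason string if `host` looks like an impersonation, else None."""
    host = host.lower().rstrip(".")
    reg = registrable(host)
    if reg in PROTECTED_DOMAINS:
        return None  # the real site or one of its subdomains
    reg_label = reg.split(".")[0]
    norm_label = normalise(reg_label)
    for brand in BRANDS:
        # examplevpn.xyz (TLD swap) or examp1evpn.com (homoglyph) -> same brand label
        if reg_label == brand or norm_label == brand:
            return f"homoglyph or TLD swap of {brand}"
        # examplevpm.com: one or two edits away from the brand
        if levenshtein(norm_label, brand) <= 2:
            return f"typosquat of {brand}"
        # examplevpn.com.free-downloads.xyz: brand used as a subdomain of something else
        if brand in normalise(host.replace(".", "")):
            return f"brand {brand} embedded in unrelated domain"
    return None


# Constructed proxy log lines: timestamp, client, method, URL (hypothetical).
SAMPLE_LOG = """\
2020-02-18T10:01:02Z 10.0.0.7 GET https://www.examplevpn.com/download
2020-02-18T10:02:15Z 10.0.0.9 GET https://examp1evpn.com/free-vpn-setup.exe
2020-02-18T10:03:44Z 10.0.0.9 GET https://examplevpn.com.free-downloads.xyz/setup.exe
2020-02-18T10:04:10Z 10.0.0.12 GET https://www.google.com/
2020-02-18T10:05:31Z 10.0.0.3 GET https://examplevpm.com/vpn
"""


def scan(log_text: str):
    """Return (host, reason) for every log line whose host looks like an impersonation."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        host = urlparse(parts[3]).hostname
        if host and (reason := classify(host)):
            hits.append((host, reason))
    return hits


if __name__ == "__main__":
    for host, reason in scan(SAMPLE_LOG):
        print(f"{host:45} {reason}")
```

The edit-distance threshold of two is tuned for brand labels of this length; short brand names will need a stricter threshold or an allow-list to avoid false positives, and a real deployment should resolve the registrable domain with the Public Suffix List rather than the last-two-labels shortcut used here.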

As soon as the implant is run, it collects information about the infected device's environment and reports it to its command-and-control server. In the final stages, the attacker steals crypto-currency from locally available wallets such as Electrum, Bitcoin, Ethereum and others, FTP logins and passwords saved in FileZilla, e-mail credentials, data from locally installed browsers (including cookies), and credentials from WinSCP, the Pidgin messenger and other applications.

When Kaspersky discovered the campaign, it instantly informed the VPN service in question about the issue and blocked the fake Web site. 

“This campaign is a good example of how vulnerable our personal data is nowadays,” says Dmitry Bestuzhev, head of Kaspersky's Global Research and Analysis Team in Latin America. “In order to protect it, users need to be cautious and be especially careful when surfing online.

“This case also shows why cyber security solutions are needed on every device. When it comes to phishing copies of Web sites, it is very difficult for the user to differentiate between a real and a fake version. Cyber criminals often capitalise on popular brands and this trend is not likely to die down. We strongly recommend using VPN for protection of data exchange on the Web, but it is also important to closely study where the VPN software is downloaded from.”

Kaspersky detects this threat as HEUR:Trojan-PSW.Win32.Azorult.gen.

To lower the risk of infection with Trojan stealers such as AZORult, Kaspersky recommends that users check that a Web site is genuine before downloading anything from it. It says crypto-currencies should be stored in cold wallets (ones that are not connected to the Internet) to minimise the risk of funds being stolen, and urges users to keep passwords and other personal information, including a wallet’s private key, in a password manager.
