Security researchers observed samples of the AZORult trojan disguising themselves as fake ProtonVPN installers for distribution.

Back in November 2019, malicious actors launched this attack campaign by registering the domain “protonvpn[.]store” with a registrar based in Russia.

One iteration of the campaign used malvertising as its initial infection vector. Upon visiting a malicious website and downloading a fake ProtonVPN installer for Windows, a victim received a copy of AZORult.

This wasn’t the first time that the malware family made headlines in recent years. Back in December 2018, for instance, digital criminals launched a new sextortion campaign that attempted to infect users’ computers with AZORult which, in turn, installed a version of GandCrab ransomware. It was a few months later when researchers spotted a variant of the STOP ransomware family downloading the AZORult infostealer onto victim’s machines as part of its infection process.

In this latest attack, AZORult collected the infected machine’s environment data and sent it to its command-and-control (C&C) server located at accounts[.]protonvpn[.]store. The malware then set to work stealing a user’s information of interest. As detailed by Kaspersky Lab in its analysis of the attack:

In their greed, the threat actors have designed the malware to steal cryptocurrency from locally available wallets (Electrum, Bitcoin, Etherium, etc.), FTP logins and passwords from FileZilla, email credentials, information from locally installed browsers (including cookies), credentials for WinSCP, Pidgin messenger and others.

This attack highlights the need for organizations to defend themselves against a malware campaign. One of the ways they can do this is by investing in a solution that can deliver detailed reports on relevant system changes. This tool should also examine file behavior in a quartined environment for the purpose of protecting their systems.

Learn how Tripwire File Analyzer can help protect your organization against an AZORult attack.