New AZORult campaign abuses popular VPN service to steal cryptocurrency

Kaspersky researchers have detected an unusual malicious campaign that uses a phishing copy of a popular VPN service’s website to spread AZORult, a Trojan stealer, under the guise of installers for Windows.

The campaign, which began at the end of last November with the registration of a fake website, is still active and focuses on stealing personal information and cryptocurrency from infected users. It shows that cybercriminals are still hunting for cryptocurrency, despite reports that interest in it has died down.

Last year, AZORult targeted 78,189 users in Africa, including 16,975 in South Africa, 8,165 in Kenya and 1,965 in Nigeria. In January the trend continued, with 759 users hit in South Africa, 639 in Kenya and 128 in Nigeria.

AZORult is one of the most commonly bought and sold stealers on Russian forums because of its wide range of capabilities. The Trojan poses a serious threat to anyone whose computer is infected: it collects browser history, login credentials, cookies, files from folders and cryptowallet files, and it can also act as a loader that downloads other malware.

Links to the fake domain are spread through advertisements on various banner networks. The victim lands on the phishing website and is prompted to download a free VPN installer. Once the victim downloads and runs the fake Windows installer, it drops a copy of the AZORult implant. As soon as the implant runs, it collects information about the infected device's environment and reports it to the attackers' server. Finally, the attacker steals cryptocurrency from wallets stored on the machine.
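The weak link in that chain is the first step: a user cannot easily tell the phishing copy from the real site. One defensive check a practitioner can apply (in a proxy log review, a download allow-list or a browser extension) is to flag hosts that resemble, but are not, the vendor's real domain. The Python below is an added example and is not Kaspersky's or the VPN vendor's code; since the article names neither the vendor nor the fake site, the examplevpn.com domains and the sample URLs are constructed. It goes beyond the single case in the text by catching digit-for-letter swaps (examp1evpn), letter-pair confusables (exarnplevpn), accented homoglyphs (éxamplevpn) and brand-as-subdomain tricks (examplevpn.com.free-download.net).

```python
import unicodedata
from typing import Tuple
from urllib.parse import urlsplit

# Constructed allow-list of the vendor's real hostnames (hypothetical names;
# the article does not identify the VPN service).
LEGIT_DOMAINS = {"examplevpn.com", "www.examplevpn.com", "download.examplevpn.com"}
BRAND_LABEL = "examplevpn"          # the registrable label attackers imitate
MAX_EDIT_DISTANCE = 2               # tolerance for near-miss spellings

# Single-character look-alikes commonly used in typosquats.
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
# Multi-character sequences that read as one letter in many fonts.
_PAIRS = (("rn", "m"), ("vv", "w"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small inputs, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_host(host: str) -> str:
    """Decode punycode labels and strip accents so homoglyph domains compare as ASCII."""
    try:
        host = host.encode("ascii").decode("idna")   # xn-- labels -> Unicode
    except UnicodeError:
        pass                                          # already Unicode; keep as is
    decomposed = unicodedata.normalize("NFKD", host)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def normalise_confusables(label: str) -> str:
    label = label.translate(_SINGLE)
    for pair, letter in _PAIRS:
        label = label.replace(pair, letter)
    return label


def registrable_label(host: str) -> str:
    """Second-level label. Caveat: multi-part public suffixes (co.uk) are not handled."""
    labels = [l for l in host.split(".") if l]
    if len(labels) >= 2:
        return labels[-2]
    return labels[0] if labels else ""


def classify_url(url: str) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'legit', 'lookalike' or 'unrelated'."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    # Exact match is checked on the RAW host: folding first would let an accented
    # homoglyph collapse onto the real domain and pass the allow-list.
    if host in LEGIT_DOMAINS:
        return "legit", "exact match against the allow-list"
    folded = fold_host(host)
    if BRAND_LABEL in folded:
        return "lookalike", f"brand label embedded in host ({folded})"
    distance = levenshtein(normalise_confusables(registrable_label(folded)), BRAND_LABEL)
    if distance <= MAX_EDIT_DISTANCE:
        return "lookalike", f"edit distance {distance} from brand label"
    return "unrelated", "no resemblance to brand"


if __name__ == "__main__":
    # Constructed sample URLs, as a proxy log review might surface them.
    for sample in (
        "https://www.examplevpn.com/download",
        "https://examp1evpn.com/free-vpn-installer.exe",
        "https://exarnplevpn.com/",
        "https://examplevpn.com.free-download.net/setup.exe",
        "https://éxamplevpn.com/",
        "https://examplevpm.com/",
        "https://totallydifferent.org/",
    ):
        verdict, reason = classify_url(sample)
        print(f"{verdict:10} {sample}  ({reason})")
```

The allow-list comparison deliberately happens before any normalisation: the folding step exists only to make fakes resemble the brand for the distance check, never to make them match the real domain. A hash or Authenticode check of the downloaded installer against what the vendor publishes is the natural second step, but the article gives no indicators for it, so none are assumed here.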

On discovering the campaign, Kaspersky informed the VPN service in question and blocked the fake website.

“This campaign is a good example of how vulnerable our personal data is nowadays,” said Dmitry Bestuzhev, Head of GReAT in Latin America.

“In order to protect it, users need to be cautious and be especially careful when surfing online.

“This case also shows why cybersecurity solutions are needed on every device. When it comes to phishing copies of websites, it is very difficult for the user to differentiate between a real and a fake version. Cybercriminals often capitalise on popular brands and this trend is not likely to die down. We strongly recommend using VPN for protection of data exchange on the web, but it is also important to closely study where the VPN software is downloaded from.”

Intelligent CIO Africa