Cybercriminals have been sabotaging trusted brands for years

ProtonVPN is the latest vendor in a list of cybersecurity software providers that have had their names abused by threat actors in order to spread malware.

Kaspersky researcher Dmitry Bestuzhev said on Tuesday (February 18) that the AZORult Trojan, a data-stealer first discovered on underground Russian forums in 2016, is now at the center of a campaign abusing the reputation of ProtonVPN, a virtual private network service provider.

The wave of attacks on the ProtonVPN brand began in November 2019 with cybercriminals registering the domain protonvpn[.]store, Bestuzhev said.

Victims who visit the counterfeit website download what they believe to be the legitimate installer for ProtonVPN. Instead, the fake installer deploys AZORult.
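The lookalike domain at the heart of this campaign (protonvpn[.]store standing in for the vendor's real site) is the kind of thing a proxy-log review can catch. The following is an added example, not code from Kaspersky or ProtonVPN: it flags download URLs whose host name carries a trusted brand token but whose registrable domain is not one the brand owns. The brand allowlist and the log lines are constructed for illustration.

```python
"""Flag URLs that trade on a trusted brand's name but are not served from
that brand's own registrable domain, e.g. protonvpn[.]store vs protonvpn.com.
Example code added to this article; the allowlist and logs are constructed."""
from urllib.parse import urlsplit

# Constructed allowlist: brand token -> registrable domains the brand owns.
# In practice this should come from the vendor's published domain list.
BRAND_DOMAINS = {
    "protonvpn": {"protonvpn.com"},
    "nordvpn": {"nordvpn.com"},
}


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 (last two labels). Adequate for .com/.store style TLDs;
    use a public-suffix list for country-code second-level domains."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def defang(host: str) -> str:
    """Render a host as protonvpn[.]store so it is not a clickable link."""
    return host.replace(".", "[.]")


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unrelated' for a single URL."""
    host = (urlsplit(url).hostname or "").lower()
    reg = registrable_domain(host)
    for brand, owned in BRAND_DOMAINS.items():
        # Strip hyphens so 'proton-vpn' style spellings still match the token.
        if brand in host.replace("-", ""):
            return "trusted" if reg in owned else "lookalike"
    return "unrelated"


def lookalike_hosts(log_lines) -> list:
    """Scan constructed proxy-style lines ('client_ip url') and return the
    defanged hosts that impersonate a brand, sorted for stable reporting."""
    hits = set()
    for line in log_lines:
        url = line.split()[-1]
        if classify_url(url) == "lookalike":
            hits.add(defang(urlsplit(url).hostname))
    return sorted(hits)


SAMPLE_LOG = [  # constructed sample proxy lines
    "10.0.0.5 https://protonvpn.com/download",
    "10.0.0.7 https://protonvpn.store/download",
    "10.0.0.9 https://account.protonvpn.com/login",
    "10.0.0.9 https://nordvpn-free.example/setup.exe",
]
```

Subdomains of the owned domain (account.protonvpn.com) pass as trusted, while a different registrable domain that merely contains the brand token is reported as a lookalike.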

The Trojan collects system information and sends this data to a command and control (C2) server operated by the threat actors.

Bestuzhev told The Daily Swig: “This particular campaign runs on malicious banners from advertisement networks. That said, one essential thing to not do is to click on ads, especially when choosing products [that] we install on our computers.”

Brand awareness

ProtonVPN is only one of many vendors whose brands have been used as a springboard to dupe users into downloading malicious software.

Scams like these have been around for years. Pop-ups on websites proclaiming that a PC is infected with a virus are a well-documented technique that sees users install malicious software masquerading as legitimate antivirus solutions, for example.

The rogue software can download additional malicious payloads, act as spyware, or disable legitimate antivirus protections.

Originally, fear and a lack of technological awareness were used to facilitate these scams. Users would be fed ‘Your system is at risk’ messages, frightening those who were less tech-savvy into malicious installs.

As we have become more aware of security and privacy, however, a pivot has taken place, with fraudsters now using trusted security brands as their main attack vector.

VPNs have risen in popularity, with an estimated 17% of desktop, 15% of mobile, and 7% of tablet users accessing a VPN on a monthly basis. ProtonVPN, NordVPN, and VPN Pro have all been subject to such scams as user numbers increase.

Cybersecurity vendors including Microsoft, McAfee, ESET, Kaspersky, and Symantec, among others, have also had their brands stolen by scammers seeking to saddle users with spyware, nuisanceware, ransomware, and data-stealing programs.

Users can protect themselves from these scams by ensuring that software is always being downloaded from official sources, Andy Yen, founder and CEO of ProtonVPN, told The Daily Swig.

“Before downloading an app, users should always double-check the website address, the app name, and the app developer to make sure it’s genuine,” Yen said.

Yen added that Kaspersky had informed his company of the AZORult campaign as soon as it was discovered.

“We immediately requested a takedown of the domain to limit the impact of the campaign,” he said.

Bestuzhev added: “If you have your doubts about an ad, compare the results between your search engine, Wikipedia articles and the profile on the social network, like Twitter.

“It's easier to avoid infection instead of rectifying the situation by going hunting for malware on your machine once infected.”

ProtonVPN has previously issued advice to consumers who may fall prey to a fake ProtonVPN service.
