Fake VPN software installs AZORult info stealing trojan


A VPN program named "Pirate Chick" is being installed by adware bundles; once running, it connects to a remote server to download and install malicious payloads such as the AZORult password-stealing Trojan. Because adware bundles need to look as legitimate as possible, the offers they promote must have legitimate-looking websites with privacy policies and user agreements. Pirate Chick VPN's website looks like any other VPN site and advertises a free three-month trial with no credit card required.

Even the executables look real, as they are signed with a certificate issued to a UK company called ATX International Limited. When you run the Pirate Chick VPN installer, it downloads a payload to the %Temp% folder and executes it. Currently that payload is Process Monitor (Procmon.exe), which could be a temporary filler while the operators prepare another campaign.

When first executed, the installer assembles a series of strings into process names such as ImmunityDebugger, Fiddler, Wireshark, Regshot, and ProcessHacker. It then checks the list of running processes, and if any of these analysis tools is found, it skips installing the malware payload. Next it connects to https://www.piratechickvpn.com/collectStatistics.php, which returns the visitor's country based on their IP address. If the user is in Russia, Belarus, Ukraine, or Kazakhstan, it likewise skips the malicious payload.

If the user passes the above checks, the installer downloads a file from https://www.piratechickvpn.com/wohsm.txt, performs character replacements on its contents, and then base64-decodes the resulting string.

This turns the downloaded text file into a working executable, which is saved as %Temp%\wohsm.exe and executed. After the VPN is installed, the user is shown a splash screen asking them to sign up.

Pirate Chick VPN is being distributed via fake Adobe Flash Player installers and adware bundles. In the past, such bundles installed adware and unwanted browser extensions; now they are installing miners, ransomware, password-stealing Trojans, and ad clickers. At the time of writing, the Pirate Chick VPN installer is not dropping the password-stealing Trojan, but it does connect back to the site and download and run an obfuscated copy of Procmon.exe.
