A VPN program called "Pirate Chick" is being installed by adware bundles and connects to a remote server to download and install malicious payloads such as the AZORult password-stealing Trojan. Because adware bundles need to look as legitimate as possible, the offers they promote are expected to have proper websites with privacy policies and user agreements. Pirate Chick VPN's website looks like any other VPN site and offers a free three-month trial with no credit card required.
Even the executables look real, as they are signed with a certificate issued to a UK company called ATX International Limited. When you run the Pirate Chick VPN installer, it downloads a payload to the %Temp% folder and executes it. At the time of writing, that payload is Process Monitor (Procmon), which could be a temporary filler while the operators prepare another campaign.
When first executed, the installer assembles a series of string fragments into the names of analysis tools, such as ImmunityDebugger, Fiddler, Wireshark, Regshot, and ProcessHacker. It then walks the list of running processes and, if any of those names is found, skips installing the malicious payload. Next it connects to https://www.piratechickvpn.com/collectStatistics.php, which returns the visitor's country based on the IP address. If the user is in Russia, Belarus, Ukraine, or Kazakhstan, the malicious payload is also skipped.
If the user passes the above checks, the installer downloads a file from https://www.piratechickvpn.com/wohsm.txt, performs character replacements on its contents, and then base64-decodes the resulting string. This turns the downloaded text into a working executable, which is saved to %Temp%\wohsm.exe and executed. After the VPN is installed, the user is shown a splash screen asking them to sign up.
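To make the gating and download-and-decode steps concrete, here is an added Python example (not code from the original article, and not the Pirate Chick installer's own code) that emulates the dropper's two checks and the swap-characters-then-base64 decoding applied to wohsm.txt. Several things are assumptions: the article does not give the real substitution table, so the map below is a hypothetical stand-in; the ISO country codes stand in for the country names the article lists; and the sample payload is a constructed blob that merely starts with the PE "MZ" magic, not a real executable.

```python
import base64
import binascii
import hashlib

# Analysis-tool process names the dropper looks for (from the write-up). The real
# dropper assembles them from string fragments at run time; they are spelled out here.
ANALYSIS_TOOLS = {"immunitydebugger", "fiddler", "wireshark", "regshot", "processhacker"}

# Countries for which the dropper skips the payload. ASSUMPTION: ISO codes for
# Russia, Belarus, Ukraine and Kazakhstan; the article names the countries only.
EXCLUDED_COUNTRIES = {"RU", "BY", "UA", "KZ"}

# ASSUMPTION: the dropper's real character-substitution table is not on the page.
# This hypothetical map only shows the encode/decode round trip. Every replacement
# character lies outside the base64 alphabet, so the reversal is unambiguous.
OBFUSCATION_MAP = {"A": "!", "Q": "@", "=": "#", "+": "$", "/": "%"}
DEOBFUSCATION_MAP = {v: k for k, v in OBFUSCATION_MAP.items()}

# Constructed stand-in for the real payload: it begins with the PE "MZ" magic but
# is not an executable.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 14 + b"This program cannot be run in DOS mode."


def _base_name(process_name):
    """Lower-case a process name and drop a trailing .exe for comparison."""
    name = process_name.lower()
    return name[:-4] if name.endswith(".exe") else name


def should_drop_payload(running_processes, country_code):
    """Replicate the dropper's two gates: no payload if an analysis tool is
    running or the visitor's country is on the exclusion list."""
    if {_base_name(p) for p in running_processes} & ANALYSIS_TOOLS:
        return False
    if country_code.upper() in EXCLUDED_COUNTRIES:
        return False
    return True


def obfuscate(raw):
    """Server side of the scheme: base64-encode, then swap selected characters
    so the text no longer looks like plain base64 to a naive scanner."""
    b64 = base64.b64encode(raw).decode("ascii")
    return "".join(OBFUSCATION_MAP.get(c, c) for c in b64)


def deobfuscate(text):
    """What the dropper does with wohsm.txt: undo the swaps, then base64-decode.
    validate=True makes leftover non-alphabet characters an error instead of
    silently dropping them."""
    restored = "".join(DEOBFUSCATION_MAP.get(c, c) for c in text)
    return base64.b64decode(restored, validate=True)


def analyze_download(text):
    """Analyst helper: decode the blob and report whether it is a PE plus its
    SHA-256. Returns None when the text does not decode cleanly (wrong table,
    truncated download)."""
    try:
        payload = deobfuscate(text)
    except (binascii.Error, ValueError):
        return None
    return {
        "is_pe": payload[:2] == b"MZ",
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    blob = obfuscate(SAMPLE_PAYLOAD)
    print("obfuscated text starts with:", blob[:12])
    print("drop on clean box  :", should_drop_payload(["explorer.exe", "svchost.exe"], "US"))
    print("drop with Wireshark:", should_drop_payload(["explorer.exe", "Wireshark.exe"], "US"))
    print("drop from RU       :", should_drop_payload(["explorer.exe"], "RU"))
    print(analyze_download(blob))
```

The useful part for an analyst is `analyze_download`: swap in the real substitution table recovered from the installer, feed it the text fetched from wohsm.txt, and you get a hash to share as an indicator and an early warning when the decoded bytes are not a PE (which usually means the table or the download is wrong).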
Pirate Chick VPN is being distributed via fake Adobe Flash Player installers and adware bundles. In the past, such bundles would install adware and unwanted browser extensions, but now they are installing miners, ransomware, password-stealing Trojans, and ad clickers. Pirate Chick VPN is not currently installing the password-stealing Trojan, but it does connect back to the site and download and run an obfuscated copy of Procmon.exe.