Hackers impersonate top VPN to steal cryptocurrency

(Image credit: Shutterstock)

Researchers at Kaspersky have discovered a new malicious campaign which uses a fake version of a popular VPN service's website to spread the Trojan stealer AZORult by tricking users into thinking they are downloading a Windows installer.

AZORult is one of the most common stealers on Russian hacking forums because of its wide range of capabilities. This Trojan poses a serious threat to infected computers as it allows an attacker to collect a wealth of data including browser history, login credentials, cookies, files and folders, cryptowallet files and it can even be used as a loader to download other malware.

As more users have turned to VPNs to protect their privacy online, cybercriminals have begun to abuse the growing popularity of VPNs by impersonating them, as is the case in this AZORult campaign.

In the campaign discovered by Kaspersky researchers, the attackers created a copy of ProtonVPN's website which looks identical to the service's actual site except for the fact that it has a different domain name.

AZORult campaign

Links to the fake VPN website are spread through advertisements via different banner networks which is a practice that is also referred to as malvertising.

When a victim visits the phishing website, they are prompted to download a free VPN installer. However, once a victim downloads the fake VPN installer for Windows, it drops a copy of the AZORult botnet implant. Once the implant is activated, it collects the infected device's environment information and reports it back to a server controlled by the attackers.

The attackers then steal any cryptocurrency stored locally on the device from cryptowallets as well as FTP logins, passwords from FileZilla, email credentials, information from browsers including cookies and credentials from WinSCPm, Pidgin messenger and others software.

After discovering the campaign, Kaspersky immediately informed ProtonVPN and blocked the fake website in its security software.

Founder and CEO of ProtonVPN, Andy Yen told TechRadar Pro how the company is working to limit the impact of the campaign in a statement, saying:

“This underlines the importance of never downloading an app from an unofficial source. Before downloading an app, users should always double check the website address, the app name and the app developer to make sure it’s genuine. In this case it appears the fake app was designed to steal users information, specifically data regarding crypto currencies. Kaspersky blocked the fake website and informed us of the issue as soon as they discovered the malware. We immediately requested a takedown of the domain to limit the impact of the campaign. We have also published a guide on what to do if you accidentally download a fake version of our apps.”

  • Also check out our complete list of the best VPN services
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.