Fake VPN software installs AZORult info stealing trojan

In News

A VPN software named ”Pirate Chick” is being installed by Adware bundles, which connects to a remote server to download and install malicious payloads such the AZORult password-stealing Trojan. Since adware bundles need to look as legitimate as possible, they require offers that they promote to have legitimate web sites with privacy policies and user agreements. Pirate Chick VPN’s website looks like any other VPN site and includes a free three months trial with no credit card required.

Even the executables look real as they are signed using a certificate from a UK company called ATX International Limited. When you execute the installer for the Pirate Chick VPN, it will download and install a payload to the %Temp% folder and execute it. Currently, the payload is process monitor, which could be a temporary filler while they launch another campaign.

When first executed, the installer will combine a series of strings into process names, such as ImmunityDebugger, Fiddler, Wireshark, Regshot, and ProcessHacker. It will then check your list of running processes and if one of the processes is detected, it will skip the installation of the malware payload. It then connects to https://www.piratechickvpn.com/collectStatistics.php, which returns the country of the visitor based on the IP address. If the user is from Russia, Belaris, Ukraine, or Kazakhstan, it will skip the malicious payload.

If the user passes the above checks, it will download a file from https://www.piratechickvpn.com/wohsm.txt, performs character replacements on its contents, and then base64 decode the string.

This turns the downloaded file into a working executable, which is saved to %Temp%\wohsm.exe and executed. After installing the VPN, the user will be shown a splash screen asking them to signup.

Pirate Chick VPN is being distributed via fake adoble flash players and adware bundles.  In the past, they would install adware and unwanted extensions, but now they are installing miners, ransomware, password-stealing Trojans, and ad clickers. The Pirate Chick VPN is not currently installing the password-stealing Trojan, but does connect back to the site and downloads and runs an obfuscated copy of Procmon.exe.


You may also read!

du acknowledged as the Best MSSP in the Middle East

du, from Emirates Integrated Telecommunications Company (EITC), presented the Managed Security Service Provider, “Visionary of the Year” Award by


Forcepoint recognizes its partners in the region

Leading cybersecurity firm, Forcepoint recognized its key channel partner during its partner event held recently in Dubai, which was


Tenable research discovers download hijack vulnerability in Slack

Tenable Inc, the Cyber Exposure company, announced that its research team has discovered a vulnerability in the Slack Desktop


Join Our Newsletter!

Love SecurityMEA? We love to tell you about our new stuff. Subscribe to newsletter!

Mobile Sliding Menu