The infamous AZORult info-stealing trojan is back in a new attack campaign. The attackers are using a fake VPN application called Pirate Chick to distribute the malware.
About Pirate Chick VPN
According to BleepingComputer, the Pirate Chick VPN is distributed via fake Adobe Flash Players and adware bundles. The site looks very similar to other VPN sites and offers a free three-month trial period.
The executables also look convincing, as they are signed using a certificate from a UK company called ATX International Limited. Once the Pirate Chick VPN is launched, it downloads and installs a payload to the %Temp% folder and executes it.
How does it work?
The software fails to run its malicious payload in three different cases:
What happens if all the conditions are met?
If the user passes the above checks, the software will download a file from https[:]//www[.]piratechickvpn[.]com/wohsm[.]txt. This file eventually downloads the executables, which also include AZORult.
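For defenders, the two behaviours described above (a fetch of wohsm.txt from the distribution domain, and a payload run from %Temp% by the ATX-signed installer) can be hunted for in proxy and process-creation telemetry. The following is an added example, not code from the original report; the event field names and sample events are constructed, and it assumes the telemetry records the parent process's signer.

```python
import ntpath
from urllib.parse import urlsplit

# Indicators from the article; the URL stays defanged in source.
DEFANGED_URL = "https[:]//www[.]piratechickvpn[.]com/wohsm[.]txt"
SIGNER = "ATX International Limited"

def refang(ioc):
    """Turn a defanged indicator back into a parseable URL."""
    return ioc.replace("[.]", ".").replace("[:]", ":")

IOC = urlsplit(refang(DEFANGED_URL))
HOST = IOC.hostname
IOC_DOMAIN = HOST[4:] if HOST.startswith("www.") else HOST

def in_temp(image):
    """True if a Windows image path sits under a user's %Temp% folder."""
    parts = ntpath.normpath(image).lower().split("\\")
    return any(parts[i:i + 3] == ["appdata", "local", "temp"]
               for i in range(len(parts)))

def triage(events):
    """Return (event id, reason) for events matching the described behaviour."""
    hits = []
    for ev in events:
        if ev["type"] == "proxy":
            url = urlsplit(ev["url"])
            host = (url.hostname or "").lower()
            # Exact domain or a true subdomain; lookalike suffixes do not match.
            if host == IOC_DOMAIN or host.endswith("." + IOC_DOMAIN):
                exact = url.path.lower() == IOC.path.lower()
                hits.append((ev["id"], "wohsm.txt fetch" if exact else "domain contact"))
        elif ev["type"] == "process":
            if in_temp(ev["image"]) and ev.get("parent_signer") == SIGNER:
                hits.append((ev["id"], "Temp payload run by signed installer"))
    return hits

# Constructed sample events; field names are hypothetical, not a real log schema.
SAMPLE_EVENTS = [
    {"id": 1, "type": "proxy", "url": refang(DEFANGED_URL)},
    {"id": 2, "type": "proxy", "url": "https://" + IOC_DOMAIN + ".example.net/wohsm.txt"},
    {"id": 3, "type": "process", "parent_signer": SIGNER,
     "image": r"C:\Users\alice\AppData\Local\Temp\setup_7f.exe"},
    {"id": 4, "type": "process", "parent_signer": "Example Software Ltd",
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"id": 5, "type": "process", "parent_signer": SIGNER,
     "image": r"C:\Program Files\Example\app.exe"},
    {"id": 6, "type": "proxy", "url": "https://www." + IOC_DOMAIN + "/"},
]
```

Calling `triage(SAMPLE_EVENTS)` flags events 1, 3 and 6; the lookalike host in event 2 and the unrelated Temp and Program Files launches are left alone.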