Hackers create copies of VPN services with the AZORult trojan to steal user data

Kaspersky's latest investigation reveals that hackers are taking advantage of the popularity of VPN services to attack the most unsuspecting users. Cybercriminals are creating fake virtual private network service pages and installing the AZORult trojan on victims' devices. The malware is able to collect data such as browser history, access credentials, cookies, folder files and cryptocurrency wallet information.

Kaspersky data reveal that Portugal is not among the countries with the highest number of infections caused by this trojan. In all, 1,946 national cases were detected, with the country ranked 40th in the international ranking in January this year. Germany, with 31,188 cases, India, with 21,398, and Vietnam, with 19,398, make up the podium of the countries with more detectors.

According to the cybersecurity company, the AZORult trojan campaign began in late November 2019. Attackers of Russian origin created a replica of the ProtonVPN website with an identical look to the original, but with a different domain name.

Replica of the ProtonVPN page created by the attackers Credits: Kaspersky

Links to the fake website are broadcast via online advertisements, in a practice that is known as malvertising. When installing the fake VPN service, the victim ends up introducing the AZORult trojan into the equipment. The malware then collects information about the infected device and transmits it to the server.

To avoid being infected, Kaspersky recommends not visiting websites or downloading without being sure that the websites are legitimate, or without checking details such as the address format, the spelling of the company name, online comments and domain registration. .

As for cryptocurrency users, the company recommends storing digital coins in cold wallets, that is, wallets that are not connected to the Internet, to reduce the risk of theft. Password security in this area is also important, as credentials must be kept in a private and encrypted repository.