Fake Pirate Chick VPN Pushed AZORult Info Stealing Trojan

by chebbi abir

Adware bundles are installing a VPN program called Pirate Chick, which then connects to a remote server to download and install malicious payloads such as the AZORult password-stealing Trojan.

As adware bundles need to look as legitimate as possible, they require the offers they promote to have real-looking web sites with privacy policies and user agreements.

Such is the case with the Pirate Chick VPN, whose web site looks like any other VPN site and includes a free three-month trial with no credit card required.

Pirate Chick Website

Even the executables are convincing, as they are signed using a certificate from a UK company called ATX International Limited. This is becoming increasingly common, though, as we are finding most signed malware to be associated with UK businesses.

Signed Executable

MalwareHunter, who discovered this Pirate Chick sample and shared it with me, and I both analyzed it and came to the same conclusion: this is a Trojan that pretends to be legitimate VPN software, but in the background downloads and installs a malware payload on the victim's machine.

A hidden malicious payload

When you execute the installer for the Pirate Chick VPN, it downloads a payload to the %Temp% folder and executes it. In the past this payload was the AZORult password-stealing Trojan, as we will explain later. Currently, the payload is Process Monitor, which could be a temporary filler while the operators launch another campaign.

When first executed, the installer assembles a series of strings into the names of analysis tools, such as ImmunityDebugger, Fiddler, Wireshark, Regshot, and ProcessHacker. It then checks the list of running processes, and if any of them is found, it skips the installation of the malware payload.

Process Checking Strings

It then connects to https://www.piratechickvpn.com/collectStatistics.php, which returns the country of the visitor based on the IP address. If the user is from Russia, Belarus, Ukraine, or Kazakhstan, it skips the malicious payload.

Check if you are from a Russian-speaking country

Next, it checks whether it is running under VMware, VirtualBox, or Hyper-V. If so, it once again skips the malicious payload.

If the machine passes the above checks, the installer downloads a file from https://www.piratechickvpn.com/wohsm.txt, performs character replacements on its contents, and then base64-decodes the resulting string.

This turns the downloaded text file into a working executable, which is saved to %Temp%\wohsm.exe and executed. As previously stated, this executable is currently the Sysinternals Process Monitor tool, but was previously AZORult.

Replace characters in downloaded file and execute it
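The steps above (download text, swap characters, base64-decode, check that the result is an executable) are the kind of wrapper an analyst decodes during triage. The following is an added example, not code from the article or from the Pirate Chick installer: the article does not say which characters the installer swaps, so the substitution table below is a constructed assumption that only stands in for the real one, and the "PE" it decodes is a constructed stand-in that carries nothing but the MZ stub.

```python
"""Decoder for a 'replace characters, then base64' payload wrapper.

Added example: not code from the article or from the Pirate Chick installer.
The article says the installer fetches wohsm.txt, performs character
replacements on it and base64-decodes the result, but does not list which
characters are swapped, so ASSUMED_REPLACEMENTS below is a constructed
table that only stands in for the real one.
"""
import base64
import binascii

# ASSUMED substitution table (not from the article). Keys are characters as
# they appear in the downloaded text, values are the base64 characters they
# replace. The stand-in keys are deliberately outside the base64 alphabet so
# the forward and reverse directions cannot collide.
ASSUMED_REPLACEMENTS = {"@": "A", "$": "=", "!": "/", "#": "+"}


def unwrap_payload(text: str, replacements: dict) -> bytes:
    """Reverse the wrapper: undo the replacements, then base64-decode.

    validate=True makes the decode fail loudly when the replacement table
    is incomplete, instead of silently skipping unknown characters.
    """
    for wrapped, real in replacements.items():
        text = text.replace(wrapped, real)
    cleaned = "".join(text.split())  # drop line breaks a download may carry
    return base64.b64decode(cleaned, validate=True)


def unwrap_or_none(text: str, replacements: dict):
    """Triage helper: None instead of an exception when the table is wrong."""
    try:
        return unwrap_payload(text, replacements)
    except (binascii.Error, ValueError):
        return None


def is_pe(data: bytes) -> bool:
    """Cheap check that the decoded blob is a Windows executable ('MZ' stub)."""
    return len(data) >= 64 and data[:2] == b"MZ"


def wrap_payload(data: bytes, replacements: dict) -> str:
    """Forward direction, used here only to build a sample to decode."""
    text = base64.b64encode(data).decode("ascii")
    for wrapped, real in replacements.items():
        text = text.replace(real, wrapped)
    return text


# Constructed stand-in for a PE: a real file would be far larger, but the
# 'MZ' magic is all the triage check looks at.
SAMPLE_BINARY = b"MZ" + bytes(62) + b"constructed stand-in for a PE body"
SAMPLE_DOWNLOAD = wrap_payload(SAMPLE_BINARY, ASSUMED_REPLACEMENTS)


def decode_sample() -> bytes:
    """Decode the constructed download with the assumed table."""
    return unwrap_payload(SAMPLE_DOWNLOAD, ASSUMED_REPLACEMENTS)


if __name__ == "__main__":
    blob = decode_sample()
    print(f"wrapped text starts with: {SAMPLE_DOWNLOAD[:24]}")
    print(f"decoded {len(blob)} bytes, PE header present: {is_pe(blob)}")
```

To use this against a real capture, replace `ASSUMED_REPLACEMENTS` with the table recovered from the installer's string-replacement routine and feed the downloaded text to `unwrap_or_none`; a `None` result means the table is incomplete, and a decoded blob should be hashed and examined statically rather than run.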

Finally, the main installer for the Pirate Chick VPN is shown.

Pirate Chick Install

After installing the VPN, the user is shown a splash screen asking them to sign up.

Pirate Chick VPN Signup

Currently, this signup screen is broken, but it shows how the Trojan pretended to be a VPN program while installing a malicious payload.

Distributed through adware bundles

Based on an Any.Run session, we can see that Pirate Chick VPN is being distributed via fake Adobe Flash Player installers and adware bundles.

Adware bundles, especially the ones out of Russia, are becoming increasingly aggressive in the types of “offers” they install on victims' machines.

In the past, they would install adware and unwanted extensions, but now they are installing miners, ransomware, password-stealing Trojans, and ad clickers.

In this particular case, the installer pretended to be a Flash Player installer, as can be seen from the icon below, and was most likely advertised as a Flash Player upgrade.

Fake Flash Player Upgrade

As you can see from the Any.Run process graph, piratechickvpnsetup.exe installs vpnclientupdate.exe, which is AZORult.

Any.Run Graph showing AZORult infection

The Pirate Chick VPN is not currently installing the password-stealing Trojan, but it still connects back to the site and downloads and runs an obfuscated copy of Procmon.exe.
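The behaviour described in the process graph and the paragraph above (an installer that contacts its site and then launches a dropped binary from %Temp%) is detectable from endpoint telemetry regardless of which payload the operators swap in. The following is an added example, not code from the article or from any vendor's product: the events are constructed in a Sysmon-like shape, the image names and host come from the article, and the PIDs, paths and the benign control installer are made up.

```python
"""Behavioural detection for 'installer phones home, then launches a dropped
binary from %Temp%'.

Added example: not code from the article or from any vendor's product. The
events below are constructed in a Sysmon-like shape; the image names and
host come from the article, while PIDs, paths and the benign installer are
made up.
"""
import re
from collections import defaultdict

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed telemetry, in chronological order.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 4120, "ppid": 900,
     "image": r"C:\Users\victim\Downloads\piratechickvpnsetup.exe"},
    {"type": "NetworkConnect", "pid": 4120,
     "dest_host": "www.piratechickvpn.com", "dest_port": 443},
    {"type": "ProcessCreate", "pid": 4388, "ppid": 4120,
     "image": r"C:\Users\victim\AppData\Local\Temp\wohsm.exe"},
    # Benign control: an installer that launches its program from Program
    # Files and never contacts a watched host (constructed, not a real product).
    {"type": "ProcessCreate", "pid": 5000, "ppid": 900,
     "image": r"C:\Users\victim\Downloads\benign-setup.exe"},
    {"type": "ProcessCreate", "pid": 5011, "ppid": 5000,
     "image": r"C:\Program Files\Benign\app.exe"},
]


def find_fetch_and_run(events, watch_hosts=None):
    """Alert when a process contacts a watched host (any host if watch_hosts
    is None) and later spawns a child whose image lives under %Temp%.

    Returns a list of alert dicts. Single pass; events must be in time order.
    """
    watch = {h.lower() for h in watch_hosts} if watch_hosts else None
    images = {}                   # pid -> image path, for readable alerts
    contacted = defaultdict(set)  # pid -> hosts it reached
    alerts = []
    for ev in events:
        if ev["type"] == "ProcessCreate":
            images[ev["pid"]] = ev["image"]
            if TEMP_DIR.search(ev["image"]) and contacted.get(ev["ppid"]):
                alerts.append({
                    "parent_pid": ev["ppid"],
                    "parent_image": images.get(ev["ppid"], "?"),
                    "hosts": sorted(contacted[ev["ppid"]]),
                    "child_pid": ev["pid"],
                    "child_image": ev["image"],
                })
        elif ev["type"] == "NetworkConnect":
            host = ev["dest_host"].lower()
            if watch is None or host in watch:
                contacted[ev["pid"]].add(host)
    return alerts


if __name__ == "__main__":
    for alert in find_fetch_and_run(SAMPLE_EVENTS, {"www.piratechickvpn.com"}):
        print(f"[ALERT] {alert['parent_image']} (pid {alert['parent_pid']}) "
              f"contacted {', '.join(alert['hosts'])} then ran "
              f"{alert['child_image']} (pid {alert['child_pid']})")
```

Passing a host watch list keeps the rule tied to the indicator from this campaign; calling `find_fetch_and_run(events)` with no watch list turns it into the broader "any network contact, then a child from %Temp%" rule, which catches a swapped-in domain at the cost of more review work on legitimate installers that stage their files in Temp.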

They could just as easily, though, switch it out for any malware they wish to install.


To read the original article:

https://www.bleepingcomputer.com/news/security/fake-pirate-chick-vpn-pushed-azorult-info-stealing-trojan/
