Fake VPN software called Pirate Chick leveraged to push AZORult info stealing trojan

• The Pirate Chick VPN is distributed via fake Adobe Flash Players and adware bundles.
• The site looks very similar to other VPN sites and includes a free three months trial period.

The infamous AZORult info-stealing trojan is back in a new attack campaign. The attackers are leveraging a fake VPN software called Pirate Chick to distribute the malware.

About Pirate Chick VPN

According to BleepingComputer, the Pirate Chick VPN is distributed via fake Adobe Flash Players and adware bundles. The site looks very similar to other VPN sites and includes a free three months trial period.

Additionally, the executables also look convincing as they are signed using a certificate from a UK company called ATX International Limited. Once the Pirate Chick VPN is launched, it downloads and installs a payload to the %Temp% folder and executes it.

How does it work?

The software fails to run its malicious payload in three different cases:

• If the system is running any of these processes such as ImmunityDebugger, Fiddler, Wireshark, Regshot, and ProcessHacker.
• If the user is from Russia, Belaris, Ukraine or Kazakhstan. For this, the software connects to https[:]//www[.]piratechickvpn[.]com/collectStatistics[.]php, which in turn returns the location of the IP address.
• If the user is running under Vmware, VirtualBox, or HyperV.

What happens if all the conditions are met?

If the user passes the above checks, the software will download a file from https[:]//www[.]piratechickvpn[.]com/wohsm[.]txt. This file eventually downloads the executables which also includes the AZORult.