Hackers Use VPN Installers

The consumer VPN market has seen explosive growth in the last few years due to the increasing popularity of VPN technologies. 

Users can keep their internet traffic private and anonymous with these ubiquitous utilities while avoiding restrictions or censorship on their usage of the internet.

A malware campaign that began in May 2022 involved the use of tainted VPN installers to deliver EyeSpy, a piece of surveillanceware that conducts a wide range of surveillance activities.

Technical Analysis of the Malware

The spyware was offered for sale in November 2021 at prices ranging from $99 to $200, depending on where it was listed. Bitdefender researchers noticed a batch of processes that followed the same pattern in both their names and their execution while carrying out routine analyses of detection performance.

The process name is usually a system-like name built from the words sys, lib, or win, followed by a word that describes the functionality of the component, and ending in 32.exe. The descriptive words observed were:-

  • bus
  • crt
  • temp
  • cache
  • init
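A detection heuristic for the naming pattern described above, added here as an example and not part of the original report: it matches the sys/lib/win prefix, one of the observed descriptors and the 32.exe suffix against process names taken from constructed tasklist-style lines, and returns the hits for triage.

```python
import re

# Naming pattern described in the report: (sys|lib|win) + descriptor + 32.exe.
# Case-insensitive because Windows file names are.
EYESPY_NAME_RE = re.compile(
    r"(?:sys|lib|win)(?:bus|crt|temp|cache|init)32\.exe", re.IGNORECASE
)


def is_suspicious_name(name):
    """True if the process name follows the reported EyeSpy naming scheme."""
    return EYESPY_NAME_RE.fullmatch(name.strip()) is not None


def scan_tasklist(lines):
    """Parse tasklist-style lines (image name, PID, ...) and return (pid, name) hits.

    A name match is a triage signal only: confirm the image path and signer
    before acting, since the scheme deliberately mimics system binaries.
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or not parts[1].isdigit():
            continue  # header, separator or blank line
        name, pid = parts[0], int(parts[1])
        if is_suspicious_name(name):
            hits.append((pid, name))
    return hits


# Constructed sample output in the layout of `tasklist`; the process names
# other than the usual Windows ones are invented for this example.
SAMPLE = """Image Name                     PID Session Name        Session#    Mem Usage
svchost.exe                   1234 Services                   0      9,000 K
sysbus32.exe                  4321 Console                    1      2,100 K
wincache32.exe                5678 Console                    1      3,400 K
win32calc.exe                 2468 Console                    1      1,000 K
wininit.exe                    600 Services                   0      5,200 K
libtemp32.exe                 8642 Console                    1      1,500 K""".splitlines()

if __name__ == "__main__":
    for pid, name in scan_tasklist(SAMPLE):
        print(f"suspicious process name: {name} (PID {pid})")
```

Legitimate names such as wininit.exe and win32calc.exe do not match because the scheme requires the descriptor and the 32 suffix together before .exe.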

The campaign uses trojanized installers of 20Speed VPN, an Iranian VPN service, to gain access to that service's users and spy on them with the components of SecondEye.

Infections were reported mostly in Iran, though a small number of detections were also seen in the following countries:-

  • Germany 
  • The U.S.

SecondEye is marketed as a commercial monitoring program that can be used as a:-

  • Parental control system 
  • Online watchdog

SecondEye previously surfaced in August 2022, when Blackpoint Cyber revealed that its spyware modules and infrastructure were being used by unknown threat actors to store data and payloads.

It is unknown what mechanism was used to gain initial access in those incidents. Although the spyware components used in both sets of activity are similar, there is insufficient evidence to link them.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.