Consumer VPN solutions have witnessed explosive growth in the past few years. These ubiquitous utilities help users keep their internet traffic private, surf anonymously, and bypass restrictions or censorship. And, while most of the world takes this technology for granted, users in specific regions – such as the people in Iran – have to try out dozens of apps before they find one that is (still) able to bypass ISP restrictions. And, while some VPNs are fake [here is a guide on how to spot a fake VPN app] or blocked, some others are deliberately laced with malware.
During routine analysis of detection performance, we noticed a batch of processes that respected the same pattern in the process names. These names begin with sys, win or lib followed by a word that describes the functionality, such as bus, crt, temp, cache, init, and end in 32.exe. We later noticed that the .bat files and the downloaded payloads respect the same naming convention. Further investigation revealed the components are part of a monitoring application called SecondEye, developed in Iran and distributed legitimately via the developer’s website. We also found that some spyware components were already described in an article published by Blackpoint. In the article, researchers drew attention to the dangers of legally distributed monitoring software with malicious behavior.
Our own researchers, as well as Blackpoint’s, found the campaigns used components of the SecondEye suite and their infrastructure. However, these components were not delivered through a legitimate SecondEye installer but rather through Trojanized installers of VPN software (also developed in Iran) that dropped the spyware components along with the VPN product.
Attack at a glance
- Bitdefender has discovered a malware campaign that uses components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers.
- EyeSpy has the ability to fully compromise online privacy via keylogging and stealing of sensitive information, such as documents, images, crypto-wallets, and passwords.
- The campaign started in May 2022, but detections peaked in August and September. Most of these detections originate from Iran, with a small pool of victims in Germany and the US.
Indicators of Compromise
An up-to-date, complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. Currently known indicators of compromise can be found in the whitepaper below.