Spyware found stealing Iranian user data via infected VPN installer
>
Spyware has been discovered stealing data from Iranian users through an infected VPN installer, antivirus provider Bitdefender has revealed.
The company’s joint investigation with cybersecurity firm Blackpoint found that components of Iranian-made EyeSpy malware were injected “via Trojan installers of VPN software (also developed in Iran)”.
Most of the targets were within the borders of the country, only a few victims were found to be stationed in Germany and the US.
This is especially concerning in a country like Iran, where using one of the best VPN services has become more and more a necessity. Whether this is to circumvent strict online censorship, or to maintain anonymity to avoid dangerous government surveillance. Most likely a mix of both.
At the same time, a crackdown on Iranian VPN services could push people to unsafe third-party sites. This makes such a spyware campaign even more dangerous to the privacy and security of Iranians.
Anti-dissident spyware?
“In light of recent events, it is possible that the targets are Iranians who want to access the internet through a VPN to bypass the country’s digital lockdown. Such malicious installers can place spyware on people who pose a threat to the regime .” Bitdefender report (opens in new tab) noted.
EyeSpy, developed by the Iranian company SecondEye, is legitimate monitoring software sold to companies as a way to track the activities of employees who work remotely.
It was observed that the attackers maliciously used components of the legitimate application to infect users’ downloading of Iran-based VPN service 20Speed and spy on their activities.
Once injected into a device, the malware can spy on almost any activity and collect a lot of sensitive data. These include saved passwords, crypto wallet data, documents and images, clipboard contents, and logs of keystrokes.
The components of the malware are scripts that steal sensitive information from the system and upload it to a SecondEye FTP server, Bitdefender explains.
“This can lead to complete account takeovers, identity theft and financial loss. Furthermore, by logging keystrokes, attackers can obtain messages typed by the victim on social media or email, and this information can be used to blackmail the victims.”
The campaign appears to be active since May 2022, with a growing number of attacks following the wave of anti-government protests that began in September.
VPN downloads in Iran skyrocketed after this, peaking at over 3,000% by the end of the month.
A VPN is largely used by Iranian citizens to access restricted apps such as Instagram and WhatsApp. But as the government increasingly charges dissidents with harsh sentences, even up to the death penalty, extra security software is also a necessity to protect sensitive data.
While more and more Iranians download a virtual private network on their devices, the authorities hardly crack down on reliable VPN services.
Many providers are currently blocked in Iran, which means that third-party VPN installers are becoming increasingly popular. According to Iran International (opens in new tab), 20Speed VPN is actually one of the most popular websites where Iranians purchase their VPN subscriptions. More than 100,000 are her active installations Android VPN app.
To combat such malware campaigns, Bitdefender experts recommend “using known VPN solutions downloaded from legitimate sources. Also, a security solution, such as Bitdefender, can protect against information thieves.”