2 min read

EyeSpy - Iranian Spyware Delivered in VPN Installers

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
EyeSpy - Iranian Spyware Delivered in VPN Installers

Consumer VPN solutions have witnessed explosive growth in the past few years. These ubiquitous utilities help users keep their internet traffic private, surf anonymously, and bypass restrictions or censorship. And, while most of the world takes this technology for granted,  users in specific regions - such as the people in Iran - have to try out dozens of apps before they find one that is (still) able to bypass ISP restrictions. And, while some VPNs are fake [here is a guide on how to spot a fake VPN app] or blocked, some others are deliberately laced with malware.

Context

During routine analysis of detection performance, we noticed a batch of processes that respected the same pattern in the process names. These names begin with sys, win or lib followed by a word that describes the functionality, such as bus, crt, temp, cache, init, and end in 32.exe. We later noticed that the .bat files and the downloaded payloads respect the same naming convention. Further investigation revealed the components are part of a monitoring application called SecondEye, developed in Iran and distributed legitimately via the developer’s website. We also found that some spyware components were already described in an article published by Blackpoint. In the article, researchers drew attention to the dangers of legally distributed monitoring software with malicious behavior.

Our own researchers, as well as Blackpoint’s, found the campaigns used components of the SecondEye suite and their infrastructure. However, these components were not delivered through a legitimate SecondEye installer but rather through Trojanized installers of VPN software (also developed in Iran) that dropped the spyware components along with the VPN product.

Attack at a glance

  • Bitdefender has discovered a malware campaign that uses components of SecondEye - a legitimate monitoring application - to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers.
  • EyeSpy has the ability to fully compromise online privacy via keylogging and stealing of sensitive information, such as documents, images, crypto-wallets, and passwords.
  • The campaign started in May 2022, but detections peaked in August and September. Most of these detections originate from Iran, with a small pool of victims in Germany and the US.

Indicators of Compromise

An up-to-date, complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. Currently known indicators of compromise can be found in the whitepaper below.

Download the whitepaper

tags


Author



Right now

Top posts

BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign

BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign

December 06, 2022

1 min read
Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild

October 05, 2022

1 min read
A Red Team Perspective on the Device42 Asset Management Appliance

A Red Team Perspective on the Device42 Asset Management Appliance

August 10, 2022

1 min read
Vulnerabilities Identified in Wyze Cam IoT Device

Vulnerabilities Identified in Wyze Cam IoT Device

March 29, 2022

1 min read
New FluBot and TeaBot Global Malware Campaigns Discovered

New FluBot and TeaBot Global Malware Campaigns Discovered

January 26, 2022

10 min read
Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

Bitdefender Honeypots Signal Active Log4Shell 0-Day Attacks Underway; Patch Immediately

December 10, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

EyeSpy - Iranian Spyware Delivered in VPN Installers EyeSpy - Iranian Spyware Delivered in VPN Installers
Janos Gergo SZELESBogdan BOTEZATU
2 min read
Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor Bitdefender Partnership with Law Enforcement Yields MegaCortex Decryptor
Bitdefender

January 05, 2023

1 min read
BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign
Adrian SCHIPORVictor VRABIE
1 min read