Bitdefender researchers have found that trojanized VPN installers have been used to deliver the EyeSpy spyware since May 2022.
The Bitdefender report states that the malicious campaign uses “components of the legitimate monitoring app SecondEye to spy on users of Iran’s 20Speed VPN service using trojanized installers.” Most infections occur in Iran, with a smaller number in Germany and the United States.
SecondEye is commercial activity-monitoring software marketed for uses such as parental control. It can:
- take screenshots;
- record sound from a microphone;
- log keystrokes;
- collect files and saved passwords from web browsers;
- remotely control the computer and execute arbitrary commands.
The attack chain begins when an unsuspecting user downloads a malicious executable from the 20Speed VPN website. This points to two likely scenarios: either the site's servers were compromised to host the spyware, or the distribution is a deliberate attempt to spy on Iranians who download the VPN to bypass internet blackouts in the country.
Once the installer runs, the legitimate VPN client starts as expected, while the trojanized component silently executes malicious commands in the background to establish persistence on the system and download the next-stage payload, which collects personal data from the host.
Bitdefender researchers conclude that EyeSpy can fully compromise a victim's online privacy through keylogging and theft of sensitive data such as documents, images, cryptocurrency wallets and passwords, which can lead to complete account takeover, identity theft and financial loss.