Bitdefender discovered that the 20Speed VPN installer contained components of an Iranian monitoring application known as SecondEye. When a victim installs the VPN, they unknowingly set up a snooping tool researchers have dubbed “EyeSpy” on their device. Researchers speculate the campaign may target Iranians trying to bypass the country’s stringent internet blockades. While most of the trojanized VPNs originated in Iran, a small number of victims were reported in Germany and the U.S. Bitdefender added it is unclear if SecondEye’s proprietor has any involvement in the VPN campaign. “While less likely, we can’t rule out another possibility — that a malicious actor hijacked the servers of 20Speed VPN and SecondEye to deploy the spyware,” Bitdefender’s whitepaper stated.
Attack Uses ‘Legal Malware’ to Infect Victims
SecondEye is a legitimate product marketed as a staff-monitoring and parental control tool. However, SecondEye has acknowledged its software can be used for more nefarious purposes. Researchers at Blackpoint uncovered previous campaigns where threat actors used this “legal malware.” In the current campaign, Bitdefender’s researchers found that the SecondEye component first arrives on a victim’s device through an installer called “20SPEED-VPN-v9.2.exe.” The researchers said they found SecondEye files on older versions of the VPN installer as well. “The VPN service seems to be a paid subscription, but we could download an installer from the website without payment information, and we could validate that it also contains the spyware components,” they added.
Attackers can Pry Away Sensitive Information
The malware has wide-ranging and comprehensive capabilities. It can give attackers access to stored information, such as passwords, crypto-wallet data, images, and documents. Furthermore, the spyware logs key presses, allowing attackers to potentially obtain typed messages or e-mails. Attackers can use all the stolen data to take over victims’ accounts, engage in identity theft, blackmail, and even cause financial losses. Unfortunately, the campaign appears to be on the rise, with the number of victims growing in recent months. “We can see a growing number of detections in the past six months. As people in Iran try to obtain access to the internet via VPN, more and more of them find the malicious installer and install EyeSpy, exposing them to the risk of losing privacy,” Bitdefender stated. We recommend checking out Bitdefender’s whitepaper for further technical details regarding the campaign.