Digital attackers bundled installers for a free virtual private network (VPN) and ad block service with backdoors designed to steal victims’ data, researchers observed on Sept. 21, 2020.

VPN Vulnerabilities: Suspicious Files From Malicious Sources

Trend Micro discovered an attack attempt, which occurred when a user downloaded what appeared to be a Windscribe installer from a source other than the VPN provider’s official download center.

This bundle did include a real Windscribe installer. However, it also included a malicious file (lscm.exe) containing the VPN backdoor and an application (win.vbs) for running that file. When opened, the bundled application caused a Windscribe installation screen to pop up on the victim’s machine. This behavior reassured the user that nothing suspicious was going on — at least on the surface. The bundled application invoked win.vbs in the background. Once this was achieved, it ran lscm.exe, a file Trend Micro detected called ‘Trojan.MSIL.BLADABINDI.THIOABO.’

This step caused the file to download its payload from a website. Next, that location directed the user to another page for the purpose of downloading a file called ‘Dracula.jpg.’ Once it had decrypted the file, Trend Micro arrived at the VPN backdoor payload, which its researchers detected as ‘Backdoor.MSIL.BLADABINDI.THA.’ Successful installation of this backdoor enabled its handlers to download, execute and upload files, as well as take screenshots of the victim’s screen.

The payload also gathered a list of antivirus products running on the infected machine and the machine name, operating system and username. It then sent this data to a server under the attackers’ control.

Other Attacks Involving VPN Security and Backdoors

Malicious actors have launched attacks involving both VPN security and backdoors before.

In August 2019, website Dr. Web detected a campaign in which digital criminals had created fake websites for popular software. Their targets included the well-known VPN service NordVPN. Those websites tricked visitors into downloading what they thought were legitimate applications. In reality, they downloaded samples of Win32.Bolik.2 onto victims’ computers. That trojan is designed to steal data, log keystrokes, intercept traffic and perform other malicious functions.

Less than a year later, the ClearSky Research Team revealed it had uncovered an offensive digital operation that it named the Fox Kitten Campaign. Iranian APT groups exploited VPN openings as well as using Remote Desktop Protocol (RDP) services to gain a foothold. In this way, they could reach into the networks of dozens of companies around the world. They then leveraged that access to steal data from their victims.

News of the BLADABINDI campaign described above arrived amid a slow rise in the number of web searches for the term ‘VPN.’ As revealed by Google, those searches peaked last February and March as many organizations around the world transitioned their employees to remote work in order to enforce social distancing.

VPN Security Tips

Given this rise in use of VPNs, organizations need to protect themselves against fake VPN installers. One of the ways they can do this is by crafting their security policies in such a way that prohibits employees from downloading VPNs from suspicious websites. Those policies should also clearly define processes for working with IT to bring on approved hardware/software for VPN security and thereby minimize the risks posed by shadow IT.

At the same time, entities should put safeguards in place that can help to detect malicious actors. To be specific, they can track to make sure no one can move laterally throughout the corporate network. In addition, they can block backdoors through which bad actors could steal data, and use monitoring tools that keep an eye out for suspicious activity on the network and boost VPN security.

More from News

Abuse of Privilege Enabled Long-Term DIB Organization Hack

From November 2021 through January 2022, the Cybersecurity and Infrastructure Security Agency (CISA) responded to an advanced cyberattack on a Defense Industrial Base (DIB) organization’s enterprise network. During that time frame, advanced persistent threat (APT) adversaries used an open-source toolkit called Impacket to breach the environment and further penetrate the organization’s network. Even worse, CISA reported that multiple APT groups may have hacked into the organization’s network. Data breaches such as these are almost always the result of compromised endpoints…

Costa Rica State of Emergency Declared After Ransomware Attacks

In late April, after weeks of major ransomware attacks, Costa Rica declared a state of emergency. Newly-elected President Rodrigo Chaves took this measure, usually reserved to deal with natural disasters, to free up the government to react more decisively to the incident. The Russian-based Conti gang has claimed they launched the attack. Meanwhile, the U.S. Department of State offered a $10 million reward for information that leads to finding anyone holding a key leadership role in the Conti gang. The…

Ransomware-as-a-Service Transforms Gangs Into Businesses

Malware-as-a-Service is getting easier and easier to access, according to a recent threat report. Self-named the ‘Eternity Project’, this cyber threat group offers services from a Tor website and on their Telegram channel. They sell a wide variety of malware in an organized fashion, including stealer, clipper, worm, miner, ransomware and distributed-denial-of-service bot services. This alarms many security professionals. With Eternity, even inexperienced cyber criminals can target victims with a customized threat offering. Eternity sells malware for $90 to $490.…

UK Health System Email Accounts Hijacked to Steal Microsoft Logins

Last summer, I noticed password reset notices in my email account that I didn’t send. I quickly realized that I was the victim of an account takeover. This happens when someone illegally gains access to your account, typically through compromised credentials. I changed my email password right away and learned that my passwords to other accounts had already been changed. To make cleanup even more fun, I found out that the attackers had created new accounts using my credentials. Account…