Spyware has been discovered stealing data from Iranian users via a trojanized VPN installer, antivirus vendor Bitdefender has revealed.
The company’s joint research with cybersecurity firm Blackpoint revealed that components of the Iranian-made EyeSpy malware were being injected “by trojanized VPN software installers (also developed in Iran)”.
Most of the targets were inside Iran; only a few victims were in Germany and the United States.
This is of particular concern in a country like Iran, where using one of the best VPN services has increasingly become a necessity, whether to circumvent strict online censorship or to stay anonymous and avoid dangerous government surveillance. Most likely it is a mix of both.
At the same time, a harsh crackdown on Iranian VPN services could drive people to unsecured third-party provider sites, which makes such a spyware campaign even more dangerous for the privacy and security of Iranians.
Anti-dissident software?
“In light of recent events, it is possible that the targets are Iranians who want to access the internet through a VPN to circumvent the country’s digital lockdown. Such malicious installers could plant spyware on people who pose a threat to the regime,” Bitdefender reports.
Developed by Iranian company SecondEye, EyeSpy is sold as legitimate surveillance software that lets companies monitor the activities of employees working remotely.
The attackers have been observed repurposing components of that legitimate application to infect users who download installers for the Iranian VPN service 20Speed, and then to spy on their activities.
Once installed on a device, the malware can spy on virtually every activity and collect a large amount of sensitive data, including stored passwords, crypto wallet data, documents and images, clipboard contents, and keystroke logs.
“Malware components are scripts that steal sensitive system information and upload it to an FTP server owned by SecondEye,” Bitdefender explained.
“This can lead to complete account takeovers, identity theft, and financial loss. Additionally, by recording key presses, attackers can obtain messages typed by the victim on social media or e-mail, and this information can be used to blackmail victims.”
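The behaviour Bitdefender describes above, an installer that drops scripts which read local credential and wallet data and push it to an FTP server, is the kind of chain an endpoint detection can correlate. The script below is an added example, not Bitdefender's, Blackpoint's or SecondEye's code, and it contains no EyeSpy indicators: the telemetry lines are constructed, and the installer name `vpn_setup.exe`, the file paths and the FTP address are placeholders chosen for illustration. It flags a script host (wscript, PowerShell and the like) that has an installer in its process ancestry, reads a credential or wallet store, and opens an outbound FTP connection, while leaving a browser that reads its own password database alone.

```python
"""Correlate process, file and network telemetry to spot an installer-dropped
script that harvests local data and uploads it over FTP.

Added example, not code from Bitdefender, Blackpoint or SecondEye. All
events below are constructed; image names, paths and addresses are assumed."""
import re
from collections import defaultdict

# Constructed sample telemetry (assumption: one dict per event, pid/ppid known).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "event": "process_start", "image": "explorer.exe"},
    # hypothetical trojanized installer name, not a real indicator
    {"pid": 200, "ppid": 100, "event": "process_start", "image": "vpn_setup.exe"},
    {"pid": 300, "ppid": 200, "event": "process_start", "image": "wscript.exe"},
    {"pid": 300, "ppid": 200, "event": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 300, "ppid": 200, "event": "net_connect", "dst": "203.0.113.10", "port": 21},
    # benign: the browser itself reads its own password store, no FTP, no installer parent
    {"pid": 400, "ppid": 100, "event": "process_start", "image": "chrome.exe"},
    {"pid": 400, "ppid": 100, "event": "file_read",
     "path": r"C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 400, "ppid": 100, "event": "net_connect", "dst": "198.51.100.5", "port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
INSTALLER_RE = re.compile(r"(setup|install)", re.IGNORECASE)
# credential stores, wallets and cookies; extend per environment
SENSITIVE_PATH_RE = re.compile(r"(Login Data|wallet|\.kdbx|Cookies)", re.IGNORECASE)
FTP_PORTS = {21}
MAX_ANCESTRY = 32  # guard against malformed parent chains


def correlate(events):
    """Return findings: script hosts spawned (directly or indirectly) by an
    installer that read sensitive files and connected to an FTP port."""
    image, parent = {}, {}
    reads, ftp = defaultdict(list), defaultdict(list)
    for e in events:
        if e["event"] == "process_start":
            image[e["pid"]] = e["image"]
            parent[e["pid"]] = e["ppid"]
        elif e["event"] == "file_read" and SENSITIVE_PATH_RE.search(e["path"]):
            reads[e["pid"]].append(e["path"])
        elif e["event"] == "net_connect" and e["port"] in FTP_PORTS:
            ftp[e["pid"]].append(e["dst"])

    findings = []
    for pid, img in image.items():
        if img.lower() not in SCRIPT_HOSTS:
            continue
        # Walk up the ancestry so an installer -> cmd -> wscript chain is still caught.
        chain, anc = [], parent.get(pid)
        while anc in image and len(chain) < MAX_ANCESTRY:
            chain.append(image[anc])
            anc = parent.get(anc)
        if any(INSTALLER_RE.search(a) for a in chain) and reads[pid] and ftp[pid]:
            findings.append({"pid": pid, "image": img, "ancestry": chain,
                             "files": reads[pid], "ftp_hosts": ftp[pid]})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"pid {f['pid']} {f['image']} via {' <- '.join(f['ancestry'])}: "
              f"read {len(f['files'])} sensitive file(s), FTP to {f['ftp_hosts']}")
```

Requiring all three signals together keeps the rule quiet on legitimate installers and on browsers reading their own stores; the trade-off is that exfiltration over a protocol other than FTP, or by a process that is not a script host, would need a second rule.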
The campaign appears to have been active since May 2022, with an increasing number of attacks following the wave of anti-government protests that began in September.
VPN downloads in Iran skyrocketed as a result, with demand up more than 3,000% by the end of that month.
VPNs are widely used by Iranian citizens to access restricted apps like Instagram and WhatsApp. But, as the government imposes increasingly harsh penalties on dissidents, up to and including the death penalty, additional security software is also needed to protect sensitive data.
As more and more Iranians install a virtual private network on their devices, the authorities continue to restrict access to reliable VPN services.
Many providers are currently blocked in Iran, which means third-party VPN installers are becoming increasingly popular. According to Iran International, 20Speed VPN is one of the most popular sites Iranians go to buy their VPN subscriptions, and its Android VPN app has more than 100,000 active installations.
To combat such malware campaigns, Bitdefender experts recommend “using well-known VPN solutions downloaded from legitimate sources. Additionally, a security solution, such as Bitdefender, can protect against information thieves.”