Spyware Found Stealing Data From Iranian Users Through Infected VPN Installer

Spyware has been discovered stealing data from Iranian users via an infected VPN installer, antivirus vendor Bitdefender has revealed.

The company's joint investigation with cybersecurity firm Blackpoint found that components of the Iranian-made EyeSpy malware were injected "by trojanized VPN software installers (also developed in Iran)."

Most of the targets were within the country's borders, with only a few victims in Germany and the USA.

This is especially alarming in a country like Iran, where using one of the best VPN services has gradually become a necessity, either to get around its rigorous online censorship or to maintain anonymity and evade dangerous government surveillance. Most likely it is a mix of the two.

At the same time, a harsh crackdown on Iranian VPN services could lead people to unsafe third-party reseller sites. This makes such a spyware campaign even more dangerous for the privacy and security of Iranians.

Anti-dissident software?

"In light of recent events, the targets are likely to be Iranians who wish to access the Internet through a VPN to bypass the country's digital lockdown. Such malicious installers could plant spyware on people who pose a threat to the regime," Bitdefender noted.

Developed by the Iranian company SecondEye, EyeSpy is legitimate surveillance software sold to companies as a way to monitor the activities of employees working remotely.

Attackers have been observed using legitimate application components in a malicious way to infect users who download the Iranian VPN service 20Speed and spy on their activities.

Once injected into a device, the malware can spy on almost all activity and harvest large amounts of sensitive data. This includes saved access keys, crypto wallet data, documents and images, clipboard contents, and keystroke logs.

"The malware components are scripts that steal proprietary information from the system and upload it to an FTP server owned by SecondEye," Bitdefender explained.

"This can lead to entire account takeovers, identity theft and financial losses. On top of this, by logging keystrokes, attackers can get messages written by the victim on social media or email, and this information can be used to coerce victims."

The campaign appears to have been active since May XNUMX, with a growing number of attacks following the wave of anti-government protests that began in September.

As a result, VPN downloads in Iran skyrocketed, reaching an increase of more than XNUMX% by the end of the month.

A VPN is widely used by Iranian citizens to access limited applications like Instagram and WhatsApp. But, as the government gradually imposes more severe penalties for dissidents, including the death penalty, additional security software is also needed to safeguard sensitive data.

As more and more Iranians download a virtual private network onto their devices, the authorities do little to crack down on unreliable VPN services.

Currently, many vendors are blocked in Iran, which means that third-party VPN installers are becoming more and more popular. According to Iran International, 20Speed VPN is actually one of the most popular sites Iranians visit to purchase their VPN subscriptions. Its VPN app for Android has more than one hundred active installations.

To combat these kinds of malware campaigns, Bitdefender specialists advise "using well-known VPN solutions downloaded from legitimate sources. In addition to this, a security solution, such as Bitdefender, can guard against information thieves."