Spyware has been discovered stealing user data from Iran via a compromised VPN installer, antivirus vendor Bitdefender has revealed.
A joint company investigation with cybersecurity firm Blackpoint found that components of the Iranian EyeSpy malware were injected “via trojanized installers of VPN software (also developed in Iran)”.
Most of the targets were within the country, with only a few victims in Germany and the USA.
This is especially worrying in a country like Iran, where using one of the best VPN services is increasingly a necessity, whether to bypass strict internet censorship or to stay anonymous and avoid dangerous government surveillance, and most likely both.
At the same time, a harsh crackdown on Iranian VPN services could push people to insecure third-party sites. This makes such a spyware campaign even more dangerous to the privacy and security of Iranians.
“In light of recent events, it is possible that the target is Iranians who want to access the internet via VPN to bypass the country’s digital lockdown. Such malicious installers can install spyware on people who pose a threat to the regime,” the Bitdefender report notes.
Developed by Iranian company SecondEye, EyeSpy is legitimate surveillance software marketed to companies as a way to monitor the activities of employees working remotely.
The attackers were observed using components of a legitimate application in a malicious way to infect users who downloaded the Iranian 20Speed VPN service and to spy on their activities.
Once installed on a device, the malware can spy on virtually any activity and collect large amounts of sensitive data. This includes stored passwords, cryptocurrency wallet data, documents and images, clipboard contents, and keystroke logs.
“Malware components are scripts that steal sensitive information from the system and upload it to a SecondEye-owned FTP server,” Bitdefender explained.
“This can lead to complete account takeover, identity theft and financial loss. Furthermore, by logging keystrokes, attackers can obtain messages that the victim types on social media or emails, and this information can be used to blackmail victims.”
The campaign appears to have been active since May 2022, with the number of attacks increasing after a wave of anti-government protests that began in September.
Following this event, VPN downloads in Iran skyrocketed, peaking at an increase of over 3,000% by the end of the month.
VPNs are widely used by Iranian citizens to access restricted apps such as Instagram and WhatsApp. However, as the government increasingly imposes harsh sentences on dissidents, up to and including the death penalty, additional security software is also necessary to protect sensitive data.
As more and more Iranians install a virtual private network on their devices, the authorities are cracking down hard on reliable VPN services.
Many providers are currently blocked in Iran, which means third-party VPN installers are on the rise. According to Iran International, 20Speed VPN is one of the most popular websites where Iranians buy VPN subscriptions, and its Android VPN app has over 100,000 active installations.
To combat such malware campaigns, Bitdefender experts recommend “using well-known VPN solutions downloaded from legitimate sources. In addition, a security solution like Bitdefender can protect against information theft.”