Infected VPN installers are being abused to spread EyeSpy as part of a malware campaign. The campaign started in May 2022 and is targeting 20Speed VPN users through trojanized installers.
Iranian VPN users on the target
According to Bitdefender, most of the EyeSpy infections originated in Iran, with few detections in the U.S. and Germany. The recent attack chain starts when a user downloads a malicious executable from 20Speed VPN's website.
- There are two possible scenarios: either its servers were breached to host the spyware or it's an attempt to spy on users who might download VPN apps to avoid internet blackouts in the country.
- Once installed, the VPN service stealthily starts illegal activities in the background to enable persistence.
- Further, the spyware download next-stage payloads for getting personal data from the host.
More on EyeSpy
Security experts revealed that EyeSpy was developed using components of SecondEye.
- It has the ability to fully compromise the privacy of a user via keylogging and stealing information from documents, images, crypto wallets, and more.
- Its infection can lead to identity theft, complete account takeovers, and financial loss.
SecondEye’s background
SecondEye is a commercial monitoring software that works as a parental control system or online watchdog.
- It comes with a wide range of features such as taking screenshots, logging keystrokes, recording microphones, gathering files, saving passwords from browsers, and remotely controlling systems.
- SecondEye was previously spotted in August 2022 when its spyware modules and infrastructure were used for data and payload storage.
Closing thoughts
EyeSpy malware hides behind the popular VPN service and also abuses the components of the genuine monitoring tool SecondEye. Experts recommend genuine VPN solutions downloaded via official websites.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/5c1b_shutterstock_1439959244.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/0f6c_shutterstock_2005363490.jpeg)
