Antivirus provider Bitdefender has revealed that it has detected spyware that steals Iranian users’ data via an infected VPN installer.
The company’s joint research with cybersecurity firm Blackpoint found that components of the Iranian-made EyeSpy malware are injected “through VPN Trojan installers (also developed in Iran)”.
The majority of the targets were within the country’s borders, and only a few victims were found in Germany and the United States.
This is particularly worrisome in a country like Iran, where using a trustworthy VPN service is becoming an increasing necessity, whether to bypass strict internet censorship or to stay anonymous and avoid dangerous government surveillance; most likely, a combination of the two.
At the same time, a crackdown on Iranian VPN services may push people towards unsafe third-party vendor websites. This makes this spyware campaign even more dangerous to Iranians’ privacy and security.
Anti-spyware for opponents?
The Bitdefender report pointed out: “In light of recent events, it is likely that those targeted are Iranians who want to access the internet via a VPN to bypass the country’s digital lockdown. Such malicious installers can plant spyware on people who pose a threat to the system.”
Developed by Iranian company SecondEye, EyeSpy is legitimate monitoring software sold to companies as a way to monitor the activities of employees working remotely.
Researchers observed the attackers repurposing these legitimate application components, bundling them into installers for the Iran-based 20Speed VPN service so that users who download it are infected and their activities spied on.
Once installed on the device, the malware can spy on virtually every activity and collect large amounts of sensitive data: stored passwords, encrypted wallet data, documents, images, clipboard contents, and keystroke logs.
“The malware components are scripts that steal sensitive information from the system and upload it to an FTP server belonging to SecondEye,” Bitdefender explained.
“This can lead to full account takeovers, identity theft, and financial loss. Furthermore, by logging keystrokes, attackers can obtain messages written by the victim on social media or email, and this information can be used to extort victims.”
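The behaviour Bitdefender describes (scripts dropped by an installer that collect data and push it to an FTP server) is something a defender can look for in endpoint telemetry without any file hashes. The following is an added example, not code from Bitdefender's report, SecondEye or 20Speed VPN: it scans constructed Sysmon-style Event ID 3 (network connection) records and flags outbound connections to the FTP control port from script hosts, from binaries running out of download or temp directories, and from any process not on an allowlist of real FTP clients. The allowlists, staging-directory patterns and sample events are assumptions for illustration and would need tuning for a real fleet.

```python
"""Behavioural detection for installer-dropped stealers that exfiltrate over FTP.

Added example: this is not code from Bitdefender's report, SecondEye or 20Speed VPN.
The Sysmon-style Event ID 3 (network connection) records below are constructed
for illustration; the allowlists are assumptions to be tuned per environment.
"""
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Processes expected to open FTP control channels (port 21). Assumption: adjust per fleet.
KNOWN_FTP_CLIENTS = {"filezilla.exe", "winscp.exe", "ftp.exe"}

# Script hosts: the article describes the stealer components as scripts, so an FTP
# connection initiated by one of these is the strongest signal this rule looks for.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}

# Path fragments a freshly run installer typically executes from (assumed patterns).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")


@dataclass
class Alert:
    time: str
    image: str
    destination: str
    severity: str
    reason: str


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: dict) -> Optional[Alert]:
    """Return an Alert if this connection record looks like FTP exfiltration, else None."""
    # Only outbound TCP connections to the FTP control port are of interest.
    if not event.get("Initiated", False) or event.get("Protocol", "").lower() != "tcp":
        return None
    try:
        port = int(event.get("DestinationPort", 0))
    except (TypeError, ValueError):
        return None
    if port != 21:
        return None

    image_path = event.get("Image", "")
    image = _basename(image_path)
    if image in KNOWN_FTP_CLIENTS:
        return None  # a real FTP client talking FTP is expected behaviour

    time = event.get("UtcTime", "")
    destination = f"{event.get('DestinationIp', '?')}:{port}"
    if image in SCRIPT_HOSTS:
        return Alert(time, image, destination, "high", "script host opened an FTP control channel")
    if any(d in image_path.lower() for d in STAGING_DIRS):
        return Alert(time, image, destination, "high", "binary in a download/temp directory opened FTP")
    return Alert(time, image, destination, "medium", "unlisted process opened an FTP control channel")


def scan(lines: Iterable[str]) -> List[Alert]:
    """Run evaluate() over JSON-lines records, skipping blank or malformed lines."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample telemetry (TEST-NET-3 addresses, not real infrastructure).
SAMPLE_EVENTS = [
    r'{"UtcTime": "2023-01-10 09:01:02", "Image": "C:\\Program Files\\FileZilla\\filezilla.exe", "Protocol": "tcp", "Initiated": true, "DestinationIp": "203.0.113.10", "DestinationPort": 21}',
    r'{"UtcTime": "2023-01-10 09:02:15", "Image": "C:\\Windows\\System32\\wscript.exe", "Protocol": "tcp", "Initiated": true, "DestinationIp": "203.0.113.20", "DestinationPort": 21}',
    r'{"UtcTime": "2023-01-10 09:02:40", "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "Protocol": "tcp", "Initiated": true, "DestinationIp": "203.0.113.5", "DestinationPort": 443}',
    r'{"UtcTime": "2023-01-10 09:03:01", "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\vpn_setup\\updater.exe", "Protocol": "tcp", "Initiated": true, "DestinationIp": "203.0.113.30", "DestinationPort": 21}',
    r'{"UtcTime": "2023-01-10 09:03:30", "Image": "C:\\Windows\\System32\\svchost.exe", "Protocol": "tcp", "Initiated": false, "DestinationIp": "203.0.113.7", "DestinationPort": 21}',
    "this line is not json and is skipped",
    r'{"UtcTime": "2023-01-10 09:04:12", "Image": "C:\\Program Files\\Foo\\sync.exe", "Protocol": "tcp", "Initiated": true, "DestinationIp": "203.0.113.40", "DestinationPort": 21}',
]

if __name__ == "__main__":
    for a in scan(SAMPLE_EVENTS):
        print(f"{a.time} [{a.severity}] {a.image} -> {a.destination}: {a.reason}")
```

Running the block over the constructed events produces three alerts (the script host and the temp-directory binary at high, the unlisted program at medium); the FTP client, the HTTPS connection and the inbound connection are ignored. Because FTP carries credentials and payloads in cleartext, the same connections are also visible to network sensors, so a port 21 egress rule at the perimeter is a natural companion to this host-side logic.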
The campaign appears to have been active since May 2022, with the number of attacks increasing in the wake of the wave of anti-government protests that began in September.
VPN downloads in Iran soared after that, rising by more than 3,000% by the end of the month.
VPNs are largely used by Iranian citizens to access blocked applications such as Instagram and WhatsApp. But as the government increasingly hands dissidents harsh sentences, up to and including the death penalty, additional security software is also necessary to protect sensitive data.
While more and more Iranians are downloading a VPN to their devices, the authorities are cracking down hard on reliable VPN services as a result.
Many providers are currently blocked in Iran, which means that third-party VPN installers are increasingly popular. According to Iran International, 20Speed VPN is in fact one of the most popular websites Iranians turn to to purchase VPN subscriptions, and its Android VPN app has more than 100,000 active installations.
To combat malware campaigns, Bitdefender experts recommend “using known VPN solutions that are downloaded from legitimate sources. A security solution, such as Bitdefender, can also protect against information stealers.”
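Downloading from a legitimate source is only half of that advice; the other half is checking that what arrived is what the vendor built before running it. The following is an added example, not code from Bitdefender or any VPN vendor: it parses a sha256sum-style checksum list and verifies an installer against it with a constant-time comparison, reporting whether the file matches, was tampered with, or is not listed at all. The installer bytes and the checksum list are constructed for illustration. The caveat a practitioner should keep in mind, and the reason this check is not a complete answer to the campaign described above, is that a hash proves only that the file is the one the publisher released: it says nothing about whether the publisher's own build is clean, and a hash served by the same site as a trojanized download proves nothing at all. The checksum, or better a signature, has to come from a channel independent of the download.

```python
"""Verify a downloaded installer against a vendor-published SHA-256 list before running it.

Added example, not code from Bitdefender, SecondEye or 20Speed VPN. The installer
bytes and the checksum list below are constructed for illustration. A matching
hash shows the file is the publisher's release, not that the release is clean.
"""
import hashlib
import hmac
from typing import Dict


def parse_sha256sums(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines ("<hex>  <filename>") into {filename: hex}."""
    sums: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            continue  # ignore malformed entries rather than trusting them
        digest, name = parts
        sums[name.lstrip("*")] = digest.lower()  # sha256sum marks binary mode with '*'
    return sums


def verify_installer(data: bytes, filename: str, sums_text: str) -> str:
    """Return 'ok', 'mismatch' or 'unlisted' for the given installer bytes."""
    expected = parse_sha256sums(sums_text).get(filename)
    if expected is None:
        return "unlisted"  # no published digest: refuse to treat the file as verified
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison; cheap here, but the right habit for any digest check.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


# Constructed data: a "genuine" build and a tampered copy of the same installer.
GENUINE_INSTALLER = b"constructed genuine installer bytes v1.0"
TAMPERED_INSTALLER = GENUINE_INSTALLER + b"\x00trojan-stub"

# Constructed checksum list, standing in for one a vendor would publish out of band
# (here the digest is computed in-block; in practice it must come from the vendor).
PUBLISHED_SUMS = (
    "# SHA256SUMS (constructed)\n"
    f"{hashlib.sha256(GENUINE_INSTALLER).hexdigest()}  vpn-setup.exe\n"
    "not-a-valid-line\n"
)

if __name__ == "__main__":
    print(verify_installer(GENUINE_INSTALLER, "vpn-setup.exe", PUBLISHED_SUMS))   # ok
    print(verify_installer(TAMPERED_INSTALLER, "vpn-setup.exe", PUBLISHED_SUMS))  # mismatch
    print(verify_installer(GENUINE_INSTALLER, "other.exe", PUBLISHED_SUMS))       # unlisted
```

On Windows the same idea is served by checking the installer's Authenticode signature against the expected publisher; on Linux or macOS, by verifying a detached GPG signature over the checksum file. Either way, "unlisted" and "mismatch" should both block execution, not just warn.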