Bitdefender discovered a malware campaign that uses components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers. Here is what Janos Gergo SZELES and Bogdan BOTEZATU, members of Bitdefender’s team, share about their discovery:

Context

During a routine analysis of detection performance, we noticed a batch of processes that respected the same pattern in the process names. These names begin with sys, win or lib followed by a word that describes the functionality, such as bus, crt, temp, cache, init, and end in 32.exe. We later noticed that the .bat files and the downloaded payloads respect the same naming convention. Further investigation revealed the components are part of a monitoring application called SecondEye, developed in Iran and distributed legitimately via the developer’s website. We also found that some spyware components were already described in an article published by Blackpoint. In the article, researchers drew attention to the dangers of legally distributed monitoring software with malicious behavior.

Our own researchers, as well as Blackpoint’s, found the campaigns used components of the SecondEye suite and their infrastructure. However, these components were not delivered through a legitimate SecondEye installer but rather through Trojanized installers of VPN software (also developed in Iran) that dropped the spyware components along with the VPN product.

Attack at a glance

  • Bitdefender has discovered a malware campaign that uses components of SecondEye – a legitimate monitoring application – to spy on users of 20Speed VPN, an Iranian-based VPN service, via trojanized installers.
  • EyeSpy has the ability to fully compromise online privacy via keylogging and stealing of sensitive information, such as documents, images, crypto-wallets, and passwords.
  • The campaign started in May 2022, but detections peaked in August and September. Most of these detections originate from Iran, with a small pool of victims in Germany and the US.

Indicators of Compromise

An up-to-date, complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users. Currently known indicators of compromise can be found in a whitepaper which can be downloaded at the end of this article.

___

If this information is helpful to you read our blog for more interesting and useful content, tips, and guidelines on similar topics. Contact the team of COMPUTER 2000 Bulgaria now if you have a specific question. Our specialists will be assisting you with your query. 

Content curated by the team of COMPUTER 2000 on the basis of news in reputable media and marketing materials provided by our partners, companies, and other vendors.

Follow us to learn more

CONTACT US

Let’s walk through the journey of digital transformation together.

By clicking on the SEND button you agree to the processing of personal data. In accordance with our Privacy Policy

3 + 13 =