A compromised VPN installer is used to distribute surveillance software called EyeSpy as part of a malware campaign launched in May 2022.
It uses “SecondEye’s component (a legitimate surveillance application) to spy on users of Iran-based VPN service, 20Speed VPN, via trojanized installers,” said Bitdefender in its analysis.
The US Romanian cybersecurity firm added that SecondEye claims to be commercial surveillance software that can act as a “parental control system or online watchdog,” according to a snapshot obtained via the Internet Archive.
As of November 2021, SecondEye will retail for between $99 and $200.
Various tools that can take screenshots, record microphones, record keystrokes, collect files and save passwords from web browsers, remotely control machines and execute arbitrary commands features.
SecondEye drew attention in August 2022 when it revealed that Blackpoint Cyber used spyware engines and infrastructure to store data and payloads for use by unknown attackers. The initial access mechanism used in these incidents is currently unknown.
Bitdefender’s Director of Threat Research and Reporting, Bogdan Botezatu, said despite using the same spyware component, there was insufficient evidence to link the two campaigns to one campaign.
The latest series of attacks began when an unsuspecting user downloaded a malicious executable from the 20Speed VPN website. This suggests two plausible scenarios. Either her 20Speed VPN’s servers hosting spyware have been compromised, or spyware is a deliberate attempt to spy on you.
People may have downloaded a VPN app to circumvent internet outages in the country. Once installed, it launches a legitimate VPN service, stealthily initiates a series of malicious activities in the background to establish persistence, and downloads the next level payload from the host. collect personal data.
EyeSpy can completely compromise your online privacy by keylogging and stealing sensitive information such as documents, images, cryptocurrency wallets and passwords. Bitdefender researcher Janos Gergo Szeles said, “This can lead to complete account takeover, identity theft, and financial loss.”