Virtual Private Networks (VPNs) are a popular technology that gives you online privacy and anonymity by creating a private network over a public internet connection.
VPNs mask your internet protocol (IP) address so your online actions are much harder to trace.
But like many popular technologies, cyber-criminals find ways to use them as bait for spreading threats.
Among recent cyber threats is a fraudulent VPN installer carrying a backdoor that lets cyber-criminals remotely access and control computers without any authentication.
The backdoor we are talking about in this article is detected by Trend Micro as Backdoor.MSIL.BLADABINDI.THA, while associated malicious files are detected by Trend Micro as Trojan.MSIL.BLADABINDI.THIOABA.
We want to point out that these backdoored installers are fraudulent and are NOT from Windscribe’s official download center or the Google or Apple app stores, yet they do look quite authentic.
Cyber-criminals bundle these malicious files with legitimate installers and lure users on other platforms, such as video conferencing apps.
Another way that they do this is by creating “fake” download sites and promoting them via Google Search ads.
For example, a Reddit user googled “free vpn” and found a malicious website using Google AdWords to advertise the suspicious domain.
As you can see from the screenshot below, we’ve circled this suspicious website that claims to be the world’s fastest VPN, but the website is www(.)wlndscrlde(.)com – not Windscribe.com – note that they replaced the “i” with an “l” and the “b” with a “d”:
To an untrained or hurried eye this may not look like a malicious site, but the download will give the attackers access to your system.
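As an added illustration (not part of the original post), here is a defender-side check that flags look-alike domains of the kind shown above: it refangs the domain, folds visually confusable characters to a canonical form and falls back to edit distance for near misses. The brand list and every substitution beyond the two swaps named in the text are assumptions.

```python
# Brand domains to protect; constructed list for this example.
LEGIT_DOMAINS = {"windscribe.com"}

# Visually confusable substitutions, mapped to a canonical character.
# The sample above swapped "i" for "l" and "b" for "d"; the other pairs are
# common look-alikes added here as assumptions. Multi-char pairs go first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("l", "i"), ("1", "i"), ("d", "b"),
               ("0", "o"), ("5", "s"), ("3", "e")]


def registrable(domain: str) -> str:
    """Refang 'www(.)host(.)com', lowercase it and keep the last two labels."""
    host = domain.lower().replace("(.)", ".").replace("[.]", ".").strip(".")
    labels = [part for part in host.split(".") if part]
    return ".".join(labels[-2:])


def canonical(label: str) -> str:
    """Collapse confusable characters so look-alike labels compare equal."""
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typos that canonicalisation misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain: str, legit=LEGIT_DOMAINS, max_dist: int = 2) -> str:
    """Return 'legit', 'lookalike:<brand>' or 'unrelated' for a domain."""
    target = registrable(domain)
    if target in legit:
        return "legit"
    name = target.rsplit(".", 1)[0]          # drop the TLD, compare the name
    for brand in legit:
        bname = brand.rsplit(".", 1)[0]
        if canonical(name) == canonical(bname):
            return f"lookalike:{brand}"      # homoglyph swap, e.g. wlndscrlde
        if levenshtein(name, bname) <= max_dist:
            return f"lookalike:{brand}"      # near miss, e.g. a dropped letter
    return "unrelated"


if __name__ == "__main__":
    for d in ("www(.)wlndscrlde(.)com", "windscribe.com", "example.com"):
        print(d, "->", classify(d))
```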
If you were to download a file from a malicious source like the one above, the bundled application drops three components onto the user’s system:
- The legitimate VPN installer
- The malicious file which is named lscm.exe and contains the backdoor
- The win.vbs script that runs the malicious file
The user will see an installation window on their screen, which masks the malicious activity actually occurring in the background.
Once the backdoor infiltrates the system, it can perform commands like downloading, executing, and updating files, as well as taking screenshots of the user’s screen.
The malware also gathers information such as the machine’s name, operating system, username, and installed antivirus products.
Although VPNs are used to increase a system’s security, accidentally downloading an installer bundled with these malicious files will do the exact opposite.
With more and more organizations having employees work remotely, there has been an increase in these types of attacks.
Organizations should be proactive about teaching employees to look for threats and files that may be infected.
For more information on how exactly this malicious software works, read the full report here on trendmicro.com.