The new normal has led to a widespread shift to remote working. Users have turned to VPN services to stay secure while working from home and to protect their privacy online. New research by Trend Micro has revealed that cybercriminals are distributing fake VPN installers bundled with backdoors.
The firm's research shows that a Windscribe VPN installer is being distributed online that includes a backdoor through which cybercriminals can gain access to and take control of computers remotely, without any proper authentication.
The installers found by Trend Micro come from various fraudulent sources, not from Windscribe's official download site, the Google Play Store, or the Apple App Store. Cybercriminals have used the same technique in the past to bundle legitimate video-conferencing apps with malicious files containing trojans.
Why VPN?
A VPN lets users secure the communication between a computer and the internet. It encrypts the connection, keeping data private and protecting it from eavesdropping by attackers or cybercriminals.
However, as more businesses and consumers have started using VPN services while working from home, cybercriminals have seized the opportunity, using VPN installers as a lure to distribute malware, malicious files, and trojans.
Bundling Malicious Files with VPN Installers
Users often fall victim to enticing campaigns and end up downloading a VPN installer from a malicious source, unaware that they are downloading a bundled application instead of the legitimate installer.
According to the latest report by Trend Micro, the bundled application drops three components onto the user's system: the legitimate VPN installer, a malicious file (generally named Iscm.exe) that contains a backdoor, and a script (win.vbs) that serves as a runner for the malicious file.
During installation, Iscm.exe works silently in the background, downloading the payload from a website controlled by the cybercriminals. That website redirects to another page that serves an encrypted file named Dracula.jpg. This obfuscated file must be decrypted before it reveals the backdoor payload.
The backdoor itself can perform a number of commands, such as downloading, executing, and updating files, as well as capturing screenshots of the user's screen. It also collects information about the user's system, including whether any antivirus product is installed, the operating system, the machine name, and the username.
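The dropper, VBS runner and dropped executable described above form a process chain that endpoint telemetry can flag. The following Python sketch is an added example, not code from the Trend Micro report or from this article; the event schema and the sample events are constructed assumptions, and only the file names Iscm.exe and win.vbs come from the report.

```python
from collections import defaultdict

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed telemetry (assumption, not from the report): pid 100 is the fake
# installer writing the legitimate setup, Iscm.exe and win.vbs; wscript runs
# win.vbs, which launches Iscm.exe. pids 200/201 are a benign negative case.
SAMPLE_EVENTS = [
    {"type": "file_write", "pid": 100, "path": r"C:\Temp\windscribe_setup.exe"},
    {"type": "file_write", "pid": 100, "path": r"C:\Temp\Iscm.exe"},
    {"type": "file_write", "pid": 100, "path": r"C:\Temp\win.vbs"},
    {"type": "process", "pid": 101, "ppid": 100, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Temp\win.vbs"},
    {"type": "process", "pid": 102, "ppid": 101, "image": "Iscm.exe",
     "cmdline": r"C:\Temp\Iscm.exe"},
    {"type": "file_write", "pid": 200, "path": r"C:\build\out.exe"},
    {"type": "process", "pid": 201, "ppid": 200, "image": "cscript.exe",
     "cmdline": r"cscript.exe C:\build\deploy.vbs"},
]


def find_runner_chains(events):
    """Return (dropper_pid, script, exe) for every chain where one process
    wrote both a .vbs and an .exe, a script host ran that .vbs, and a child
    of the script host is the dropped .exe (the win.vbs -> Iscm.exe pattern)."""
    written = defaultdict(set)  # pid -> lower-case basenames it wrote
    procs = {}                  # pid -> process-creation event
    for e in events:
        if e["type"] == "file_write":
            written[e["pid"]].add(e["path"].rsplit("\\", 1)[-1].lower())
        elif e["type"] == "process":
            procs[e["pid"]] = e
    hits = []
    for host in procs.values():
        if host["image"].lower() not in SCRIPT_HOSTS:
            continue
        dropped = written[host["ppid"]]  # files the script host's parent wrote
        scripts = [n for n in sorted(dropped)
                   if n.endswith(".vbs") and n in host["cmdline"].lower()]
        exes = {n for n in dropped if n.endswith(".exe")}
        for child in procs.values():
            if child["ppid"] == host["pid"] and child["image"].lower() in exes:
                hits.extend((host["ppid"], s, child["image"].lower()) for s in scripts)
    return hits


if __name__ == "__main__":
    for dropper, script, exe in find_runner_chains(SAMPLE_EVENTS):
        print(f"suspicious runner chain: pid {dropper} dropped {script} -> {exe}")
```

The benign cscript.exe case is not flagged because the script it runs was not written by its parent and it spawns no dropped executable.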
How to Avoid a VPN Installer Backdoor?
To avoid falling into this trap, users should download applications and files only from official websites and download centers, and should scrutinize URLs to distinguish legitimate domains from spoofed ones. Also, don't download apps or files attached to emails from untrusted sources, and don't click on any links in suspicious emails.
The Bottom Line
Enterprises and individual users employ VPNs to bolster the protection of their systems. However, inadvertently downloading an installer bundled with malicious files does the exact opposite, exposing those systems to threats. Everyone should therefore remember that any application download must go through legitimate channels such as the official website, download centers, and other legitimate marketplaces.
Modern companies still rely on VPNs for their work-from-home setups. Although home is a place for relaxing, users should never let their guard down when it comes to the security of their devices. It is best to stay vigilant and take the right steps to protect your data. So, think before you download a VPN installer from an untrusted source.