
Beware!! Fake VPN Site Pushes CryptBot and Vidar Info-Stealing Trojans




A cyberthreat actor has created a web site that promotes a fake VPN program that installs the Vidar and CryptBot password-stealing trojans. These trojans will then attempt to steal saved browser credentials and other information from a victim's computer.


While investigating a different malware infection, BleepingComputer stumbled upon a website promoting a VPN program called 'Inter VPN' that claims to be the "fastest VPN". It then shows an image of the VPN client, which is actually an image of the legitimate VPN Pro software.

Fake Inter VPN Web Site


After analyzing the downloaded program, it was discovered that this attacker repackaged the VPN Pro application inside a trojan that uses an AutoHotKey script to download other malware.

When launched, an AutoHotKey script is executed that sends a variety of information about the machine to iplogger.org and then downloads the Vidar and CryptBot executables from bitbucket.org, depending on which campaign is currently being distributed from the site.

Autohotkey Script to download other files


Once the trojans are downloaded, they are executed and begin collecting information from the computer that is then uploaded to the attacker. This information includes saved browser credentials, cookies, screenshots of the desktop, text files, cryptocurrency wallets, and much more.
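The behaviour described in the two paragraphs above (an installer that launches an AutoHotKey interpreter, which beacons to iplogger.org, fetches executables from bitbucket.org and runs them) is a process-tree-plus-network pattern that endpoint telemetry can catch. The following is an added detection example and is not code from the original article or from BleepingComputer. It runs over constructed Sysmon-style events embedded inline; the file paths, process IDs and the exact event field names are assumptions made for illustration, not indicators taken from the campaign.

```python
"""Added example (not from the article): correlate process-create and
network-connect events to flag an AutoHotKey interpreter that contacts the
two hosts named in the write-up and then spawns a fresh executable."""
from collections import defaultdict

# Constructed sample telemetry, loosely modelled on Sysmon EventID 1
# (process create) and EventID 3 (network connect). Paths/PIDs are invented.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1,
     "image": "C:\\Users\\u\\Downloads\\InterVPN_setup.exe"},
    {"type": "process", "pid": 101, "ppid": 100,
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\AutoHotkey.exe",
     "cmdline": "AutoHotkey.exe loader.ahk"},
    {"type": "network", "pid": 101, "dest_host": "iplogger.org", "dest_port": 443},
    {"type": "network", "pid": 101, "dest_host": "bitbucket.org", "dest_port": 443},
    {"type": "process", "pid": 102, "ppid": 101,
     "image": "C:\\Users\\u\\AppData\\Local\\Temp\\x1.exe"},
    # The legitimate VPN Pro install that keeps the victim distracted.
    {"type": "process", "pid": 103, "ppid": 100,
     "image": "C:\\Program Files\\VPN Pro\\vpnpro.exe"},
    # Benign noise: a developer's browser talking to bitbucket.org must not fire.
    {"type": "process", "pid": 200, "ppid": 1, "image": "C:\\Windows\\explorer.exe"},
    {"type": "network", "pid": 200, "dest_host": "bitbucket.org", "dest_port": 443},
]

# Hosts the article reports the dropper using. bitbucket.org alone is far too
# noisy to alert on, so it is only scored in combination with the other signals.
SUSPICIOUS_HOSTS = {"iplogger.org", "bitbucket.org"}


def find_ahk_droppers(events):
    """Return one hit per AutoHotKey process that (a) connected to at least one
    of SUSPICIOUS_HOSTS and (b) spawned a child executable afterwards."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    conns = defaultdict(set)
    for e in events:
        if e["type"] == "network":
            conns[e["pid"]].add(e["dest_host"].lower())

    hits = []
    for pid, p in procs.items():
        if not p["image"].lower().endswith("autohotkey.exe"):
            continue
        hosts = conns.get(pid, set()) & SUSPICIOUS_HOSTS
        dropped = sorted(c["image"] for c in procs.values()
                         if c["ppid"] == pid and c["image"].lower().endswith(".exe"))
        if hosts and dropped:
            hits.append({
                "pid": pid,
                "parent": procs.get(p["ppid"], {}).get("image", "<unknown>"),
                "hosts": sorted(hosts),
                "dropped": dropped,
            })
    return hits


if __name__ == "__main__":
    for hit in find_ahk_droppers(EVENTS):
        print(f"AutoHotKey dropper pid={hit['pid']} parent={hit['parent']}")
        print(f"  contacted: {', '.join(hit['hosts'])}")
        print(f"  spawned:   {', '.join(hit['dropped'])}")
```

The rule deliberately requires both the network contact and a spawned child: an AutoHotKey interpreter talking to bitbucket.org by itself is a weak signal, and the combination with a parent that is a freshly downloaded installer is what makes it worth an analyst's time. On real telemetry the same correlation would be keyed on process GUIDs rather than PIDs, since PIDs are reused.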

CryptBot traffic


Vidar Traffic


During this process the trojan also installs the real VPN Pro software onto the computer. Because the data theft happens in the background while the victim is testing a working VPN client, nothing appears to be wrong.

Legitimate VPN Pro software


To protect themselves, users should make sure the site they are visiting is the legitimate URL for the service or application it advertises; a page that reuses a real product's screenshots, as this one does, is no guarantee of legitimacy. Furthermore, if such a site offers any downloads, they should be scanned using VirusTotal before being executed, bearing in mind that a clean result for a freshly repackaged installer means only that no engine has flagged it yet.
