Legitimate VPN Installer Trojanized
The trojanized Windows installer for Windscribe VPN was discovered by researchers at TrendMicro. In their report, TrendMicro states that they discovered the trojanized installer on third-party download sites. The installers on Windscribe’s official download center or from Google’s and Apple’s app stores have not been tampered with. Individuals download applications from third-party download sites because they are cheaper on such sites or even free. However, these third-party sites do not always just provide the legitimate installation file. Sometimes cybercriminals bundle the legitimate file along with malicious files into a package. These packages include the legitimate installation file’s icon, or an identical copy of it, to make the packages appear legitimate. Consequently, individuals who download such packages are unlikely to notice that there may be something wrong with them.
How the Trojanized Installer Works
Bundling malware, such as Trojans as in this case, with legitimate applications is a popular technique amongst cybercriminals to compromise devices. Trojan’s are used by cybercriminals to create backdoors onto user devices or company networks. The malicious VPN installer discovered by TrendMicro is infected with the Bladabindi remote access Trojan, also known as NJ Rat. The Bladabindi backdoor allows cybercriminals to gain access to and remotely control victims’ computers without proper authentication. When individuals run the malicious installer package, the package installs the Windscribe VPN application. However, while the legitimate application is installing, the package also runs a file in the background that in turn downloads the required malware from a website. Since the file runs in the background, the victim is not aware that this is happening. TrendMicro explains that “The bundled application drops three components to the user’s system: the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the application that serves as the runner of the malicious file (win.vbs). The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the background.”
Backdoor’s Capabilities
With the Bladabindi backdoor installed on a victim’s computer, cybercriminals can:
Collect information about the computer, such as IP address, computer name, computer location and full username Determine what antivirus products and/or operating system have been installed Take screenshots of the victim’s screen Remotely download, execute and update files Remotely execute commands, kill processes and manipulate the system registry Control the computer’s camera and microphone Log keystrokes Steal passwords stored in browsers and in other applications
Recommendations
To help prevent users from becoming victims of this malicious VPN installer, TrendMicro provides the following recommendations in their report:
Do not download applications and files from unknown third-party sources. Only download these from official download centers and application stores. Check the website’s URL to see if it contains the legitimate domain name for the application’s official website. Also check app stores’ domain names as shown in the website’s URL. Check for misspellings or “not quite right” domain names. Do not download applications and other files from unknown or suspicious email addresses as these may be phishing emails. Also do not click on links contained on such emails. Rather hover over a link first to get a preview of the link’s URL and see where it leads before clicking.