Fake VPN Sites Distributing Various Malware Strains
Threat Actors (TAs) commonly employ fake phishing websites as their preferred method for distributing malware, because it is easy to lure victims into clicking links contained in phishing emails or SMS messages. TAs often use brand impersonation in their phishing campaigns to deceive users effectively, creating an illusion of trustworthiness and legitimacy to trick unsuspecting individuals.
Cyble Research and Intelligence Labs (CRIL) previously reported the discovery of numerous phishing sites targeting various applications, including Games, VPNs, Remote Desktop Applications (RDP), Video conferencing applications, Online converter tools, and more. In the latest campaign, TAs are focusing on targeting users of VPN applications. VPN, which stands for Virtual Private Network, is a technology that enables users to establish a secure and private network connection over a public network like the Internet. When users connect to a VPN, their data is encrypted, guaranteeing its confidentiality and safeguarding it from potential eavesdropping or surveillance.
Recently, CRIL discovered the existence of numerous counterfeit LetsVPN websites while conducting a routine threat-hunting exercise. These fraudulent sites share a common user interface and are deliberately designed to distribute malware, masquerading as the genuine LetsVPN application.
LetsVPN is a VPN application developed by LetsGo Network that aims to enhance your internet experience by providing high-speed connectivity while ensuring user’s device security. LetsVPN offers a range of useful features, including peer-to-peer functionality, support for multiple protocols, the ability to browse in different languages, a kill switch for added security, policy management options, and more.
The phishing website closely resembles the legitimate LetsVPN website in both design and appearance, as depicted in the figure below.
The figure below shows the "Whois" information of the phishing domain, indicating that the domain was registered recently and has been actively used to target LetsVPN users.
Multiple phishing sites mimicking the legitimate LetsVPN website have been identified. These fraudulent sites are designed to deceive victims by appearing genuine and enticing them to download malware payloads.
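The two signals the post relies on, a registrable label that imitates the LetsVPN brand and a very recent registration date, can be turned into a simple triage check for candidate domains. This is an added example, not tooling from the original post or from Cyble; the brand token, allow-list, similarity and age thresholds, and the sample domains with their registration dates are all constructed assumptions (reserved `.example` names, not real IOCs).

```python
"""Triage candidate domains for LetsVPN brand impersonation (added illustration)."""
from datetime import date
from difflib import SequenceMatcher

BRAND = "letsvpn"
LEGITIMATE = {"letsvpn.example"}   # assumed allow-list of the genuine host(s)
MAX_AGE_DAYS = 90                  # assumed threshold for "recently registered"
SIMILARITY_THRESHOLD = 0.8         # assumed: how close a label must be to the brand
TODAY = "2023-06-15"               # constructed reference date for the sample run


def registrable_label(domain: str) -> str:
    """Second-level label of a host name, e.g. 'letsvpn-dl' for 'www.letsvpn-dl.example'."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def brand_similarity(domain: str) -> float:
    """Best similarity between the brand token and any hyphen-separated token of the label."""
    label = registrable_label(domain)
    if BRAND in label:               # brand embedded verbatim, e.g. 'letsvpn-download'
        return 1.0
    tokens = [t for t in label.replace("_", "-").split("-") if t]
    return max(SequenceMatcher(None, BRAND, t).ratio() for t in tokens)


def triage(domain: str, registered: str, today: str = TODAY) -> dict:
    """Flag a non-allow-listed lookalike that was registered within MAX_AGE_DAYS."""
    sim = brand_similarity(domain)
    age = (date.fromisoformat(today) - date.fromisoformat(registered)).days
    lookalike = domain.lower() not in LEGITIMATE and sim >= SIMILARITY_THRESHOLD
    return {"domain": domain, "similarity": round(sim, 2), "age_days": age,
            "suspicious": lookalike and age <= MAX_AGE_DAYS}


# Constructed sample (domain, registration date); none of these are real indicators.
SAMPLE = [
    ("letsvpn.example", "2018-03-01"),          # genuine site, old registration
    ("letsvpn-download.example", "2023-05-20"), # brand embedded, registered weeks ago
    ("letvpn.example", "2023-06-02"),           # one-character typosquat, fresh
    ("example.org", "2010-01-01"),              # unrelated, old
]


def run_sample() -> list[str]:
    """Return the sample domains the triage flags as suspicious."""
    return [r["domain"] for r in (triage(d, reg) for d, reg in SAMPLE) if r["suspicious"]]


if __name__ == "__main__":
    for d, reg in SAMPLE:
        print(triage(d, reg))
```

Similarity alone is not proof of abuse, so the age check and the allow-list keep the genuine site and old unrelated domains out of the alert queue.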
The fake LetsVPN sites which are currently in use include:
These deceptive sites serve as a platform to distribute the BlackMoon banking trojan as a payload. The malware is disguised as a legitimate VPN application and can be obtained through the following URLs:
BlackMoon, also known as KRBanker, is a banking trojan that focuses on stealing sensitive information associated with online banking and financial transactions. Initially discovered in early 2014, BlackMoon has evolved over time, adopting multiple infection methods and techniques for capturing credentials. Its primary targets are individuals and organizations that utilize online banking services.
To infect a victim’s computer or device, the BlackMoon TAs employ various methods, including malicious email attachments, exploit kits, or compromised websites. Once successfully installed, the trojan operates discreetly in the background, concealing its presence from the user.
BlackMoon malware has various capabilities enabling it to carry out malicious activities. These may include:
- Keylogging: The malware captures keystrokes that the victim enters, including usernames, passwords, and other sensitive information. This captured data is then transmitted to a Command-and-Control (C&C) server controlled by the TAs.
- Web Injection: BlackMoon can modify the content displayed by a victim’s web browser, allowing it to manipulate webpages related to online banking. This enables the TAs to gain additional information, such as security codes or transaction details.
- Remote Access: The trojan provides remote access to the TA, allowing them to control the infected system, exfiltrate data, or perform other malicious activities.
- Account Hijacking: BlackMoon may attempt to take control of the victim’s online banking account, allowing the TA to initiate fraudulent transactions or gain unauthorized access to sensitive financial information.
Currently, there are additional active counterfeit LetsVPN sites in existence, which include:
The three fraudulent websites mentioned above are associated with distributing the Farfli Backdoor malware. The payload is downloaded onto the user’s machine through the utilization of the following URLs:
Backdoor.Farfli is a well-known malware family with multiple capabilities that allow TAs to perform various malicious actions. These include downloading and executing additional malicious files, logging users' keystrokes, and shutting down or terminating compromised systems, among others.
The Backdoor.Farfli malware possesses a range of capabilities that facilitate its malicious operations. These capabilities include:
- Establishes an unauthorized access point on a compromised computer.
- Grants remote access control of the computer to the threat actor.
- Downloads additional malicious files from a C&C server.
- Records keystrokes made by its victims.
- Collects confidential data and sensitive information from a victim’s machine and exfiltrates it.
- Maintains consistent communication with a C&C server to facilitate data transfer, malware updates, and the reception of malicious commands.
Payload: KingSoft (PUA)
Another counterfeit LetsVPN site utilized by the TAs is mentioned below:
This specific website is involved in the distribution of the Potentially Unwanted Application (PUA) called KingSoft. The PUA is disguised and made available through the following URL:
Kingsoft PUA denotes potentially unwanted applications that are classified as such based on specific behavior or features that users may find undesirable or intrusive. These applications, including browser toolbars, adware, and similar software, may exhibit behavior that has the potential to compromise user privacy or security. The behavior of these PUAs can vary depending on the specific application or software involved.
However, some common behaviors exhibited by Kingsoft PUA include:
- Excessive or intrusive advertisements, such as pop-ups, banners, or online ads, are displayed.
- Unauthorized modifications to web browsers, such as changes to the homepage, search engine, or installation of browser extensions.
- Collection of user data, including browsing habits, search queries, and personal information, without consent.
- Inclusion of unwanted software during installation as part of a bundle with other software.
VPN applications have gained popularity among users worldwide due to the enhanced control they offer over online privacy, security, and content access. However, the widespread usage of VPNs has also drawn the attention of TAs, who exploit this by impersonating legitimate VPN sites and distributing different types of malware. Our research uncovered instances where TAs cleverly impersonated the LetsVPN website, disseminating various malware strains. To safeguard themselves, users must exercise caution when encountering such phishing sites and verify the source before downloading any application.
CRIL continuously monitors phishing campaigns and malicious attacks, whether they are in progress or emerging. Our commitment is to regularly provide our readers with the latest findings and analysis regarding these threats.
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Avoid downloading pirated software from warez/torrent websites. The "Hack Tools" advertised on sites such as YouTube, torrent sites, etc., frequently carry such malware.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Update and upgrade your computer, mobile, and other connected devices.
- Refrain from opening untrusted links and email attachments without first verifying their authenticity.
- Educate employees on protecting themselves from threats like phishing/untrusted URLs.
- Block URLs that could be used to spread the malware, e.g., Torrent/Warez.
- Monitor for beaconing at the network level to detect and block data exfiltration by malware or TAs.
- Enable Data Loss Prevention (DLP) Solutions on the employees’ systems.
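The beaconing recommendation above, and the Farfli behaviour of keeping constant contact with its C&C server, can be checked with a small interval-regularity test over connection logs. This is an added example rather than code from the original post; the log format, the minimum sample count, the jitter threshold and the log lines themselves are constructed assumptions.

```python
"""Flag (src, dst) pairs whose connection timing is suspiciously regular (added illustration)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_CONNECTIONS = 6      # assumed: fewer samples are not enough to judge regularity
MAX_JITTER_RATIO = 0.15  # assumed: stdev/mean of the gaps at or below this is "regular"


def parse_line(line: str) -> tuple[datetime, str, str]:
    """Parse the constructed format 'ISO-timestamp src_ip dst_host'."""
    ts, src, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_beacons(lines: list[str]) -> dict[tuple[str, str], float]:
    """Return regularly-connecting (src, dst) pairs mapped to their mean gap in seconds."""
    by_pair: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for line in lines:
        if line.strip():
            ts, src, dst = parse_line(line)
            by_pair[(src, dst)].append(ts)
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Low relative jitter means a timer is driving the traffic, not a person.
        if avg > 0 and pstdev(gaps) / avg <= MAX_JITTER_RATIO:
            beacons[pair] = round(avg, 1)
    return beacons


# Constructed sample: 10.0.0.5 checks in about every 60 s; 10.0.0.7 browses irregularly.
SAMPLE_LOG = """
2023-06-15T10:00:00 10.0.0.5 c2.example
2023-06-15T10:01:01 10.0.0.5 c2.example
2023-06-15T10:01:59 10.0.0.5 c2.example
2023-06-15T10:03:02 10.0.0.5 c2.example
2023-06-15T10:04:00 10.0.0.5 c2.example
2023-06-15T10:04:58 10.0.0.5 c2.example
2023-06-15T10:06:01 10.0.0.5 c2.example
2023-06-15T10:00:10 10.0.0.7 www.example.org
2023-06-15T10:03:42 10.0.0.7 www.example.org
2023-06-15T10:04:05 10.0.0.7 www.example.org
2023-06-15T10:12:50 10.0.0.7 www.example.org
2023-06-15T10:13:01 10.0.0.7 www.example.org
2023-06-15T10:20:30 10.0.0.7 www.example.org
""".strip().splitlines()

if __name__ == "__main__":
    print(find_beacons(SAMPLE_LOG))
```

Real implants add jitter to defeat exactly this test, so the threshold is a starting point to tune against your own baseline rather than a fixed rule.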
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
|---|---|---|
| Execution | T1059 | Command and Scripting Interpreter |
| Privilege Escalation | T1055 | Process Injection |
| Defense Evasion | T1027 | Obfuscated Files or Information |
| Defense Evasion | T1562.001 | Disable or Modify Tools |
| Discovery | T1082 | System Information Discovery |
| Discovery | T1083 | File and Directory Discovery |
| Discovery | T1518.001 | Security Software Discovery |
| Collection | T1185 | Browser Session Hijacking |
Indicators of Compromise (IOCs)