Criminals are distributing fake VPN installers with backdoors built in

Someone using a VPN on a PC.
Image credit: Shutterstock (Image credit: Shutterstock)

The recent shift to remote working has led users to turn to VPN services to stay secure and protect their privacy online but new research from Trend Micro has revealed that cybercriminals are now distributing fake VPN installers with backdoors.

The firm's researchers discovered VPN installers for Windscribe being distributed online that also included backdoors which allow cybercriminals to gain access and control of computers remotely without the need for proper authentication.

It's worth noting that the installers found by Trend Micro come from fraudulent sources and are not from Windscribe's official download center or from the Google Play Store or Apple App Store. Cybercriminals have used this same technique in the past to bundle legitimate video conferencing apps with malicious files.

By using a VPN, users can secure the communication between their computers and the internet by encrypting the connection which keeps data secure and prevents spying attempts. However, as businesses and consumers alike have started using VPN services while working from home, cybercriminals have seized this opportunity to use them to distribute malware and other malicious files.

Bundling malicious files with VPN installers

Users who fall victim to this latest campaign likely get their VPN installer from malicious sources and are unaware they are downloading a bundled application instead of the legitimate installer by itself. 

According to a new report from Trend Micro, the bundled application drops three components on a user's system: the legitimate VPN installer, the malicious file (named Iscm.exe) that contains the backdoor and the application that serves as the runner of the malicious file (win.vbs).

During installation, the file Iscm.exe stealthily acts in the background by downloading its payload from a website controlled by cybercriminals. This website then redirects the user to another page to download an encrypted file named Dracula.jpg. This obfuscated file needs to be decrypted before revealing the backdoor payload.

The backdoor itself can perform a number of commands such as downloading, executing and updating files as well as taking screenshots of the user's screen. Additionally, it gathers information about a user's system including if they have any antivirus products installed, the machine name, the operating system and their username.

To prevent falling victim to this new campaign, Trend Micro recommends that users only download applications and files from official download centers and app stores, scrutinize URLs to distinguish between spoofed domains and legitimate ones, don't download apps and files from emails sent by untrusted sources and that they do not click on any links in suspicious emails.

  • Also check out our complete list of the best VPN services
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.