As with any popular technology, Virtual Private Networks (VPNs) are also used by cybercriminals as bait for spreading threats. In this entry, we share how threat actors are bundling Windscribe VPN installers with backdoors. Backdoors allow cybercriminals to gain access and control of computers remotely without the need for proper authentication. The specific backdoor here is detected by Trend Micro as Backdoor.MSIL.BLADABINDI.THA, while the associated malicious files are detected by Trend Micro as Trojan.MSIL.BLADABINDI.THIOABO.
It is important to point out that the installers examined in this report come from fraudulent sources and are not from Windscribe’s official download center or app stores for Google and Apple. Notably, cybercriminals have previously used the technique of bundling legitimate installers with malicious files for luring users on other platforms such as video conferencing apps.
The use of a VPN secures the communication between a user’s computer and the internet by encrypting the connection, thus keeping data secure from spying attempts. VPNs have always been useful but are now relied on more than ever as many companies remain in work-from-home (WFH), away from the presumably more secure office network environment.
Analyzing the malicious files bundled with the installer
To begin with, a user likely gets the file from malicious sources, not knowing that they are downloading a bundled application instead of the legitimate installer alone. The bundled application drops three components to the user’s system: the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the application that serves as the runner of the malicious file (win.vbs).
The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the background.
Without the user’s knowledge, the file lscm.exe stealthily acts in the background by downloading its payload from a website. This website then redirects the user to another page to download an encrypted file named Dracula.jpg.
This file, which is obfuscated, has a decryption routine for the first layer stating that all “DTA” should be replaced by “14” and then that the file should be string-reversed. Afterward, it also states that the hex value should be converted to a string. The value will then become an encoded base64 file.
Decrypting Dracula.jpg’s layers of encryption reveals the backdoor payload.
The backdoor can also perform some commands like downloading, executing, and updating files, as well as taking screenshots of the user’s screen.
Besides these, the malware gathers the following information:
- Antivirus products
- Machine name
- Operating system
Enterprises and individual users alike employ VPNs to bolster their system’s protection. However, inadvertently downloading an installer bundled with malicious files does the exact opposite of this as it exposes systems to threats. Therefore, everyone should be reminded that the download of any application must only be coursed through legitimate avenues such as the app’s official download centers and other legitimate app marketplaces.
Today, many companies still use VPNs for their WFH setups. Although the home is a place for relaxation, users should never let their guard down when it comes to the security of their devices. Rather, it is best for users to stay vigilant in taking steps to protect their data.
As prevention is better than cure, the best method to avoid malicious files is to be careful not to download them from their sources. For this, the following measures are recommended:
- Download applications and files only from official download centers and app stores. When in doubt about the download source, it is best to consult with the IT team of one’s company.
- Scrutinize URLs to distinguish between spoofed domains of download centers (or app stores) and the legitimate ones. Keep in mind that misspelled domain names are red flags.
- Never download apps and other files from emails sent by untrusted sources.
- Do not select any links from suspicious emails. Instead, hover over a link to get a preview of the URL where the embedded link is supposed to lead to.
Lastly, we recommend Trend Micro™ WiFi Protection, which ensures secure internet connection both at home and in public places. It also filters and blocks malicious websites, online fraud, and internet scams.
Indicators of Compromise
Trend Micro Pattern Detection