Iranian spyware steals information from people via VPN

Private cybersecurity company Bitdefender has published details of Iranian spyware that steals sensitive information from people through VPN software.

The Romanian company's report describes attempts, which the article attributes to the Iranian regime, to spy on people who use virtual private networks, or VPNs, to circumvent strict government restrictions on internet access.

Iran has been filtering internet content for more than two decades, but for the past four months, amid anti-government protests, the government has regularly shut down access and blocked popular apps like Instagram and WhatsApp.

While most people around the world take internet access for granted, users in Iran have to try dozens of apps and VPNs before finding a way to bypass ISP restrictions. Some of those VPNs are fake or blocked, and others are deliberately laced with malware, such as the 20Speed VPN. In that case the spyware is installed on the victim's computer at the same time as the filter-breaking VPN client.

Since 2020, when people started working from home, monitoring employees' activity and productivity has become a concern for companies, and the answer has come in the form of monitoring software. One of the companies offering such a product is SecondEye, whose features include screen recording, keystroke logging and live screen viewing, among others. The surveillance application was developed in Iran and is distributed lawfully through the developer's website.

Earlier this year, Blackpoint Cyber, which specializes in stopping cyber threats, identified and responded to two identical suspicious File Transfer Protocol (FTP) events, two months apart, involving a server in Iran. That server was identified as belonging to SecondEye.

Researchers from Bitdefender and Blackpoint uncovered a malware campaign that uses components and infrastructure of the SecondEye suite, a legitimate monitoring application, to spy on users of the Iran-based VPN service 20Speed. The spyware was delivered through trojanized installers for the VPN service, which installed the SecondEye components alongside the VPN product. The software, referred to as EyeSpy, can completely compromise online privacy through keylogging and theft of sensitive data such as documents, images, crypto wallets and passwords.
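The two reports above come down to one detection opportunity a defender can act on: a process that arrived with a VPN installer opening an outbound FTP session to an unexpected server and pushing a large amount of data, repeatedly. The following is an added example, not Bitdefender's or Blackpoint's code and not tied to any real SecondEye indicator. It assumes a simple one-line-per-connection log format (timestamp, host, process, destination IP, destination port, bytes sent) standing in for whatever EDR or firewall export is actually available; the log lines, process names, addresses, allowlist and thresholds are all constructed.

```python
"""Flag outbound FTP sessions that look like data exfiltration.

Added example (not code from the reports discussed in the article). The log
format, sample lines, allowlist and thresholds below are assumptions.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# FTP control channel and implicit FTPS. SecondEye's exfiltration was seen as
# FTP events; the ports here are the standard ones, not indicators from the report.
FTP_PORTS = {21, 990}

# Transfers smaller than this are treated as noise (assumed threshold).
MIN_BYTES_OUT = 50_000

# Destinations the organisation legitimately pushes files to (assumed).
ALLOWED_FTP_DESTS = [ip_network("10.0.0.0/8")]

# Constructed sample log: one line per connection.
# Fields: timestamp host process dest_ip dest_port bytes_out
SAMPLE_LOG = """\
# installer download, HTTPS, benign
2022-08-03T09:12:41Z ws-17 vpn_setup.exe 203.0.113.25 443 2100
# internal FTP to an allowlisted server, benign
2022-08-03T09:13:02Z ws-17 backup.exe 10.20.1.5 21 120000
# bundled "updater" pushing data to an external FTP server
2022-08-03T09:15:10Z ws-17 updater.exe 198.51.100.9 21 734210
# the same host/process/destination again weeks later
2022-09-21T17:40:07Z ws-17 updater.exe 198.51.100.9 21 811004
# large HTTPS upload, not FTP, ignored by this rule
2022-09-21T17:41:00Z ws-04 chrome.exe 203.0.113.80 443 51000
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    host: str
    process: str
    dest: str
    port: int
    bytes_out: int


def parse_log(text: str) -> list[Conn]:
    """Parse the assumed whitespace-separated log format, skipping comments."""
    conns: list[Conn] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, process, dest, port, bytes_out = line.split()
        conns.append(Conn(ts, host, process, dest, int(port), int(bytes_out)))
    return conns


def is_allowed_dest(dest: str) -> bool:
    """True if the destination falls inside an allowlisted network."""
    addr = ip_address(dest)
    return any(addr in net for net in ALLOWED_FTP_DESTS)


def find_ftp_exfil(conns: list[Conn]) -> list[Conn]:
    """Return connections that are FTP, to a non-allowlisted host, and large."""
    return [
        c for c in conns
        if c.port in FTP_PORTS
        and not is_allowed_dest(c.dest)
        and c.bytes_out >= MIN_BYTES_OUT
    ]


def repeat_counts(alerts: list[Conn]) -> Counter:
    """Count how often the same host/process/destination triple recurs.

    Repetition of an identical event is what made the original FTP events
    stand out; a count above 1 is the signal worth escalating.
    """
    return Counter((a.host, a.process, a.dest) for a in alerts)


if __name__ == "__main__":
    alerts = find_ftp_exfil(parse_log(SAMPLE_LOG))
    for a in alerts:
        print(f"{a.ts} {a.host} {a.process} -> {a.dest}:{a.port} {a.bytes_out} bytes")
    for (host, process, dest), n in repeat_counts(alerts).items():
        if n > 1:
            print(f"repeated {n}x: {host} {process} -> {dest}")
```

The rule is deliberately narrow: a real deployment would add the process's signing status and install path (a component dropped by a VPN installer rarely lives where a legitimate monitoring agent does) and would raise the threshold or widen the allowlist to fit the environment, but the structure, port filter plus allowlist plus volume plus recurrence, is what turns two isolated FTP events into a finding.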

Screenshot of the main page of 20Speed VPN, a spyware-laced product disguised as a regular VPN that enters the victim's computer and steals their confidential information

The campaign began in May 2022, but detections peaked in August and September when Iranians rushed to use VPNs to bypass government restrictions. Most of the new discoveries come from Iran, with a small pool of victims in Germany and the US.

The 20Speed website is one of the most popular sites from which Iranians buy VPN subscriptions, and it has been active among Iranian users for about seven years. But if its VPN is riddled with malware and collects personal information, the company cannot protect that information from the Iranian intelligence agencies, which can easily demand and obtain access to it.

According to data from the US company Similarweb, which analyzes traffic statistics for websites worldwide, 20Speed's main website had about a million visits in the three months ending December 2022, most of them from Iran. In addition, the Android version of this VPN, which is also available on the Google Play Store, has more than 100,000 active installs.

In early January, the Islamic Republic decided to crack down on those selling VPNs and bypass software to the public, in order to further restrict access to the internet. The judiciary, in cooperation with the Ministry of Communications, will take legal action against "unauthorized sellers of VPNs and bypass tools," local media reported. The measure targets independent VPNs rather than software that the government can control.

Almost all companies selling VPN services in Iran are affiliated with the government or governmental organizations. Most of these companies have drastically increased their fees over the past three months, as Iranians have rushed to buy them to access the internet. Many Iranians are unable to afford the higher VPN prices as the cost of groceries and other necessities have skyrocketed.

In the long term, if this trend continues, it is possible that people with lower incomes will gradually lose their access to the global internet, similar to what has happened in China and currently in Russia. The security of such services is another issue as the Islamic Republic can easily retrieve any data that the users access via VPNs.

Amid tightened restrictions on internet access, Iranians’ use of VPNs rose by over 3,000 percent in September when Mahsa Amini was killed.

“Daily demand for VPN services in Iran has increased by over 3,000% compared to before the protests,” Simon Migliano, head of research at Top10VPN, told Axios, adding, “This is a massive increase considering that demand was already healthy before the social media shutdown.”