
A compromised VPN installer is being used to deliver a piece of surveillance software dubbed EyeSpy as part of a malware campaign launched in May 2022.
In its analysis, Bitdefender states that the campaign “uses a component of the legitimate surveillance application SecondEye to spy on users of 20Speed VPN, an Iran-based VPN service, via a trojanized installer.”
The majority of infections are said to have originated in Iran, with fewer detections in Germany and the United States, the Romanian cybersecurity firm added.
According to snapshots captured by the Internet Archive, SecondEye claims to be commercial surveillance software that acts as a “parental control system or online watchdog.” As of November 2021, it retailed for between $99 and $200.
It has a wide range of functions: it can take screenshots, record microphone audio, log keystrokes, collect files and saved passwords from web browsers, and remotely control machines to execute arbitrary commands.
SecondEye came to prominence in August 2022, when Blackpoint Cyber revealed threat actors’ use of its spyware modules and infrastructure for data and payload storage.

The latest attack chain begins when an unsuspecting user downloads a malicious executable from 20Speed VPN’s website. This suggests two plausible scenarios: the servers may have been compromised to host the spyware, or this may be a deliberate attempt to spy on individuals who download VPN apps to bypass the internet blackout in the country.
Once installed, the legitimate VPN service is started while a series of malicious activities is covertly started in the background: persistence is established, and the next-stage payload is downloaded to collect personal data from the host.
Bitdefender researcher Janos Gergo Szeles said, “EyeSpy has the ability to completely compromise your online privacy through keylogging and theft of sensitive information such as documents, images, cryptocurrency wallets and passwords. It can lead to complete account takeover, identity theft, and financial loss.”