EyeSpy surveillanceware uses compromised VPNs for propagation

January 25, 2023

Attackers have utilised tainted VPN installers to spread a surveillanceware called EyeSpy. Researchers noted that this recent attack is part of a malware operation that started in May last year.

Based on reports, EyeSpy surveillanceware uses the components of a legitimate monitoring tool called SecondEye to spy on users of 20Speed VPN. Currently, most recorded infections come from Iran, with smaller numbers of samples from Germany and the United States.

According to researchers, SecondEye claims to be a commercial monitoring tool that can work as an online watchdog or a parental control system. Its developers allegedly sell this software for about $99 to $200.

The software has various features that enable users to take screenshots, record audio, record keystrokes, collect files, and harvest passwords from web servers. Additionally, the tool could allow a user to control an infected device to execute arbitrary commands remotely.

The EyeSpy surveillanceware tool “SecondEye” was used by a threat actor through unknown initial access.

A separate researcher revealed that unidentified threat actors deployed the EyeSpy infrastructure and modules through an unknown initial access mechanism during an attack.

However, the researcher noted that it could not be treated as one of EyeSpy’s campaigns, since there is no evidence connecting the sets of activity to a single campaign. The attack begins when an unsuspecting user downloads a malicious executable from 20Speed VPN’s site.

The researchers are considering two scenarios: either the actors breached the vendor’s server in order to host the spyware there, or the tainted installer is a deliberate attempt to spy on users who download the application.

Once a user installs and launches the legitimate VPN service, EyeSpy will execute several malicious activities in the background to establish persistence on the device and download additional payloads to harvest data from the host.
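The behaviour described above, a trojanized installer that launches the expected application while quietly setting up persistence and reaching out for more payloads, can be triaged from endpoint telemetry. The heuristic below is an added illustration, not code from the article or from the researchers’ reports; the event shape, file paths, registry values and the 203.0.113.10 address are constructed assumptions.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry (not from the article): (event_type, pid, ppid, target, detail)
SAMPLE_EVENTS = [
    ("process", 100, 1, r"C:\Users\alice\Downloads\vpn_setup.exe", ""),
    # the installer launches the real client so the user sees the expected app...
    ("process", 101, 100, r"C:\Program Files\ExampleVPN\vpnclient.exe", ""),
    # ...while registering an unrelated binary for autostart and reaching out for more
    ("registry", 100, None,
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchelper",
     r"C:\Users\alice\AppData\Roaming\svchelper\svchelper.exe"),
    ("network", 100, None, "203.0.113.10:443", ""),
    # a benign installer: launches its app and registers that same app for autostart
    ("process", 200, 1, r"C:\Users\alice\Downloads\editor_setup.exe", ""),
    ("process", 201, 200, r"C:\Program Files\Editor\editor.exe", ""),
    ("registry", 200, None,
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Editor",
     r"C:\Program Files\Editor\editor.exe"),
]
RUN_KEY_PREFIXES = (r"HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN",
                    r"HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN")

def find_suspicious_installers(events):
    """Return installers that launch an app but autostart a binary from a different directory."""
    procs = defaultdict(lambda: {"image": None, "children": [], "run_values": [], "net": []})
    for etype, pid, ppid, target, detail in events:
        if etype == "process":
            procs[pid]["image"] = target
            if ppid is not None:
                procs[ppid]["children"].append(target)
        elif etype == "registry" and target.upper().startswith(RUN_KEY_PREFIXES):
            procs[pid]["run_values"].append(detail)  # detail = the autostart command path
        elif etype == "network":
            procs[pid]["net"].append(target)
    findings = []
    for pid, info in procs.items():
        if not (info["image"] and info["children"] and info["run_values"]):
            continue
        # persistence pointing outside the launched app's directory is the triage signal
        child_dirs = {ntpath.dirname(c).lower() for c in info["children"]}
        foreign = [v for v in info["run_values"] if ntpath.dirname(v).lower() not in child_dirs]
        if foreign:
            findings.append({"pid": pid, "installer": info["image"], "launched": info["children"],
                             "persisted": foreign, "network": info["net"]})
    return findings
```

Legitimate installers also write Run keys and contact update servers, so a hit is a triage lead to confirm against the vendor’s published installer hash, not a verdict on its own.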

Researchers warned users that EyeSpy surveillanceware can fully compromise their online privacy by logging keystrokes and stealing critical information such as images, crypto wallets, passwords, and documents. This capability could enable actors to carry out account takeover and identity theft campaigns and inflict financial loss.
