Cybercriminals Distribute Backdoor Trojans Bundled With VPN Installers
Security researchers are warning Windows users about malicious activity that bundles a backdoor Trojan with the installer of a legitimate VPN app.
VPNs (virtual private networks) are a useful technology used by most users, as they allow users to stay anonymous and maintain their online privacy. Given the continuing expansion of cybercrime that abuses legitimate applications to drop malware payloads, this comes as no surprise.
Researchers at Trend Micro described in a blog post a new tactic in which cybercriminals abuse a legitimate VPN application by bundling it with a backdoor Trojan.
The Trojan is detected as Backdoor.MSIL.BLADABINDI.THA and Trojan.MSIL.BLADABINDI.THIOABO.
Distribution tactics
According to the analysis, the Trojanized installers are distributed via fraudulent sources such as compromised sites, fake download links, redirect pop-up sites asking users to install the VPN, and so on.
The legitimate VPN being abused is Windscribe. It is worth noting that the original service is in no way associated with the crime. Users should always install it from Windscribe’s official download center or from the Google Play Store and Apple App Store.

VPN-Windscribe Bundle carrying Backdoor Trojan
Thus, users downloading bundled apps from malicious sources do not realize that they are instead downloading a backdoor Trojan.
The Malicious Installer of BLADABINDI
The bundled installer of the VPN application mainly drops three components onto the target system:
- The legitimate version of the Windscribe’s VPN installer,
- A malicious file (named lscm.exe) containing the backdoor threat, and
- An application that acts as an executor for the malicious file (win.vbs).
According to Trend Micro:
The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the background.
Without the user’s knowledge, the file lscm.exe stealthily acts in the background by downloading its payload from a website. This website then redirects the user to another page to download an encrypted file named Dracula.jpg.
Next, the encryption layer of Dracula.jpg is decrypted, revealing the payloads of the backdoor Trojan.
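The drop pattern described above can be turned into a quick triage sweep. The following is an added example, not code from Trend Micro or from the original article: it flags the reported file names lscm.exe and win.vbs and any .jpg file that does not begin with the JPEG magic bytes. Assumptions: the encrypted Dracula.jpg carries no valid JPEG header, file names alone are only a weak indicator, and the sample tree is constructed from harmless placeholder bytes.

```python
import os
import tempfile

# File names reported in the article; trivial to rename, so hits are leads only.
DROPPED_NAMES = {"lscm.exe", "win.vbs"}
JPEG_MAGIC = b"\xff\xd8\xff"  # start-of-image marker of a well-formed JPEG

def triage(root):
    """Walk root and return sorted (finding, path) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        lower = {name.lower(): name for name in files}
        hits = DROPPED_NAMES.intersection(lower)
        # Dropper and its VBS launcher side by side is the stronger signal.
        kind = "dropper-pair" if hits == DROPPED_NAMES else "dropped-name"
        findings += [(kind, os.path.join(dirpath, lower[h])) for h in hits]
        for low, real in lower.items():
            if not low.endswith((".jpg", ".jpeg")):
                continue
            path = os.path.join(dirpath, real)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(JPEG_MAGIC))
            except OSError:
                continue  # unreadable file: skip instead of aborting the sweep
            if head != JPEG_MAGIC:  # assumption: encrypted blob has no JPEG header
                findings.append(("fake-jpeg", path))
    return sorted(findings)

def build_sample(root):
    """Constructed sample tree with harmless placeholder bytes (no malware)."""
    layout = {
        "Temp/bundle/lscm.exe": b"placeholder",
        "Temp/bundle/win.vbs": b"' placeholder",
        "Temp/bundle/Dracula.jpg": b"\x8f\x1c\x03\xa7 constructed non-image bytes",
        "Pictures/holiday.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00",
        "Scripts/win.vbs": b"' unrelated script that shares the name",
    }
    for rel, data in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_sample(demo)
        for kind, path in triage(demo):
            print(f"{kind:13} {path}")
```

To sweep a real location, call triage() on a directory such as the user's temp or download folder; any hit still needs confirmation with an anti-malware scan.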
The Capabilities of BLADABINDI Backdoor Trojan
Once successfully installed on the system, the threat can perform a number of malicious actions on the Windows OS.
The basic function of a backdoor Trojan is to allow hackers/cybercriminals to remotely control the system and execute illicit actions:
- Download, update and execute various malicious files;
- Execute commands from the remote hackers;
- Steal sensitive data, for example by recording keystrokes;
- Take screenshots;
- Gather various information, such as installed AV applications, machine name, OS version, username, and passwords.
Bottom Line:
However, this is not a new tactic: malicious actors masquerade as legitimate software and applications to drop the payloads of the threat. People install freeware from third-party sources instead of the official websites, to skip the burden of registering or for other reasons, without knowing the actual risk they carry.
Most of the time, these bundles contain additional programs like adware, browser hijackers, or even threats like the BLADABINDI backdoor.
Thus, it is advised to use official pages/legitimate sources to download the trial version of the software.
To skip the installation of additional components, use the “custom” or “advanced” installation procedure.
If you have recently installed the above-mentioned VPN app bundle, you should quickly scan your system with a reputable anti-malware tool (HitmanPro) to detect and remove the malicious files and their traces.