Criminals are distributing fake VPN installers with backdoors built in

News
By published

Another reason to always download VPN clients directly from a provider's website

Someone using a VPN on a PC.
Image credit: Shutterstock (Image credit: Shutterstock)

The recent shift to remote working has led users to turn to VPN services to stay secure and protect their privacy online but new research from Trend Micro has revealed that cybercriminals are now distributing fake VPN installers with backdoors.

The firm's researchers discovered VPN installers for Windscribe being distributed online that also included backdoors which allow cybercriminals to gain access and control of computers remotely without the need for proper authentication.

It's worth noting that the installers found by Trend Micro come from fraudulent sources and are not from Windscribe's official download center or from the Google Play Store or Apple App Store. Cybercriminals have used this same technique in the past to bundle legitimate video conferencing apps with malicious files.

By using a VPN, users can secure the communication between their computers and the internet by encrypting the connection which keeps data secure and prevents spying attempts. However, as businesses and consumers alike have started using VPN services while working from home, cybercriminals have seized this opportunity to use them to distribute malware and other malicious files.

Bundling malicious files with VPN installers

Users who fall victim to this latest campaign likely get their VPN installer from malicious sources and are unaware they are downloading a bundled application instead of the legitimate installer by itself. 

According to a new report from Trend Micro, the bundled application drops three components on a user's system: the legitimate VPN installer, the malicious file (named Iscm.exe) that contains the backdoor and the application that serves as the runner of the malicious file (win.vbs).

During installation, the file Iscm.exe stealthily acts in the background by downloading its payload from a website controlled by cybercriminals. This website then redirects the user to another page to download an encrypted file named Dracula.jpg. This obfuscated file needs to be decrypted before revealing the backdoor payload.

The backdoor itself can perform a number of commands such as downloading, executing and updating files as well as taking screenshots of the user's screen. Additionally, it gathers information about a user's system including if they have any antivirus products installed, the machine name, the operating system and their username.

To prevent falling victim to this new campaign, Trend Micro recommends that users only download applications and files from official download centers and app stores, scrutinize URLs to distinguish between spoofed domains and legitimate ones, don't download apps and files from emails sent by untrusted sources and that they do not click on any links in suspicious emails.

  • Also check out our complete list of the best VPN services
Anthony Spadafora
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in VPN
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
A hand holds a smartphone displaying the NordVPN logo
NordVPN Prime hits lowest-ever price in VPN Spring sale
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address
What does your IP address reveal about you?
ExpressVPN mobile app and Aircove
ExpressVPN ‘reduces workforce’ for the second time in two years
A stethoscope next to a laptop on a pink background
How to check if your VPN is working
Teenager playing on a gaming PC with two monitors
Is using a VPN while gaming cheating? 5 myths you shouldn't believe about gaming with a VPN
Latest in News
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
A phone showing a ChatGPT app error message
ChatGPT was down for many – here's what happened
More about vpn
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background

A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
Digital hand set location on map with two pins. AI technology in GPs, innovation delivery, map location, future transport logistic, route path concept. GPs point. New office location, change address

What does your IP address reveal about you?
Hatch Restore 3 in Putty

You can finally start your day with The Office theme song, and I couldn't be more excited
See more latest
Most Popular
Hatch Restore 3 in Putty
You can finally start your day with The Office theme song, and I couldn't be more excited
Dell Pro Max with GB300
HP and Dell's latest Nvidia powered PCs are likely to be some of the most expensive workstations ever launched
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn