This VPN is being abused to spread malware


Cybersecurity researchers from SentinelLabs have recently spotted a hacking campaign in which legitimate certificates used by a VPN service were abused to hide malware in plain sight.

The researchers attributed the campaign to Bronze Starlight, a Chinese state-sponsored APT, which targeted companies in the gambling industry in Southeast Asia.

As per their report, the group was distributing two .NET executables - agentupdate_plugins.exe and AdventureQuest.exe, most likely through trojanized chat apps. The goal of the campaign, according to the researchers, is to deliver a Cobalt Strike beacon. 



Hiding in plain sight

Cobalt Strike is a commercial penetration testing tool, used by both security professionals and cybercriminals. Legitimate use cases include testing the security of networks and systems. 

The code-signing certificate for the .NET executables was the same one that’s used by the installer for Ivacy VPN, a popular virtual private network solution.

By using a legitimate certificate, the attackers can bypass cybersecurity solutions installed on the target endpoint, and also make sure that any inbound and outbound traffic generated by the malware remains hidden. 

The researchers also discovered that the two .NET executables were designed not to work in certain countries, including the United States, Germany, France, Russia, India, Canada, and the UK, most likely to further evade detection. But the geofencing feature wasn’t implemented properly, they added.

"It is likely that at some point the PMG PTE LTD signing key has been stolen – a familiar technique of known Chinese threat actors to enable malware signing," SentinelLabs said. "VPN providers are critical targets since they enable threat actors to potentially gain access to sensitive user data and communications."

Ivacy VPN is currently silent on the matter, so it’s difficult to determine exactly how the hackers obtained the certificates. The certificates have since been invalidated for breaching “baseline requirements” set up by DigiCert.
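For defenders, the takeaway is that a valid signature from a known publisher is not enough on its own to trust a file. The following triage sketch is an added example, not code from SentinelLabs or this article: it checks each signed file against the products its publisher is expected to ship, and against revocation status. The telemetry lines, the per-publisher allowlist and the installer file name are constructed placeholders.

```python
import ntpath

# Assumption: hypothetical per-publisher allowlist of file names the signer
# normally ships. The installer name is a placeholder; the page does not give it.
EXPECTED_FILES = {"PMG PTE LTD": {"ivacy_installer_placeholder.exe"}}

# Constructed endpoint telemetry (path|signer|certificate status), not real data.
SAMPLE = """\
C:\\Users\\a\\Downloads\\ivacy_installer_placeholder.exe|PMG PTE LTD|valid
C:\\Users\\a\\AppData\\Roaming\\chat\\agentupdate_plugins.exe|PMG PTE LTD|valid
C:\\Users\\a\\AppData\\Roaming\\chat\\AdventureQuest.exe|PMG PTE LTD|revoked
C:\\Tools\\helper.exe||unsigned
"""

def parse(lines):
    """Turn pipe-delimited telemetry lines into record dicts."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        path, signer, status = line.split("|")
        yield {"path": path, "signer": signer, "status": status}

def triage(rec):
    """Return a verdict that does not rely on 'signed by a known vendor' alone."""
    name = ntpath.basename(rec["path"]).lower()
    if rec["status"] == "unsigned" or not rec["signer"]:
        return "review: unsigned"
    if rec["status"] == "revoked":
        return "block: certificate revoked"
    expected = EXPECTED_FILES.get(rec["signer"])
    # A valid signature on a file the publisher does not ship is the case a
    # stolen signing key produces before the certificate is revoked.
    if expected is not None and name not in expected:
        return "investigate: signer does not match product"
    # Publishers without a profile fall through; extend the allowlist as needed.
    return "allow"

def run(sample=SAMPLE):
    """Map each file name in the sample to its verdict."""
    return {ntpath.basename(r["path"]): triage(r) for r in parse(sample)}

if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{verdict:45} {name}")
```

The second sample record shows the window before revocation: the certificate still validates, so only the signer-to-product mismatch flags the file.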

Via: BleepingComputer


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
