A malware campaign targeting users of the 20Speed VPN service has come to light, using trojanized VPN installers to deploy a surveillance program tracked as EyeSpy. The operation, flagged by Bitdefender, has reportedly been active since May 2022.

The malware reuses components of SecondEye, a legitimate monitoring application, to compromise users’ privacy. According to Bitdefender’s analysis, the spyware primarily affects users of 20Speed VPN, which is based in Iran, with infections also observed in countries such as Germany and the United States.

SecondEye is promoted as commercial monitoring software capable of functioning as either a “parental control system or an online watchdog.” According to records archived by the Internet Archive, it was available for purchase at prices ranging from $99 to $200 as of November 2021.

This spyware is equipped with a variety of functionalities, enabling it to capture screenshots, record audio, log keystrokes, extract files and saved credentials from web browsers, and exert remote control over infected machines to execute arbitrary commands.

In August 2022, SecondEye was linked to nefarious activities when Blackpoint Cyber reported its exploitation by unidentified threat actors for data and malware payload storage, although the precise method of initial access remains unclear.

Bitdefender’s Bogdan Botezatu remarked to The Hacker News that while there are similarities in the spyware components, a direct connection between the two activities has not been established, leaving the extent and methods of the campaign still under investigation.

The attack chain begins when a user unknowingly downloads a malicious executable from the 20Speed VPN website. This points to two possible scenarios: either the provider’s servers were compromised to serve the spyware, or the campaign deliberately targets users seeking VPN software to bypass internet restrictions in Iran.

When the installer runs, the genuine VPN client starts as expected while, in the background, a series of malicious actions establishes persistence and downloads additional payloads that harvest sensitive personal information from the affected system.

“EyeSpy poses a significant threat to online privacy, capable of logging keystrokes and exfiltrating highly sensitive information such as documents, images, cryptocurrency wallets, and passwords,” said Janos Gergo Szeles, a researcher at Bitdefender. Such breaches can result in account takeovers, identity theft, and substantial financial repercussions.
