Iranian Spyware Steals People's Info Via VPN

Private cybersecurity company Bitdefender has revealed information about Iranian spyware that steals people's sensitive information through VPN software.

The Romanian firm published a report on efforts by the Iranian regime to phish information from people who use virtual private networks (VPNs) to circumvent the severe restrictions the government has put on internet access.

Iran has been filtering Internet content for more than two decades, but in the past four months, amid antigovernment protests, the government has regularly shut off access and blocked popular applications such as Instagram and WhatsApp.

While most people around the world take access to the Internet for granted, users in Iran have to try out dozens of apps and VPNs before they find a way to bypass ISP restrictions. And while some VPNs are fake or blocked, others are deliberately laced with malware, such as the 20Speed VPN. This spyware enters the victim's computer when the user installs the filter-breaking file.

Since 2020, when people started working remotely from home, businesses have faced the problem of monitoring the activity and productivity of their employees. The solution comes in the form of monitoring software. One of the companies offering such a product is SecondEye, whose capabilities include, but are not limited to, screen recording, keystroke logging and live screen viewing. The monitoring application was developed in Iran and distributed legitimately via the developer's website.

Earlier in the year, Blackpoint Cyber, a company specializing in stopping cyberthreats, identified and responded to two identical suspicious File Transfer Protocol (FTP) events connected to a server in Iran within a two-month span. This server was determined to belong to SecondEye.

Researchers at Bitdefender, as well as at Blackpoint, discovered a malware campaign that uses components and infrastructure of the SecondEye suite, a legitimate monitoring application, to spy on users of the Iran-based VPN service 20Speed. The spyware is delivered through trojanized installers of the VPN software, which install the spyware components along with the VPN product. The software, as well as another of the products, EyeSpy, has the ability to fully compromise online privacy via keylogging and the theft of sensitive information such as documents, images, crypto-wallets and passwords.

Screengrab from the main page of the 20Speed VPN, spyware disguised as a normal VPN that enters the victim's computer and steals its sensitive information

The campaign started in May 2022, but detections peaked in August and September, as Iranians were rushing to use VPNs to get past the government’s restrictions. Most of the new detections originate from Iran, with a small pool of victims in Germany and the US.

The website of 20Speed is one of the most popular sites from which Iranians purchase their VPN subscriptions, and it has been active among Iranian users for about seven years. But if its VPN is laced with malware and collects personal information, the company cannot safeguard that information from Iran's intelligence services, which can simply demand and receive access.

According to data from the US company Similarweb, which reviews and analyzes the statistics of the world's websites and provides behind-the-scenes analytics for every site online, the main website of 20Speed had about one million visits during the three months ending in December 2022, most of them from Iran. Moreover, the Android version of this VPN, which is also available in the Google Play Store, has more than 100,000 active installations.

Earlier in January, the Islamic Republic decided to act against those selling VPNs and circumvention software to the public, as a measure to further restrict access to the Internet. The Judiciary, in collaboration with the ministry of communications, will take legal action against "unauthorized sellers of the VPNs and circumvention tools," local media reported. This is a measure to clamp down on real VPNs in favor of software that the government can control.

Almost all companies that sell VPN services inside Iran are affiliated with the government or state organizations. Most of these companies have increased their fees drastically during the past three months, as Iranians have rushed to buy them to access the Internet. Many Iranians are unable to pay the higher prices for VPNs as the cost of food and other necessities has skyrocketed.

In the long run, if this trend continues, it is possible that lower-income people will gradually lose their access to the global Internet, similar to what has taken place in China and, these days, in Russia. The security of such services is another problem, as the Islamic Republic can easily acquire any data that users access via these VPNs.

Amid heightened restrictions on Internet access, Iranians’ use of VPNs rose over 3,000 percent in September, when Mahsa Amini was killed.

"Daily demand for VPN services in Iran is up over 3,000% compared to before the protests," Simon Migliano, the head of research at Top10VPN, told Axios, adding that "This is a massive spike, given that demand was already healthy before the social media shutdown."