The more dangerous browsing the Internet becomes, the more tools to address cyber threats emerge in the market. Virtual private network (VPN) service usage, for instance, gained ubiquity due to the ever-increasing number of data privacy intrusions. So what happens when you download a supposed VPN software installer but end up with a malware infection instead?
Trend Micro’s in-depth OpcJacker investigation may tell you. The malware comes in the guise of a VPN software installer. When installed, it logs user keystrokes, takes screenshots, steals sensitive browser data, loads additional malicious modules, and replaces cryptocurrency wallet IDs for hijacking purposes.
Security researchers Jaromir Horejsi and Joseph C. Chen identified 33 OpcJacker indicators of compromise (IoCs)—30 domains and three IP addresses, namely:
The WhoisXML API research team expanded the list of IoCs to determine other potential fake VPN threat vectors. Our closer look at the DNS uncovered:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our in-depth study with a bulk WHOIS lookup for the 30 domains identified as IoCs. Twenty-six of the domains’ registrars were publicly visible. They were spread across three registrars—15 with PDR Ltd., 10 with NiceNIC International Group Co. Limited, and one with Key-Systems GmbH.
All 30 domains were newly registered, specifically just this February. They were also registered in a single country—Russia.
A bulk IP geolocation lookup for the three IP addresses, meanwhile, showed they were geolocated in three distinct countries—Moldova, the U.S., and the Netherlands. Two of them were managed by MivoCloud SRL, while the remaining one was under BL Networks.
To find all other potentially connected artifacts, we subjected the domains identified as IoCs to DNS lookups. That led to the discovery of seven additional IP addresses spread across five countries. Three were geolocated in the U.S. and one each in Germany, the Netherlands, Russia, and the U.K.
The IP addresses were distributed among six ISPs led by DARL-TELECOM, which accounted for two of the hosts. The remaining five IP addresses were managed by Hosting Technology Ltd., TimeWeb Ltd., BL Networks GB, Hostinger US, and Hetzner Online GmbH.
Next, reverse IP lookups for the 10 IP addresses—three identified as IoCs and seven additional hosts—allowed us to uncover 441 domains, 10 of which turned out to be malicious.
Screenshot lookups for the malicious pages showed that five remained accessible. What was, however, more interesting was that they had the same content, a supposed VPN software download page.
Due to the threat actors’ use of fake VPN software, we also scoured the DNS for domains that contained the string vpn, which could be utilized maliciously for attacks similar to the OpcJacker campaign. Domains & Subdomains Discovery gave us 10,000 domain names, 12 of which turned out to be malicious. Specifically, nine of them were malware hosts while the remaining three were involved in spamming.
A majority of the malicious domains (10 to be exact) were unreachable as of this writing. The other two remained accessible but led to warning pages.
Next, we obtained a list of VPN service providers from this page. A bulk WHOIS lookup for their official domains showed that only 10 had publicly viewable registrant organizations. Comparing them with the registrant organizations of the vpn-containing domains revealed that only one—vpn[.]ac—could be publicly attributed to the legitimate VPN service providers on our list. It is, in fact, Romania-based VPN service provider VPN.ac’s official site address. The remaining 9,999 string-connected domains could serve as hosts to fake VPN software installer pages.
Our IoC list expansion analysis led to the discovery of 10 fake VPN download pages that could be part of the OpcJacker infrastructure since they shared some of the IoCs’ IP hosts. It also uncovered 12 other domains that contained the string vpn, which may have already figured in similar malicious campaigns.
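The expansion steps above (refanging the published IoCs, resolving them, pivoting on shared IP hosts, and searching for vpn-containing names) can be scripted so the overlap is reviewable rather than just counted. The following is an added example, not WhoisXML API's or Trend Micro's code; the resolution data is a constructed stand-in for DNS and reverse-IP lookup results, the two IoC domains and two IoC IPs are taken from the write-up, and the other domains (.example TLD, RFC 5737 addresses) are invented.

```python
import re

# Defanging styles seen in IoC write-ups: example[.]com, example(.)com, 1[.]2[.]3[.]4
_DEFANG = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)

def refang(ioc: str) -> str:
    """Normalise a defanged indicator to the form a DNS/WHOIS client needs."""
    return _DEFANG.sub(".", ioc.strip().lower())

def defang(ioc: str) -> str:
    """Defang again before a result goes into a report."""
    return ioc.replace(".", "[.]")

# Constructed sample data standing in for DNS and reverse-IP lookup results
# (domain -> IPs). Two IoC domains and two IoC IPs come from the write-up; the
# .example domains and 203.0.113.x addresses are invented for the demo.
IOC_DOMAINS = {"installer-xvpn-g[.]site", "irbxvpn[.]site"}
SAMPLE_RESOLUTIONS = {
    "installer-xvpn-g[.]site": {"185[.]163[.]45[.]36"},
    "irbxvpn[.]site": {"94[.]158[.]244[.]118", "203[.]0[.]113[.]7"},
    "free-vpn-download.example": {"185[.]163[.]45[.]36"},
    "shop.example": {"203[.]0[.]113[.]7"},
    "vpn-installer.example": {"203[.]0[.]113[.]9"},
    "news.example": {"203[.]0[.]113[.]9"},
}

def resolve_iocs(ioc_domains, resolutions):
    """DNS lookup step: every host (refanged) that the IoC domains resolve to."""
    hosts = set()
    for dom in ioc_domains:
        hosts |= {refang(ip) for ip in resolutions.get(dom, ())}
    return hosts

def reverse_ip_pivot(ioc_domains, resolutions):
    """Reverse-IP step: non-IoC domains that share at least one host with an IoC.
    Returns {domain: {shared hosts}} so each overlap can be reviewed by an analyst."""
    ioc_hosts = resolve_iocs(ioc_domains, resolutions)
    refanged_iocs = {refang(d) for d in ioc_domains}
    found = {}
    for dom, ips in resolutions.items():
        if refang(dom) in refanged_iocs:
            continue  # the IoCs themselves are not "new" findings
        shared = {refang(ip) for ip in ips} & ioc_hosts
        if shared:
            found[refang(dom)] = shared
    return found

def string_pivot(domains, needle="vpn"):
    """String step: domains whose name contains the keyword the lure imitates."""
    return sorted(refang(d) for d in domains if needle in refang(d))
```

Shared-host overlap is a lead, not proof: shared hosting providers put unrelated sites on one IP, so each pivot hit still needs the WHOIS, screenshot and content checks described above before it is treated as campaign infrastructure.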
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.