Windows backdoor masquerading as VPN app installer

[silversurfer]

Content source

https://www.helpnetsecurity.com/2020/09/22/windows-backdoor-vpn/

Windows users looking to install a VPN app are in danger of downloading one that’s been bundled with a backdoor, Trend Micro researchers warn.

The trojanized package in this specific case is the Windows installer for Windscribe VPN, and contains the Bladabindi backdoor, which is able to:

• Execute commands from a remote malicious user (e.g., downloading, executing, and updating files)
• Log a user’s keystrokes
• Take screenshots of the user’s screen
• Collect information about the computer (OS, username, machine name), the running AV product(s), and passwords stored in browsers

The trojanized installer is offered on third-party download sites and users who download and run it are unlikely to notice that something is wrong with it.

“The bundled application drops three components to the user’s system: the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the application that serves as the runner of the malicious file (win.vbs). The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the background,” the researchers explained.

 

[upnorth]

“Enterprises and individual users alike employ VPNs to bolster their system’s protection. However, inadvertently downloading an installer bundled with malicious files does the exact opposite of this as it exposes systems to threats,”

 

[FireHammer]

Hey, what to do if I have had Windscribe on my system, but do not anymore, how do I proceed.

 

[FireHammer]

Reading into story more it says: " It is important to point out that the installers examined in this report come from fraudulent sources and are not from Windscribe’s official download center or app stores for Google and Apple."
I was worried some. Hope this is true.

Thanks, I certainly hope that too.