Vidar and CryptBot Trojans Spread Via Fake VPN Site
A fake VPN website called Inter VPN has been found distributing the Vidar and CryptBot password-stealing Trojans, which steal login credentials saved in the browser cache and can also tap into other parts of the system.
Claiming to be the fastest VPN solution, one that protects your privacy and anonymity online, the fake VPN site uses an image from a legitimate VPN product (VPN Pro) to convince the victim to download and install it.
If a website visitor downloads the program, they get a repackaged VPN Pro that is infected with a payload downloader. The “AutoHotKey” script connects to “iplogger.org” and downloads either the Vidar or the CryptBot executable from “bitbucket.org”. The choice between the two is up to the actor and the campaign that is running at the time of the infection. Once downloaded, the Trojans begin searching the saved browser credentials and cookies. Besides these, they also look into text files and cryptocurrency wallets, and even take screenshots in the hope of grabbing a username, a password, or both.
All of this nasty stuff takes place in the background, so the victim is unlikely to notice anything. VPN Pro works as expected, and since it’s free, nothing such as the end of a trial period compels the user to replace it. As a result, victims could be using “Inter VPN” for a long time, losing all their sensitive information to the malicious actors, who get multiple opportunities to grab it. These products are mainly promoted via forums and social media posts, which attempt to persuade people to give them a try through fake reviews and various bold claims about their awesomeness.
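As an added example (not part of the original article), the download chain described above can be hunted for in proxy or EDR network logs: a request to iplogger.org followed shortly by an .exe download from bitbucket.org by the same process on the same host. The log format, the 5-minute window, the severity labels and all sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample network events (not from the article). Assumed format:
# timestamp host process_image destination_domain url_path
SAMPLE_EVENTS = """\
2020-01-01T10:00:05 WS-01 chrome.exe bitbucket.org /team/repo/src/main/README.md
2020-01-01T10:02:11 WS-02 AutoHotkey.exe iplogger.org /1abcd
2020-01-01T10:02:14 WS-02 AutoHotkey.exe bitbucket.org /example/downloads/setup.exe
2020-01-01T10:05:00 WS-03 firefox.exe iplogger.org /2efgh
2020-01-01T11:30:00 WS-03 firefox.exe bitbucket.org /example/downloads/tool.exe
2020-01-01T12:00:00 WS-04 updater.exe iplogger.org /3ijkl
2020-01-01T12:00:20 WS-04 updater.exe bitbucket.org /example/downloads/payload.EXE?raw=1
"""

WINDOW = timedelta(minutes=5)  # assumed correlation window


def parse(line):
    ts, host, proc, domain, path = line.split(maxsplit=4)
    return datetime.fromisoformat(ts), host, proc.lower(), domain.lower(), path


def on_domain(domain, base):
    return domain == base or domain.endswith("." + base)


def is_exe_download(domain, path):
    # Ignore the query string so "file.exe?raw=1" still counts as an executable.
    return on_domain(domain, "bitbucket.org") and path.split("?", 1)[0].lower().endswith(".exe")


def detect(log_text, window=WINDOW):
    """Return (host, process, severity, path) for each iplogger -> bitbucket .exe chain."""
    last_beacon = {}  # (host, process) -> time of the most recent iplogger.org request
    alerts = []
    for ts, host, proc, domain, path in sorted(parse(l) for l in log_text.splitlines() if l.strip()):
        key = (host, proc)
        if on_domain(domain, "iplogger.org"):
            last_beacon[key] = ts
        elif is_exe_download(domain, path) and key in last_beacon:
            if ts - last_beacon[key] <= window:
                # An AutoHotkey interpreter as the requesting process matches the article's chain.
                severity = "high" if "autohotkey" in proc else "medium"
                alerts.append((host, proc, severity, path))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Browser traffic to either domain alone is common, so the rule alerts only on the ordered pair within the window and uses the process name to rank the result.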