CRIL identifies counterfeit LetsVPN phishing sites that deliver multiple malware payloads, including BlackMoon (KRBanker), Backdoor.Farfli, and KingSoft PUA, by impersonating the legitimate LetsVPN site. The campaign uses these fake VPN platforms to lure LetsVPN users into downloading malicious payloads via fake domains and download links. #LetsVPN #BlackMoon
Keypoints
- CRIL uncovered numerous counterfeit LetsVPN websites designed to distribute malware rather than provide legitimate VPN services.
- Phishing sites closely imitate the genuine LetsVPN site to entice users to download malicious payloads.
- Payloads identified include BlackMoon (KRBanker), Backdoor.Farfli, and KingSoft (PUA), delivered via deceptive download links.
- BlackMoon offers keylogging, web injection, remote access, and account hijacking capabilities.
- Backdoor.Farfli provides unauthorized access, remote control, and data exfiltration with C2 communication.
- KingSoft PUA is distributed as a potentially unwanted application with intrusive ads, browser changes, and data collection.
- Recommendations emphasize phishing awareness, MFA, software updates, cautious clicking, and network/DLP measures.
MITRE Techniques
- [T1566] Phishing – The threat actors use fake LetsVPN phishing sites to lure users into downloading malware payloads. Quote: “Multiple phishing sites mimicking the legitimate LetsVPN website have been identified. These fraudulent sites are designed to deceive victims by appearing genuine and enticing them to download malware payloads.”
- [T1204] User Execution – Victims are enticed to download malware payloads from the phishing sites. Quote: “These fraudulent sites are designed to deceive victims by appearing genuine and enticing them to download malware payloads.”
- [T1056.001] Keylogging – The malware captures keystrokes, including usernames and passwords, and transmits them to C2. Quote: “The malware captures keystrokes that the victim enters, including usernames, passwords, and other sensitive information.”
- [T1056.003] Web Injection – The malware can modify browser content to manipulate banking-related webpages. Quote: “Web Injection: BlackMoon can modify the content displayed by a victim’s web browser, allowing it to manipulate webpages related to online banking.”
- [T1021] Remote Services – The trojan provides remote access to the threat actor, enabling control of the infected system. Quote: “The trojan provides remote access to the TA, allowing them to control the infected system, exfiltrate data, or perform other malicious activities.”
- [T1555.003] Credentials from Web Browsers – The campaign targets online banking credentials and account access. Quote: “Account Hijacking: BlackMoon may attempt to take control of the victim’s online banking account, allowing the TA to initiate fraudulent transactions or gain unauthorized access to sensitive financial information.”
Indicators of Compromise
- [Domain] Phishing/mandarin domains – letsvpn.club, letsvpn.cyou
- [Domain] Additional phishing domains – latavpn.world, letevpn.world
- [File name] Payload downloads – kuaiVPN.rar, kuailian.zip
- [File hash] MD5 – 34028e2d59d73ba916600cecd5334c4b, 4de841949ede68d74507f545ea3e04c6
- [File hash] SHA1 – 4e6575aefaaec7386a2b49201d065bf570ef920b, d6cfeedb11025b1ae0f479f33fb60cc764661927
- [File hash] SHA256 – decc5c92b09bb6ef97ad68caf0ec802c530aa8974cd6a90ab313c8a309bf27f3, 90701156e937348a1f3d2ad50f0f38b4071acaaa38f4d58a91889153317443c2
- [Domain] KingSoft/PUA domain – lestvpn.com
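The indicators above are exact values, but the campaign's core trick is domains that look like the vendor's. The following is an added example, not code from the original report or from Cyble, that runs over constructed proxy log lines and flags the report's IoC domains and payload archive names; it also goes one step beyond the page with a lookalike heuristic on the second-level label, and it assumes a placeholder legitimate domain (`letsvpn.com`) that the page itself never names.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Domains and payload archive names quoted from the report summarised above.
IOC_DOMAINS = {"letsvpn.club", "letsvpn.cyou", "latavpn.world", "letevpn.world", "lestvpn.com"}
IOC_FILENAMES = {"kuaivpn.rar", "kuailian.zip"}
LEGIT_DOMAIN = "letsvpn.com"  # assumption: the page never names the real site, so this is a placeholder
BRAND_LABEL = LEGIT_DOMAIN.split(".")[0]  # "letsvpn", compared against other second-level labels
# Constructed proxy log format: <epoch> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\d+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$")

def parse_line(line):
    """Split one log line into fields plus normalised host and requested filename; None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["url"])
    rec["host"] = (parts.hostname or "").lower()
    rec["filename"] = parts.path.rsplit("/", 1)[-1].lower()
    return rec

def classify(rec, threshold=0.8):
    """Return the reasons a parsed record is suspicious; an empty list means nothing matched."""
    reasons = []
    if rec["host"] in IOC_DOMAINS:
        reasons.append("known phishing domain")
    if rec["filename"] in IOC_FILENAMES:
        reasons.append("known payload filename")
    # Heuristic beyond the report's exact IoCs: a label close to the brand name on a foreign domain.
    labels = rec["host"].split(".")
    if len(labels) >= 2 and rec["host"] != LEGIT_DOMAIN:
        if SequenceMatcher(None, BRAND_LABEL, labels[-2]).ratio() >= threshold:
            reasons.append("lookalike of " + LEGIT_DOMAIN)
    return reasons

def scan(log_text):
    """Return (client, host, reasons) for every parseable line that trips at least one check."""
    recs = [parse_line(line) for line in log_text.splitlines()]
    return [(r["client"], r["host"], reasons) for r in recs if r and (reasons := classify(r))]

# Constructed sample lines: a report IoC, the (assumed) real site, a typo variant, and benign traffic.
SAMPLE_LOG = """\
1686900000 10.0.0.5 GET http://letsvpn.cyou/download/kuaiVPN.rar 200
1686900010 10.0.0.6 GET https://letsvpn.com/ 200
1686900020 10.0.0.7 GET http://letsvpm.example/kuailian.zip 200
1686900030 10.0.0.8 GET https://example.org/index.html 200
"""
```

`scan(SAMPLE_LOG)` returns two hits: the IoC domain serving `kuaiVPN.rar` with three reasons, and the typo variant serving `kuailian.zip` with two; the real site and the benign request produce nothing.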
Read more: https://blog.cyble.com/2023/06/16/new-malware-campaign-targets-letsvpn-users/