Cybercriminals Distribute Backdoor With VPN Installer
By Raphael Centeno ( words)
Published: 2020-09-21 · Archived: 2026-04-05 23:19:12 UTC
As with any popular technology, Virtual Private Networks (VPNs) are also used by cybercriminals as bait for spreading
threats. In this entry, we share how threat actors are bundling Windscribe VPN installers with backdoors. Backdoors allow
cybercriminals to gain access and control of computers remotely without the need for proper authentication. The specific
backdoor here is detected by Trend Micro as Backdoor.MSIL.BLADABINDI.THA, while the associated malicious files are
detected by Trend Micro as Trojan.MSIL.BLADABINDI.THIOABO.
It is important to point out that the installers examined in this report come from fraudulent sources and are not from
Windscribe’s official download centeropen on a new tab or app stores for Googleopen on a new tab and Appleopen on a new
tab. Notably, cybercriminals have previously used the technique of bundling legitimate installers with malicious files for
luring users on other platforms such as video conferencing apps.
The use of a VPN secures the communication between a user’s computer and the internet by encrypting the connection, thus
keeping data secure from spying attempts. VPNs have always been useful but are now relied on more than ever as many
companies remain in work-from-homeworking-from-home-here-s-what-you-need-for-a-secure-setup (WFH), away from the
presumably more secure office network environment.
Analyzing the malicious files bundled with the installer
To begin with, a user likely gets the file from malicious sources, not knowing that they are downloading a bundled
application instead of the legitimate installer alone. The bundled application drops three components to the user’s system:
the legitimate VPN installer, the malicious file (named lscm.exe) that contains the backdoor, and the application that serves
as the runner of the malicious file (win.vbs).
Figure 1. Contents of the bundled application
Figure 2. Code content of win.vbs file showing its function of running the malicious file
The user sees an installation window on their screen, which possibly masks the malicious activity that occurs in the
background.
https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html
Page 1 of 4

Figure 3. Installation Window of Windscribe VPN
Without the user’s knowledge, the file lscm.exe stealthily acts in the background by downloading its payload from a
website. This website then redirects the user to another page to download an encrypted file named Dracula.jpg.
Figure 4. Code snippet of lscm.exe showing the website it downloads its payload from
This file, which is obfuscated, has a decryption routine for the first layer stating that all “DTA” should be replaced by “14”
and then that the file should be string-reversed. Afterward, it also states that the hex value should be converted to a string.
The value will then become an encoded base64 file.
Figure 5. Code snippet showing decryption routine
Decrypting Dracula.jpg’s layers of encryption reveals the backdoor payload.
Figure 6. Encrypted Dracula.jpg file
https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html
Page 2 of 4

Figure 7. Encrypted Code Windscribe
Figure 8. Decrypted file
The backdoor can also perform some commands like downloading, executing, and updating files, as well as taking
screenshots of the user’s screen.
Besides these, the malware gathers the following information:
 Antivirus products
 Machine name
 Operating system
 Username
Conclusion
Enterprises and individual users alike employ VPNs to bolster their system’s protection. However, inadvertently
downloading an installer bundled with malicious files does the exact opposite of this as it exposes systems to threats.
Therefore, everyone should be reminded that the download of any application must only be coursed through legitimate
avenues such as the app’s official download centers and other legitimate app marketplaces.
Today, many companies still use VPNs for their WFH setups. Although the home is a place for relaxation, users should
never let their guard down when it comes to the security of their devices. Rather, it is best for users to stay vigilant in taking
steps to protect their data.
Recommendations
As prevention is better than cure, the best method to avoid malicious files is to be careful not to download them from their
sources. For this, the following measures are recommended:
Download applications and files only from official download centers and app stores. When in doubt about the
download source, it is best to consult with the IT team of one’s company.
Scrutinize URLs to distinguish between spoofed domains of download centers (or app stores) and the legitimate ones.
Keep in mind that misspelled domain names are red flags.
Never download apps and other files from emails sent by untrusted sources.
Do not select any links from suspicious emails. Instead, hover over a link to get a preview of the URL where the
embedded link is supposed to lead to.
Lastly, we recommend Trend Micro™ WiFi Protectionproducts, which ensures secure internet connection both at home and
in public places. It also filters and blocks malicious websites, online fraud, and internet scams.
Indicators of Compromise
URLs
gamezer1hack[.]sytes[.]net:19811
hxxps://onedrive[.]live[.]com/download?
cid=9B6546ADF0F7911A&resid=9B6546ADF0F7911A!1195&authkey=ABFIpKKz4bOcT1I
hxxps://yu0aoq[.]db[.]files[.]1drv[.]com/y4mr4XEohBDL_98XqXLIKJPqiyqV1rhPymTxyJlXe0jmdlUfwDD0zTGUJtmAqyLRdtTJXAYycbv00q
gSTmO3mIT5jCGKwfPRsMgFOcCjm8P9cugtlz0psvZQgiW13JPS_JSu3Wc8nVE0qT8qYTpNjQfCHLwTmNk6fh5zaCvDF0gpJkdKuvrMJ0TsA
download&psid=1
Tags
https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html
Page 3 of 4

Source: https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html
https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html
Page 4 of 4