A recent cybersecurity threat has emerged involving a counterfeit installer for LetsVPN, a widely used VPN service in China. This deceptive installer not only installs the legitimate VPN software but also clandestinely deploys a remote access trojan (RAT) known as GoodPersonRAT, granting attackers full control over the compromised system.
The malicious installer, named Kuailianwin-setup.86.msi, contains three components: the genuine LetsVPN installer, a loader, and encrypted shellcode. Upon execution, the loader decrypts and executes the shellcode directly in memory, thereby avoiding detection by traditional antivirus tools. This process results in the installation of GoodPersonRAT without leaving traces on the disk.
Once active, GoodPersonRAT establishes a persistent connection to command-and-control servers, enabling attackers to execute a range of malicious activities. These include logging keystrokes, capturing screenshots, transferring files, executing commands, and rerouting internet traffic through a proxy. Notably, the malware targets messaging applications like Telegram Desktop by copying session data and redirecting traffic, potentially compromising user communications.
This incident underscores a growing trend where cybercriminals exploit trusted software installers to distribute malware. Similar tactics have been observed with other applications, such as fake installers for FileZilla and Google Chrome, which have been used to deploy various RATs. These methods rely on social engineering to deceive users into executing malicious software, highlighting the importance of downloading applications exclusively from official sources.
To mitigate such threats, users should exercise caution when downloading software, ensuring they obtain it from verified and official channels. Additionally, maintaining up-to-date antivirus software and being vigilant about unexpected system behaviors can help detect and prevent infections. Organizations should also educate employees about the risks associated with downloading software from untrusted sources and implement security measures to monitor and block malicious activities.
The emergence of GoodPersonRAT through a fake LetsVPN installer highlights the evolving tactics of cybercriminals who exploit trusted software to infiltrate systems. This incident serves as a reminder of the critical need for vigilance and adherence to cybersecurity best practices to protect against such sophisticated threats.