First of all, just to make sure ppl know, a VPN service using nssm is not suspicious at all. VPNs often have to run other services in the background and nssm lets them do that. That said, there are plenty of other clues that this is malicious, but nssm is not one of them.
The actual download link is hosted on turninted-suradios.icu, which was registered by Key-Systems LLC and they used whoisproxy.com. The application itself also references app-update.yml, which is also hosted by NameCheap but they used a different whois proxy. I’m working on compiling a report on this that I can send to whoisproxy.com. Did you send any reports yet?
As for evidence, I have so far that it:
- Implements anti-virtualization techniques (these are specific to VirtualBox, I’m not going to explain them in detail here)
- Uses some almost certainly evil Windows API calls
- I’m not entirely sure about this one, but they appear to be using a patched version of OpenVPN (they also use OpenVPN but I can’t find a *.ovpn file, which is weird)
Not evidence, but definitely suspicious:
- Sketchy website
Hopefully this is enough to convince Cloudflare et al. If you have any other evidence it would be great if you could post it here (don’t go into too much detail ofc).