Popup - EasyAsVPN: High Performance, Anonymous & 100% Free VPN Service

A WhoIs lookup reveals the domain was registered via NameCheap on April 3, 2019 (updated March 16, 2021) - Whois easyasvpn.com

VirusTotal - VirusTotal

Program contains the Tool.Nssm.5 riskware, which allows executables to run as services on Windows operating systems. While used by legitimate software, it is also used for malicious purposes such as crypto-mining.

1 Like

First of all, just to make sure ppl know, a VPN service using nssm is not suspicious at all. VPNs often have to run other services in the background and nssm lets them do that. That said, there are plenty of other clues that this is malicious, but nssm is not one of them.

The actual download link is hosted on turninted-suradios.icu, which was registered by Key-Systems LLC and they used whoisproxy.com. The application itself also references monetizemyapp.net inside app-update.yml, which is also hosted by NameCheap but they used a different whois proxy, WithheldForPrivacy.

Both easyasvpn.com and turninted-suradios.icu use Cloudflare.

I’m working on compiling a report on this that I can send to Cloudflare, NameCheap, Key-Systems, WithheldForPrivacy, and whoisproxy.com. Did you send any reports yet?

As for evidence, I have so far that it:

  • Implements anti-virtualization techniques (these are specific to VirtualBox, I’m not going to explain them in detail here)
  • Uses some almost certainly evil Windows API calls
  • I’m not entirely sure about this one, but they appear to be using a patched version of OpenVPN (they also use OpenVPN but I can’t find a *.ovpn file, which is weird)

Not evidence, but definitely suspicious:

  • Aggresively obfuscated JavaScript (I haven’t reversed it yet)
  • Sketchy website

Hopefully this is enough to convince Cloudflare et al. If you have any other evidence it would be great if you could post it here (don’t go into too much detail ofc).


1 Like

UPDATE: I’ve reported them to all the parties I mentioned above, and gave them detailed information on the points I already outlined and a few other indicators that I just found. Hopefully this gets taken down soon, and thanks so much for posting this :)

1 Like