Six VPN Apps Introduced Botnet Malware on Systems Since 2014

Six VPN apps have been found to be infecting users’ systems with malware, contributing to one of the largest botnets ever dismantled.

A U.S. Department of Justice announcement earlier this week highlighted the takedown of the 911 S5 botnet, responsible for infecting over 19 million IP addresses worldwide, including 613,841 in the United States.

The botnet’s administrator, YunHe Wang, a Chinese national, was arrested on May 24, 2024. Wang and his associates had created and distributed illegitimate VPN applications since 2014, which connected to the 911 S5 service, transforming users’ devices into part of the botnet. This extensive network facilitated various criminal activities, including financial fraud, identity theft, and child exploitation.

The botnet generated nearly $99 million in illicit profits, allowing cybercriminals to access infected IP addresses for a fee. This facilitated large-scale fraud, including over 560,000 fraudulent unemployment claims and more than 47,000 Economic Injury Disaster Loan applications during the COVID-19 pandemic.

Malicious VPN applications

The VPN apps, which the fraudsters created specifically to support their botnet malware operations, were distributed as free downloads or bundled with other software, and they installed malware on users’ devices without their consent.

The VPN applications the authorities identified as part of this scheme include:

  • MaskVPN
  • DewVPN
  • PaladinVPN
  • ProxyGate
  • ShieldVPN
  • ShineVPN

These applications, once installed, made the users’ systems part of the botnet, allowing cybercriminals to use their IP addresses for illegal activities while concealing their true locations.

Detecting and removing the malware

The dismantling of the 911 S5 botnet and the arrest of its administrator significantly disrupted the botnet’s operations. However, taking down the botnet infrastructure does not automatically deactivate all infected devices. The malicious software on affected systems could still pose risks if not removed, as the bots could be ordered to switch communications to new infrastructure set up by Wang’s co-conspirators.

If you installed any of the listed VPN applications at any point in the past, follow these steps to remove them:

Uninstall them:

  • Click on the Start menu (Windows button) and type “Add or remove programs.”
  • Search for the name of the malicious VPN application.
  • If found, click on the application name and select “Uninstall.”

End malicious processes:

Open the Windows Task Manager by pressing Control+Alt+Delete and selecting “Task Manager,” or right-click on the Start menu and select “Task Manager.”

Under the “Processes” tab, look for the following processes:

  • MaskVPN (mask_svc.exe)
  • DewVPN (dew_svc.exe)
  • PaladinVPN (pldsvc.exe)
  • ProxyGate (proxygate.exe, cloud.exe)
  • ShieldVPN (shieldsvc.exe)
  • ShineVPN (shsvc.exe)

If found, select the process and choose “End task.”

Run a malware scan:

Several free AV tools should be able to detect the mentioned threat, including Bitdefender, Avast, and AVG, so running a complete system scan with one of them is recommended.

Malwarebytes has confirmed via an update yesterday that it has added detection signatures for the mentioned VPN binaries, so people can use Malwarebytes Premium (a free trial is available) to scan for remnants.

Open the application and click the Scan button on the main dashboard. Wait for the scan to complete and review the Threat scan summary. If threats are detected, manually quarantine them by selecting the detections and clicking Quarantine.

The FBI has also published detailed removal instructions on this webpage.
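The uninstall and process checks above can be scripted for triage across several machines. The following PowerShell script is an added example, not code from the article, the FBI or Malwarebytes; it only reports what it finds and changes nothing. The application names and image names come from the lists above, the registry keys are the standard ones behind “Add or remove programs”, and the service check is an assumption based on the `_svc`/`svc` naming of the binaries.

```powershell
# Added triage script (not from the article or the FBI/Malwarebytes guidance).
# Detection only: lists leftover program entries, running processes and services
# tied to the six VPN apps named in the article, and changes nothing.
# Run in an elevated PowerShell session so HKLM and all processes are visible.

$VpnNames    = @('MaskVPN', 'DewVPN', 'PaladinVPN', 'ProxyGate', 'ShieldVPN', 'ShineVPN')
# Image names from the article's process list, without the .exe extension.
$VpnBinaries = @('mask_svc', 'dew_svc', 'pldsvc', 'proxygate', 'cloud', 'shieldsvc', 'shsvc')

$NamePattern   = ($VpnNames | ForEach-Object { [regex]::Escape($_) }) -join '|'
$BinaryPattern = '\\(' + (($VpnBinaries | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')\.exe'

# The keys that populate "Add or remove programs" (64-bit, 32-bit and per-user).
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Find-VpnInstallEntry {
    # Same data the manual "Add or remove programs" search looks at.
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        Select-Object DisplayName, InstallLocation, UninstallString
}

function Find-VpnProcess {
    # Get-Process reports the image name without .exe. 'cloud.exe' is a generic
    # name, so confirm the Path column before ending that process.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -in $VpnBinaries } |
        Select-Object Id, ProcessName, Path
}

function Find-VpnService {
    # Assumption: the _svc/svc suffixes suggest Windows services. A service entry
    # survives "End task" and restarts the binary at boot, so it must be found too.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match $BinaryPattern } |
        Select-Object Name, State, StartMode, PathName
}

'== Installed program entries =='; Find-VpnInstallEntry | Format-Table -AutoSize
'== Running processes ==';         Find-VpnProcess      | Format-Table -AutoSize
'== Services ==';                  Find-VpnService      | Format-Table -AutoSize
```

Anything the script reports is then removed with the manual steps above and confirmed with a full AV scan; an empty report does not prove a clean machine, since the binaries may have been renamed or already quarantined.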

In conclusion, users should exercise caution when installing VPN applications, ensuring they come from reputable sources. Trustworthiness should always take precedence over cost. Due to their popularity, VPN apps are the go-to choice for cybercriminals looking to establish an effective malware distribution mechanism. (1, 2, 3, 4)
