The curious case of ZionVPN


I was scrolling Reddit late at night when I suddenly got a weird ad for a service called ZionVPN. Clicking on it, I was met with a polished website offering a free VPN service under this logo:

Being an Israeli, I found the caption incredibly odd. For those who can’t read Hebrew, the subtitle states “First Greater Israel, then the world”. The yellow ribbon over the O is the hostage symbol meant to commemorate the Israeli hostages who were abducted on October 7.

I clicked around a bit on the site and noted that both the terms of service and privacy policy links lead nowhere.

All of this seemed incredibly odd to me, so I decided to dig a bit further. Looking at the source code for the main page, I saw several points of interest:

First of all, the page title: “ZionVPN – BROADBAND to the HOLY LAND”. If I ever needed proof this website was vibe coded, this was it.

Additionally, the address listed is “Frishman St 55, 64383 Tel Aviv-Yafo”. A quick Google search reveals this address to be a house.

Comments in German

A quick Google Translate reveals the sentence above to be “CORRECTED SECTION: Server data with correct flag emojis”.

A confirmation message for those who submit their email.

I decided to submit a dummy email. Doing so triggered an AJAX request to a PHP backend and immediately redirected me to download.html. At this point I wanted to check whether anything barred me from going to that page directly. Sure enough, there was no such barrier.

The download page presents you with two options:

Let’s examine the EXE.

At 150 KB in size, the EXE, named ZionVPNx64, is signed by a certificate from an unverified certificate authority called “Codegic CA G2”; no wonder the site says that “Windows may show certificate warnings”. The certificate itself has the following subject:

C = DE
O = ZionVPN
CN = ZionVPN
E = schalom@zionvpn.com

Okay, so we get another clue that our mystery developer may be situated in Germany. Another thing that raises red flags for me is the email. The spelling Schalom is very atypical and rare; the way we’d normally spell the name is Shalom.
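To reproduce the signature findings above on any downloaded binary from the defender’s side, here is an added PowerShell triage snippet (not from the original post; the sample path is a placeholder). It reports the signer subject and issuer, builds the certificate chain to show why Windows distrusts it, and computes the SHA-256 for a VirusTotal lookup.

```powershell
# Added triage helper: inspect the Authenticode signature of a downloaded binary.
# The path below is a placeholder; point it at the file under analysis.
function Get-SignerTriage {
    param([Parameter(Mandatory)][string]$Path)

    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        File      = $Path
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash  # look this up on VirusTotal
        SigStatus = $sig.Status          # Valid, NotSigned, NotTrusted, HashMismatch, ...
        Message   = $sig.StatusMessage
    }

    $cert = $sig.SignerCertificate
    if ($null -ne $cert) {
        $result.Subject  = $cert.Subject   # e.g. C=DE, O=ZionVPN, CN=ZionVPN, E=...
        $result.Issuer   = $cert.Issuer    # the CA that issued the signing certificate
        $result.NotAfter = $cert.NotAfter

        # Build the chain ourselves to see *why* the signature is not trusted.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $result.ChainTrusted = $chain.Build($cert)
        $result.ChainErrors  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
        $result.ChainPath    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
    }
    [pscustomobject]$result
}

Get-SignerTriage -Path 'C:\samples\ZionVPNx64.exe' | Format-List
```

A certificate issued by a CA that Windows does not know typically shows up here as SigStatus NotTrusted with a ChainErrors entry of UntrustedRoot, which is the condition behind the site’s “certificate warnings” remark.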

Diving a bit into the file metadata, we get this:

Okay, so now we have two names to work with.
The first is Magnus Hirschfeld Institute. The first link that I found was the Institut für Sexualwissenschaft. This didn’t seem right though; further digging led me to the Federal Foundation Magnus Hirschfeld, Igy and some other institutions. I think it’s fair to say none of these organizations have anything to do with this VPN service.

The second is Kosher Solutions LLC. Several companies bear this name, and none have anything to do with VPNs. Another troll.

I then took it to VirusTotal; the full scan is available here.

Here we can see that both Google and Ikarus detected it as a virus.

So what did it do?
Looking at the analysis, we can see it tried to contact a domain called westcnds.asia.

The domain, as of the time of writing, has 12 malware detections on VirusTotal, where it is flagged as botnet C2 (Command & Control) and information-stealer infrastructure; the domain itself is registered in Malaysia.



In conclusion

This seemingly vibe-coded VPN site appears to be a slick facade for a data-harvesting / botnet operation. Stay away.


