The attackers who previously breached and abused the website of free multimedia editor VSDC to distribute the Win32.Bolik.2 banking Trojan have now switched their tactics.
While previously they hacked legitimate websites to hijack download links infected with malware, the hackers are now creating website clones to deliver banking Trojans onto unsuspecting victims' computers.
This allows them to focus on adding capabilities to their malicious tools instead of wasting time by trying to infiltrate the servers and websites of legitimate businesses.
More to the point, they are actively distributing the bank Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website, an almost perfect clone of the official nordvpn.com site used by the popular NordVPN VPN service.
Thousands of potential victims
The cloned website also has a valid SSL certificate issued by open certificate authority Let’s Encrypt on August 3, with an expiration date of November 1.
"Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus," state the Doctor Web researchers who spotted the campaign.
"Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems."
The operators behind this malicious campaign have launched their attacks on August 8, they are focusing on English-speaking targets and, according to the researchers, thousands have already visited the nord-vpn[.]club website in search of a download link for the NordVPN client.
The hacker behind Bolik banker worm is back. This time the malware is distributed via fake sites pretending to be NordVPN, Invoicesoftware360 and Clipoffice.
— Ivan Korolev (@fe7ch) August 19, 2019
Arcticle: https://t.co/1ZJK5BdV4F
IOCs: https://t.co/Q9b9ECrZxu
"The actor is interested in english speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable," Doctor Web malware analyst Ivan Korolev told BleepingComputer.
He also said that the hackers are using the malware "mainly as keylogger/traffic sniffer/backdoor" after successfully infecting their victims.
The infected NordVPN installers will actually install the NordVPN client to avoid raising suspicions while dropping the Win32.Bolik.2 Trojan malicious payload behind the scenes on the now compromised system.
Spreading malware via cloned sites
A cocktail of banking trojans and information stealers—Win32.Bolik.2 and Trojan.PWS.Stealer.26645 (Predator The Thief)—was also delivered to their targets by the same hacker group behind this malware campaign with the help of two other cloned websites in late June 2019:
• invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com)
• clipoffice[.]xyz (the original is crystaloffice[.]com)
This is not the first campaign these bad actors have used to infect their victims with malware since, as mentioned in the beginning, they also used to hack legitimate sites to hijack download links and replace them with their own malicious payloads.
Back in April, the website of the free multimedia editor VSDC was breached by the hackers, the second time in two years actually, with the download links being used to distribute the Win32.Bolik.2 banking trojan and the Trojan.PWS.Stealer (KPOT stealer) info stealer.
The users who downloaded and installed the compromised VSDC installer potentially infected their computers with the multi-component polymorphic banking Trojan, and had sensitive info stolen from browsers, their Microsoft accounts, various messenger apps, and several other programs.
Indicators of compromise of Win32.Bolik.2, Trojan.PWS.Stealer.26645 (Predator The Thief), AZORult, and BackDoor.HRDP.32 samples, as well as network indicators including command-and-control server and distribution domains, are provided by Doctor Web's researchers on GitHub.
Update August 20, 09:07 EDT: NordVPN's Head of Public Relations Laura Tyrell sent BleepingComputer the following comment:
Online scammers love to pretend to be trusted companies when trying to fool their victims. Because NordVPN is such a widely trusted online security company, scammers pretend to be us as well. They do this to steal users’ money or infect their PCs with malware.
Always double-check information if you have even the slightest suspicion. Also, never give out personal information that has no relation to our services or transfer your money via wiring service. If you have any doubt, always contact NordVPN through one of our official channels.
What NordVPN won’t do:
• NordVPN only sells accounts on its official website. We only sell legitimate NordVPN accounts on our official website: https://nordvpn.com/. NordVPN can also be found in certain retailers' stores, the list is provided on the NordVPN’s website: https://nordvpn.com/retail/.
• NordVPN won't send you to the wrong website. Scammers use websites that look like NordVPN’s to scam internet users. The core part of NordVPN’s webpage URL will always be https://nordvpn.com/. The only exception to this rule will be for users buying NordVPN in high surveillance countries that block our core website. If you're not sure whether the website you're seeing is a legitimate NordVPN website, contact our support team.
• NordVPN representatives will never ask for your password. If someone posing as a NordVPN representative tries to find out your password, they are scammers. Also, be aware of fake password change emails. You should never disclose your password to anyone.
• NordVPN won't use sketchy email addresses. NordVPN official email ends with @nordvpn.com and sometimes @nordvpnmedia.com or @nordvpnbusiness.com. We do not send emails from addresses like nordvpn@gmail.com or nordvpn@nord.com. However, hackers can easily fake a legitimate email address. To avoid gettings fooled, always check whether the link in an email redirects to a legitimate NordVPN website with a URL starting with https://nordvpn.com/.
• NordVPN does not make phone calls. NordVPN’s official means of communication are email, the support chat on our website, our official Twitter (@NordVPN), or our official Facebook page: https://www.facebook.com/NordVPN/. Do not trust connections outside of these communication tools.
Comments
The_Angry_Intellect - 4 years ago
We need to step up our game in this world.
I recommend the instant death penalty for anyone who commits any crimes.
No courts, no delay, why wait? Instant death can be yours today for the low, low price of your pathetic scamming life, just break the law and it's yours.
buddy215 - 4 years ago
I wouldn't agree to that unless I was the only one to decide who committed a crime. I don't think you spent much time thinking before posting your comment.