Hackers Use Fake NordVPN Website to Deliver Banking Trojan

VPN applications

The Win32.Bolik.2 Banking Trojan has now changed their strategies by attackers that earlier violated and abused the website of the free media editor VSDC.

Although they have earlier hacked lawful websites to hijack malware-infected connections, hackers are now developing clones to supply Banking Trojans on suspicious victims ‘ pcs.

Instead of spending time attempting to infiltrate the servers and websites of legitimate companies, they can concentrate on incorporating capacities in their malicious instruments.

Moreover, the bank Win32.Bolik.2 banking Trojan is actively distributed via a website north-vpn[.]club, an near-perfect clone of the official Northvpn.com site used by the popular NordVPN VPN service.Fake NordVPN website

Cloned NordVPN website

There is also a valid SSL certificate issued by the open certificate authority Let’s Encrypt on August 3 and expires on November 1.

“Trojan Win332.Bolik.2 is an enhanced version of Win32.Bolik.1, with multi-component polymorphic file virus,” the web scientists who spotted the campaign said.

“Hackers can use this malware to conduct Web injections, interception of traffic, keylogging and theft data from various bank customer systems.”

The operators behind this malicious campaign began their assaults on 8 August, focused on English speaking goals, and thousands have visited, according to the scientists, the North Vpn website[.]club to look for a download link for the NordVPN customer.

“The actor is interested in english speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable,” Doctor Web malware analyst  Ivan Korolev told.

He said the hackers use malware “primarily as a keylogger / traffic sniffer / backdoor” after their victims have been effectively infected.

In fact, the infected NordVPN installers are installing the NordVPN client to prevent increasing suspicions when dropping the Win32.Bolik.2 malicious payload of the now compromised scheme behind the scenes.

Malware spread through cloned locations

A cocktail of banking trojans and information robbers — Win32.Bolik.2 and Trojan. PWS.Stealer.26645 (Predator The Thief)—was also provided to its objectives by the same group of hackers behind the malware campaign by using another two cloned websites at the end of June 2019;

• invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com)

• clipoffice[.]xyz (the original is crystaloffice[.]com)

This isn’t the first campaign these malicious actors used to infect their victims with malware, as they used to hack lawful websites to hijack connections for download and replace them with their own malicious payloads.

By April, the hackers had broken the website of the free media editor, VSDC, for the second time in two years, using the Download connections for the Win32.Bolik.2 banking trojan and the trojan. PWS.Stealer (KPOT stealer) data stealer.

The customers who downloaded and installed the compromised VSDC installer possibly infected their pcs with the polymorphic banking Trojan multi-component and had sensitive information stolen from browsers, Microsoft accounts, messenger applications and several other software programmes.

The Doctor Web scientists on GitHub provide Win32.Bolik.2, Trojan. PWS.Stealer.26645 (Predator The Thief), AZORult, and BackDoor. HRDP.32 sample compromises, as well as network indicators including command and control server and distribution domains.

Jennifer Thomas
Jennifer Thomas is the Co-founder and Chief Business Development Officer at Cybers Guards. Prior to that, She was responsible for leading its Cyber Security Practice and Cyber Security Operations Center, which provided managed security services.