Hackers deliver malware via fake NordVPN website
Published: 10:24 AM, 21 August 2019
The operators of the Win32.Bolik.2 banking Trojan, who previously compromised and abused the website of the free video editor VSDC, have changed strategy: they are now cloning the website of a popular VPN service to trick users into downloading malware.
Creating their own fake sites lets them spend their time adding capabilities to their malicious tools rather than breaking into the servers and websites of legitimate businesses.
According to new research, the cybercriminals responsible for breaching and abusing the website of the free video editor VSDC to distribute malware have begun creating fake websites to accomplish the same goal.
They are currently distributing the Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website, a near-perfect clone of nordvpn.com, the official site of the popular NordVPN service.
Thousands of potential victims
The cloned website also has a valid SSL certificate, issued by the open certificate authority Let’s Encrypt on August 3 with an expiration date of November 1, so the browser's padlock icon gives visitors no warning.
“Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus,” said Ivan Korolev, the Doctor Web malware analyst who spotted the campaign.
“Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems,” he also said.
The operators behind this malicious campaign launched their attacks on August 8, focusing on English-speaking targets, and, according to the researchers, thousands have already visited the nord-vpn[.]club website in search of a download link for the NordVPN client.
“The actor is interested in English speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable,” said Ivan Korolev, adding, “The hackers are using the malware ‘mainly as keylogger/traffic sniffer/backdoor’ after successfully infecting their victims.”
The cybercriminals behind this malicious campaign are focusing on English-speaking targets and thousands of users have already visited the fake NordVPN website according to the researchers.
Upon visiting the cloned site, users are prompted to download the NordVPN client just as they would be on the legitimate site. To avoid arousing suspicion, the fake site's installer does install the genuine VPN client, but it also drops the Win32.Bolik.2 banking Trojan on the user's system.
As the group’s tactics have been successful so far, expect to see other similar cloned sites used to infect users' systems with malware in the future.
Users who downloaded and installed the compromised VSDC installer potentially infected their computers with the multi-component polymorphic banking Trojan and had sensitive information stolen from browsers, their Microsoft accounts, various messenger apps, and several other programs.
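Because the clone carries a valid certificate, the only network-level tell is the domain itself. The following is an added example (not code from the article or from Doctor Web) that scans constructed proxy log lines for look-alike domains of a protected brand, folding the hyphen insertion seen in nord-vpn[.]club and digit-for-letter swaps before comparing; the allow-list and sample log are assumptions.

```python
import re
from urllib.parse import urlsplit
# Constructed sample proxy log lines (not from the article): time, client IP, method, URL.
SAMPLE_LOG = """\
2019-08-08T10:01:02Z 10.0.0.12 GET https://nordvpn.com/download/
2019-08-08T10:03:44Z 10.0.0.15 GET https://nord-vpn.club/download/NordVPNSetup.exe
2019-08-08T10:05:10Z 10.0.0.18 GET https://www.n0rdvpn.com/
2019-08-08T10:07:31Z 10.0.0.20 GET https://example.org/index.html
"""
# Registrable domains whose brand we want to protect (assumed allow-list).
LEGIT_DOMAINS = {"nordvpn.com"}
URL_RE = re.compile(r"https?://\S+")
def _levenshtein(a, b):
    """Edit distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize_label(label):
    """Fold tricks seen in clone domains: hyphen insertion and digit-for-letter swaps."""
    return label.lower().replace("-", "").translate(str.maketrans("0135", "oles"))

def registrable(host):
    """Last two labels; simplification that ignores the public suffix list (e.g. .co.uk)."""
    return ".".join(host.lower().split(".")[-2:])

def classify(host):
    """'legitimate', 'lookalike of <brand>' (same label on another TLD or one edit away), or 'unrelated'."""
    host = host.lower()
    if any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS):
        return "legitimate"
    label = normalize_label(registrable(host).rsplit(".", 1)[0])
    for legit in LEGIT_DOMAINS:
        if _levenshtein(label, legit.rsplit(".", 1)[0]) <= 1:
            return "lookalike of " + legit
    return "unrelated"

def scan_log(text):
    hits = []  # (client, host, verdict) for every request to a lookalike domain
    for line in text.splitlines():
        m = URL_RE.search(line)
        host = urlsplit(m.group(0)).hostname if m else None
        verdict = classify(host) if host else "unrelated"
        if verdict.startswith("lookalike"):
            hits.append((line.split()[1], host, verdict))
    return hits
```

Hits from `scan_log` are the clients that reached a clone; pair them with the endpoint's download history to find who ran the bundled installer.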