Doctor Web experts warned that attackers use copies of popular services sites to distribute Bolik banker (Win32.Bolik.2). For example, the Bolik Trojan is very effectively masked under NordVPN.One of these resources, discovered by experts, copies this famous VPN service, while others are disguised as corporate office software sites.
The company’s experts found a copy of the site of the popular VPN service NordVPN at nord-vpn[.]Club. As on the original resource, the user is invited to download the program for using the VPN, but with it, the fake authors distribute the banker.
Externally, a copy of the site is practically does not differe from the original: it has the same design, a similar domain name and a valid SSL certificate. At the time of the analyst’s report publication, the malicious site had thousands of visits.
According to Doctor Web, this campaign is aimed primarily at an English-speaking audience and was launched in early August 2019.
“The actor is interested in english speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable. Hackers are using the malware “mainly as keylogger/traffic sniffer/backdoor” after successfully infecting their victims”, — told Doctor Web malware analyst.
In addition, at the end of June this year, the same group of hackers created copies of office program sites, namely invoicesoftware360[.]Xyz (original – invoicesoftware360[.]Com) and clipoffice[.]Xyz (original – crystaloffice[.]Com), where the Bolik Trojan, as well as the Trojan.PWS.Stealer.26645 stealer, were distributed. A complete list of indicators of compromise is available here.
Researchers note that Win32.Bolik.2 is an improved version of the Win32.Bolik.1 Trojan, discovered in 2016. Malware has the properties of a multicomponent polymorphic file virus, and earlier researchers thought that Bolik inherits to such well-known banking Trojans as Zeus and Carberp. With its help, hackers can perform web injections, intercept traffic, keystrokes and steal information from the bank-client systems.
NordVPN’s Head of Public Relations Laura Tyrell sent BleepingComputer the following comment:
“Online scammers love to pretend to be trusted companies when trying to fool their victims. Because NordVPN is such a widely trusted online security company, scammers pretend to be us as well. They do this to steal users’ money or infect their PCs with malware.”
And recommended the following:
Always double-check information if you have even the slightest suspicion. Also, never give out personal information that has no relation to our services or transfer your money via wiring service. If you have any doubt, always contact NordVPN through one of our official channels.