Doctor Web's analysts found a copy of the website of the popular VPN service NordVPN at nord-vpn[.]club. As on the genuine site, visitors are invited to download the VPN client, but the installer offered by the fake site also carries the Bolik banking Trojan (Win32.Bolik.2).
Outwardly the copy is almost indistinguishable from the original: it uses the same design, a confusingly similar domain name and a valid TLS (SSL) certificate, so the browser's padlock indicator gives the visitor no warning. By the time the analysts' report was published, the malicious site had already received thousands of visits.
According to Doctor Web, this campaign is aimed primarily at an English-speaking audience and was launched in early August 2019.
“The actor is interested in English-speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable. Hackers are using the malware ‘mainly as keylogger/traffic sniffer/backdoor’ after successfully infecting their victims,” a Doctor Web malware analyst said.
In addition, at the end of June this year the same group created copies of the websites of two office programs: invoicesoftware360[.]xyz (original: invoicesoftware360[.]com) and clipoffice[.]xyz (original: crystaloffice[.]com). These sites distributed the Bolik Trojan as well as the Trojan.PWS.Stealer.26645 stealer. A complete list of indicators of compromise is available in Doctor Web's report.
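All three fake sites in this campaign rely on a registrable domain that mimics the brand under a different TLD. The script below is an added example of how a defender could triage hostnames from a proxy log against a small brand allow-list; it is not code from the original article or from Doctor Web. The allow-list, the homoglyph table, the edit-distance threshold and the sample hostnames are constructed for the example; only the domain names themselves come from the article.

```python
"""Lookalike-domain triage for the campaign above.

Added example; this is not code from the original article or from
Doctor Web. The allow-list, the scoring thresholds, the homoglyph
table and the sample hostnames are constructed for the example; only
the domain names themselves are taken from the article.
"""
import re

# Constructed allow-list of the brands being impersonated, as the
# registrable domain a defender would maintain (not from the article).
LEGIT = {"nordvpn.com", "invoicesoftware360.com", "crystaloffice.com"}

# Minimal, constructed homoglyph map: digits that attackers commonly
# substitute for letters. A real deployment would use a fuller table.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def registrable(host: str) -> "tuple[str, str]":
    """Split 'www.nord-vpn.club' into ('nord-vpn', 'club').

    Assumes a single-label public suffix; a real tool would consult the
    Public Suffix List so that 'example.co.uk' is handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def normalise(label: str) -> str:
    """Drop separators and fold homoglyph digits, so 'nord-vpn' == 'nordvpn'."""
    return re.sub(r"[-_]", "", label).translate(_HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str) -> str:
    """Return 'legit', 'lookalike' or 'unrelated' for one hostname."""
    label, tld = registrable(host)
    if f"{label}.{tld}" in LEGIT:
        return "legit"
    norm = normalise(label)
    for legit in LEGIT:
        lnorm = normalise(registrable(legit)[0])
        # Same brand under another TLD (nord-vpn.club), the brand embedded in a
        # longer label (nordvpn-download.com), or a near-miss spelling.
        if lnorm in norm or levenshtein(norm, lnorm) <= max(1, len(lnorm) // 6):
            return "lookalike"
    return "unrelated"


def triage(hosts):
    """Map each hostname to its verdict; the input could be a proxy log's host column."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    # Constructed sample of hosts seen in outbound web traffic.
    sample = ["www.nordvpn.com", "nord-vpn.club", "nordvpn-download.com",
              "invoicesoftware360.xyz", "clipoffice.xyz", "example.org"]
    for host, verdict in triage(sample).items():
        print(f"{host:28} {verdict}")
```

Run against the sample, the script flags nord-vpn[.]club and invoicesoftware360[.]xyz but reports clipoffice[.]xyz as unrelated: that domain borrows the look of crystaloffice[.]com rather than its name, so name similarity alone cannot catch it. In practice, this kind of check is one input alongside newly-registered-domain and certificate-transparency feeds, and it does not replace verifying the downloaded installer's code signature against the vendor's.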
Researchers note that Win32.Bolik.2 is an improved version of the Win32.Bolik.1 Trojan discovered in 2016. The malware has the properties of a multicomponent polymorphic file virus, and researchers earlier suggested that Bolik descends from well-known banking Trojans such as Zeus and Carberp. With it, the attackers can perform web injections, intercept traffic and keystrokes, and steal data from bank-client (online banking) systems.
NordVPN’s Head of Public Relations Laura Tyrell sent BleepingComputer the following comment:
“Online scammers love to pretend to be trusted companies when trying to fool their victims. Because NordVPN is such a widely trusted online security company, scammers pretend to be us as well. They do this to steal users’ money or infect their PCs with malware.”
She also recommended the following:
Always double-check information if you have even the slightest suspicion. Also, never give out personal information that has no relation to our services, and never transfer your money via a wiring service. If you have any doubt, always contact NordVPN through one of our official channels.