The attackers who previously breached and abused the website of free multimedia editor VSDC to distribute the Win32.Bolik.2 banking Trojan have now switched their tactics.
While previously they hacked legitimate websites to hijack download links infected with malware, the hackers are now creating website clones to deliver banking Trojans onto unsuspecting victims’ computers.
This allows them to focus on adding capabilities to their malicious tools instead of wasting time by trying to infiltrate the servers and websites of legitimate businesses.
More to the point, they are actively distributing the bank Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website, an almost perfect clone of the official nordvpn.com site used by the popular NordVPN VPN service.
Thousands of potential victims
The cloned website also has a valid SSL certificate issued by open certificate authority Let’s Encrypt on August 3, with an expiration date of November 1.
“Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus,” state the Doctor Web researchers who spotted the campaign.
“Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.”
The operators behind this malicious campaign have launched their attacks on August 8, they are focusing on English-speaking targets and, according to the researchers, thousands have already visited the nord-vpn[.]club website in search of a download link for the NordVPN client.
The hacker behind Bolik banker worm is back. This time the malware is distributed via fake sites pretending to be NordVPN, Invoicesoftware360 and Clipoffice.
— Ivan Korolev (@fe7ch) August 19, 2019
“The actor is interested in english speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable,” Doctor Web malware analyst Ivan Korolev told BleepingComputer.
He also said that the hackers are using the malware “mainly as keylogger/traffic sniffer/backdoor” after successfully infecting their victims.
The infected NordVPN installers will actually install the NordVPN client to avoid raising suspicions while dropping the Win32.Bolik.2 Trojan malicious payload behind the scenes on the now compromised system.
Spreading malware via cloned sites
A cocktail of banking trojans and information stealers—Win32.Bolik.2 and Trojan.PWS.Stealer.26645 (Predator The Thief)—was also delivered to their targets by the same hacker group behind this malware campaign with the help of two other cloned websites in late June 2019:
This is not the first campaign these bad actors have used to infect their victims with malware since, as mentioned in the beginning, they also used to hack legitimate sites to hijack download links and replace them with their own malicious payloads.
Back in April, the website of the free multimedia editor VSDC was breached by the hackers, the second time in two years actually, with the download links being used to distribute the Win32.Bolik.2 banking trojan and the Trojan.PWS.Stealer (KPOT stealer) info stealer.
The users who downloaded and installed the compromised VSDC installer potentially infected their computers with the multi-component polymorphic banking Trojan, and had sensitive info stolen from browsers, their Microsoft accounts, various messenger apps, and several other programs.
Indicators of compromise of Win32.Bolik.2, Trojan.PWS.Stealer.26645 (Predator The Thief), AZORult, and BackDoor.HRDP.32 samples, as well as network indicators including command-and-control server and distribution domains, are provided by Doctor Web’s researchers on GitHub.
Update August 20, 09:07 EDT: NordVPN’s Head of Public Relations Laura Tyrell sent BleepingComputer the following comment: