Windows 10 News and info | Forum
June 01, 2020, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Hackers Use Fake NordVPN Website to Deliver Banking Trojan  (Read 148 times)
Hero Member
Offline Offline

Gender: Male
United States United States

Posts: 31444

I Do Windows

WWW Email
« on: August 19, 2019, 09:27:44 PM »

The attackers who previously breached and abused the website of free multimedia editor VSDC to distribute the Win32.Bolik.2 banking Trojan have now switched their tactics.

While previously they hacked legitimate websites to hijack download links infected with malware, the hackers are now creating website clones to deliver banking Trojans onto unsuspecting victims' computers.

This allows them to focus on adding capabilities to their malicious tools instead of wasting time by trying to infiltrate the servers and websites of legitimate businesses.

More to the point, they are actively distributing the bank Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website, an almost perfect clone of the official site used by the popular NordVPN VPN service.

Cloned NordVPN website

Thousands of potential victims

The cloned website also has a valid SSL certificate issued by open certificate authority Let’s Encrypt on August 3, with an expiration date of November 1.

"Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus," state the Doctor Web researchers who spotted the campaign.

"Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems."

The operators behind this malicious campaign have launched their attacks on August 8, they are focusing on English-speaking targets and, according to the researchers, thousands have already visited the nord-vpn[.]club website in search of a download link for the NordVPN client.

"The actor is interested in english speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable," Doctor Web malware analyst Ivan Korolev told BleepingComputer.

He also said that the hackers are using the malware "mainly as keylogger/traffic sniffer/backdoor" after successfully infecting their victims.

The infected NordVPN installers will actually install the NordVPN client to avoid raising suspicions while dropping the Win32.Bolik.2 Trojan malicious payload behind the scenes on the now compromised system.

Spreading malware via cloned sites

A cocktail of banking trojans and information stealers—Win32.Bolik.2 and Trojan.PWS.Stealer.26645 (Predator The Thief)—was also delivered to their targets by the same hacker group behind this malware campaign with the help of two other cloned websites in late June 2019:

• invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com)

• clipoffice[.]xyz (the original is crystaloffice[.]com)

This is not the first campaign these bad actors have used to infect their victims with malware since, as mentioned in the beginning, they also used to hack legitimate sites to hijack download links and replace them with their own malicious payloads.

Back in April, the website of the free multimedia editor VSDC was breached by the hackers, the second time in two years actually, with the download links being used to distribute the Win32.Bolik.2 banking trojan and the Trojan.PWS.Stealer (KPOT stealer) info stealer.

The users who downloaded and installed the compromised VSDC installer potentially infected their computers with the multi-component polymorphic banking Trojan, and had sensitive info stolen from browsers, their Microsoft accounts, various messenger apps, and several other programs.

Indicators of compromise of Win32.Bolik.2, Trojan.PWS.Stealer.26645 (Predator The Thief), AZORult, and BackDoor.HRDP.32 samples, as well as network indicators including command-and-control server and distribution domains, are provided by Doctor Web's researchers on GitHub.


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page March 28, 2020, 11:21:31 AM