Hackers Use Fake NordVPN Website to Deliver Banking Trojan

• invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com)

Nord account legit

Об этой странице

Мы зарегистрировали подозрительный трафик, исходящий из вашей сети. С помощью этой страницы мы сможем определить, что запросы отправляете именно вы, а не робот. Почему это могло произойти?

Эта страница отображается в тех случаях, когда автоматическими системами Google регистрируются исходящие из вашей сети запросы, которые нарушают Условия использования. Страница перестанет отображаться после того, как эти запросы прекратятся. До этого момента для использования служб Google необходимо проходить проверку по слову.

Источником запросов может служить вредоносное ПО, подключаемые модули браузера или скрипт, настроенный на автоматических рассылку запросов. Если вы используете общий доступ в Интернет, проблема может быть с компьютером с таким же IP-адресом, как у вас. Обратитесь к своему системному администратору. Подробнее.

Проверка по слову может также появляться, если вы вводите сложные запросы, обычно распространяемые автоматизированными системами, или же вводите запросы очень часто.

Hackers Use Fake NordVPN Website to Deliver Banking Trojan

Hackers Use Fake NordVPN Website to Deliver Banking Trojan

The attackers who previously breached and abused the website of free multimedia editor VSDC to distribute the Win32.Bolik.2 banking Trojan have now switched their tactics.

While previously they hacked legitimate websites to hijack download links infected with malware, the hackers are now creating website clones to deliver banking Trojans onto unsuspecting victims’ computers.

This allows them to focus on adding capabilities to their malicious tools instead of wasting time by trying to infiltrate the servers and websites of legitimate businesses.

More to the point, they are actively distributing the bank Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website, an almost perfect clone of the official nordvpn.com site used by the popular NordVPN VPN service.

Cloned NordVPN website

Thousands of potential victims

The cloned website also has a valid SSL certificate issued by open certificate authority Let’s Encrypt on August 3, with an expiration date of November 1.

“Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus,” state the Doctor Web researchers who spotted the campaign.

“Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.”

The operators behind this malicious campaign have launched their attacks on August 8, they are focusing on English-speaking targets and, according to the researchers, thousands have already visited the nord-vpn[.]club website in search of a download link for the NordVPN client.

“The actor is interested in english speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable,” Doctor Web malware analyst Ivan Korolev told BleepingComputer.

He also said that the hackers are using the malware “mainly as keylogger/traffic sniffer/backdoor” after successfully infecting their victims.

The infected NordVPN installers will actually install the NordVPN client to avoid raising suspicions while dropping the Win32.Bolik.2 Trojan malicious payload behind the scenes on the now compromised system.

Spreading malware via cloned sites

A cocktail of banking trojans and information stealers—Win32.Bolik.2 and Trojan.PWS.Stealer.26645 (Predator The Thief)—was also delivered to their targets by the same hacker group behind this malware campaign with the help of two other cloned websites in late June 2019:

• invoicesoftware360[.]xyz (the original is invoicesoftware360[.]com)

• clipoffice[.]xyz (the original is crystaloffice[.]com)

This is not the first campaign these bad actors have used to infect their victims with malware since, as mentioned in the beginning, they also used to hack legitimate sites to hijack download links and replace them with their own malicious payloads.

Back in April, the website of the free multimedia editor VSDC was breached by the hackers, the second time in two years actually, with the download links being used to distribute the Win32.Bolik.2 banking trojan and the Trojan.PWS.Stealer (KPOT stealer) info stealer.

The users who downloaded and installed the compromised VSDC installer potentially infected their computers with the multi-component polymorphic banking Trojan, and had sensitive info stolen from browsers, their Microsoft accounts, various messenger apps, and several other programs.

Indicators of compromise of Win32.Bolik.2, Trojan.PWS.Stealer.26645 (Predator The Thief), AZORult, and BackDoor.HRDP.32 samples, as well as network indicators including command-and-control server and distribution domains, are provided by Doctor Web’s researchers on GitHub.

Update August 20, 09:07 EDT: NordVPN’s Head of Public Relations Laura Tyrell sent BleepingComputer the following comment:

Online scammers love to pretend to be trusted companies when trying to fool their victims. Because NordVPN is such a widely trusted online security company, scammers pretend to be us as well. They do this to steal users’ money or infect their PCs with malware.

Always double-check information if you have even the slightest suspicion. Also, never give out personal information that has no relation to our services or transfer your money via wiring service. If you have any doubt, always contact NordVPN through one of our official channels.