New variant of Bolik banking trojan distributed via fake Fake NordVPN Website

• Win32.Bolik.2 banking trojan is now distributed via the cloned website (nord-vpn[.]club) of the official nordvpn.com site.
• This variant is capable of performing web injections, traffic intercepts, and keylogging.

What is the issue?

The latest variant of Bolik banking trojan dubbed ‘Win32.Bolik.2’ is distributed via cloned NordVPN website.

More details about the banking trojan

Earlier, Win32.Bolik.2 trojan was distributed via the website of free multimedia editor VSDC. Now, operators behind the banking trojan have switched their tactics to create website clones in order to distribute the trojan.

“The hacker behind Bolik banker worm is back. This time the malware is distributed via fake sites pretending to be NordVPN, Invoicesoftware360 and Clipoffice,” Doctor Web malware analyst Ivan Korolev tweeted.

• Win32.Bolik.2 banking trojan is now distributed via the cloned website (nord-vpn[.]club) of the official nordvpn.com site.
• This cloned site also has a valid SSL certificate issued by open certificate authority Let’s Encrypt on August 3,2019 with an expiration date of November 1, 2019.
• This malspam campaign executed via fake NordVPN website was launched on August 8, 2019, and targets English-speaking users.
• Users visiting the cloned website in search of a download link for the NordVPN client will be infected with NordVPN installers that install the NordVPN client while dropping the Win32.Bolik.2 Trojan malicious payload in the background.

“The actor is interested in english speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable,” Ivan Korolev told BleepingComputer.

Capabilities of Win32.Bolik.2

• This variant is capable of performing web injections, traffic intercepts, and keylogging.
• It can also steal information from various bank-client systems.

“The Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus. Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems,” Doctor Web researchers said in a blog.