Cybercriminals have created fake websites for the NordVPN virtual private network service and two office software products in an attempt to infect visitors with the Win32.Bolik.2 banking trojan, researchers report.
Launched on Aug. 8, the fake NordVPN site, nord-vpn[.]club, has drawn thousands of visitors so far this month, Dr.Web reports in an Aug. 19 company blog post. The site is very realistic, featuring the same overall design, color schemes and fonts as the genuine site, nordvpn.com. It even has a valid SSL certificate.
The criminals' website auto-downloaded the program when users visited it, and Bolik.2 came bundled with the app. The Dr.Web researchers call the trojan an upgraded version of Win32.Bolik.1, noting that it “has the qualities of a multi-component polymorphic file virus” and “is capable of performing web injections, traffic intercepts, keylogging and theft of information from different bank-client systems.”
The attackers launched a similar scheme last June, when they copied the sites of Invoice 360 Enterprise and Crystal Office Systems, both of which make business/office apps. Dr.Web experts say this scheme delivered not only Bolik.2 but also Trojan.PWS.ZStealer.26645, otherwise known as the information stealer Predator the Thief.
Last April, Dr.Web reported that the same cybercriminal group compromised the website of the video editing software VSDC and used its links to distribute the Bolik.2 and KPOT Stealer malware. In these more recent campaigns, however, no website compromise was necessary, as the attackers simply created their own fake sites instead.