While in the past legitimate sites were hacked to serve download links infected with malware, hackers now create site clones to deliver banking Trojans to the computers of unsuspecting victims. This allows them to focus on adding capabilities to their malicious tools, rather than wasting time trying to infiltrate the servers and websites of legitimate businesses.
A recent incident is the distribution of the active Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website. This is an almost perfect clone of the official nordvpn.com website used by the popular VPN service NordVPN. The cloned site also has a valid SSL certificate issued by Let's Encrypt on August 3, with an expiration date of November 1.
"Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has the properties of a polymorphic file virus," said Doctor Web researchers who detected the virus.
"Using this malware, hackers can perform web injections, monitor the traffic, record and steal information from different banking-client systems."
The hackers behind this malicious campaign launched their attacks on August 8, focusing on English-speaking targets. According to researchers, thousands of users, all likely victims, have already visited the nord-vpn[.]club site in search of a download link for the NordVPN client.
Take great care with the websites you visit and your online downloads.