Cybercriminals Send Malware Using Fake NordVPN Website

The cybercriminals responsible for breaching the website of the free video editor VSDC and using it to distribute malware have started creating fake websites for the same purpose.

Previously, the group had hacked into legitimate websites to use their download links to spread malware, but has now turned to cloning sites to deliver the Win32.Bolik.2 banking Trojan to unsuspecting users.

Cybercriminals have created a perfect clone of the NordVPN website to entice users to download the Win32.Bolik.2 banking Trojan found by Doctor Web researchers.

In addition to being an almost exact copy of the company's website, the cloned website even has a valid SSL certificate issued by the open certificate authority Let's Encrypt. This helps make the fake website look more legitimate, and because the certificate is valid, browsers show no certificate warning when users visit it.

In a blog post announcing their discovery, Doctor Web researchers explained what the Win32.Bolik.2 banking Trojan is capable of once it is installed on a user's device, stating:

"Win32.Bolik.2 Trojan is an enhanced version of Win32.Bolik.1 and has the qualities of a multi-component polymorphic file virus. Using this malware, hackers can perform web injections, intercept traffic, register keys and steal information in different customer / bank systems."

The cybercriminals behind this malicious campaign are targeting English-speaking users, and thousands of users have already visited the fake NordVPN website, according to researchers.

Users who visit the cloned site are invited to download the NordVPN client exactly as they would on the legitimate site. To avoid raising suspicion, the download from the fake site installs the VPN client itself but also leaves the Win32.Bolik.2 banking Trojan on the user's system.

As the group's tactics have paid off so far, expect other similar clone sites to be used in the future to infect users' systems with malware.

Via Bleeping Computer