Hackers use fake VPN website to deliver malware


The attackers who previously breached and abused the website of free multimedia editor VSDC to distribute the Win32.Bolik.2 banking Trojan have now switched their tactics.

Criminals are cloning the website of popular VPN software to try and trick users into downloading malware.

This allows them to focus on adding capabilities to their malicious tools instead of wasting time by trying to infiltrate the servers and websites of legitimate businesses.

They are actively distributing the Win32.Bolik.2 banking Trojan via the nord-vpn[.]club website, an almost perfect clone of the official nordvpn.com site used by the popular NordVPN VPN service.

The cloned website also has a valid SSL certificate issued by open certificate authority Let’s Encrypt on August 3, with an expiration date of November 1.
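A defender-side check for the cloned-domain pattern described above, as an added example that is not from the article or from Doctor Web: because the clone carries a valid certificate, the hostname itself is what gets compared against the official domain. The allowlist, the naive two-label domain split and the sample log lines are assumptions constructed for illustration.

```python
import re

# Domains the organisation treats as genuine (nordvpn.com is named in the article).
OFFICIAL = {"nordvpn.com"}

# Constructed proxy-log lines for illustration: "<timestamp> <client> <host> <path>".
SAMPLE_LOG = """\
2019-08-20T09:14:02Z 10.0.0.15 nordvpn.com /download
2019-08-20T09:15:40Z 10.0.0.22 nord-vpn[.]club /download
2019-08-20T09:16:05Z 10.0.0.31 downloads.nordvpn.com /client.exe
2019-08-20T09:17:11Z 10.0.0.40 example.org /index.html
"""

def registered_parts(host):
    """Split into (label, suffix) from the last two labels. Assumption: naive,
    ignores multi-part public suffixes such as co.uk."""
    parts = host.lower().replace("[.]", ".").rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(host):
    """Return 'official', 'lookalike' or 'unrelated' for one hostname."""
    label, suffix = registered_parts(host)
    if f"{label}.{suffix}" in OFFICIAL:
        return "official"
    skeleton = re.sub(r"[^a-z0-9]", "", label)  # nord-vpn -> nordvpn
    for domain in OFFICIAL:
        brand = domain.split(".")[0]
        if brand in skeleton or edit_distance(skeleton, brand) <= 1:
            return "lookalike"
    return "unrelated"

def flag_lookalikes(log_text):
    """Return (client, host) pairs for requests to lookalike domains."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and classify(fields[2]) == "lookalike":
            hits.append((fields[1], fields[2]))
    return hits
```

Calling `flag_lookalikes(SAMPLE_LOG)` returns the one client that requested the cloned domain; hits are candidates for review, since an unrelated site can legitimately contain the brand string.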

Using this malware, hackers can perform web injections, traffic intercepts, keylogging and steal information from different bank-client systems.

The operators behind this malicious campaign launched their attacks on August 8. They are focusing on English-speaking targets and, according to the researchers, thousands have already visited the nord-vpn[.]club website in search of a download link for the NordVPN client.

“The actor is interested in English-speaking victims (US/CA/UK/AU). However, he can make exceptions if the victim is valuable,” Doctor Web malware analyst Ivan Korolev told BleepingComputer.

He also said that the hackers are using the malware “mainly as keylogger/traffic sniffer/backdoor” after successfully infecting their victims.

The infected NordVPN installers actually install the NordVPN client to avoid raising suspicion, while dropping the malicious Win32.Bolik.2 Trojan payload behind the scenes on the now compromised system.

The cybercriminals behind this malicious campaign are focusing on English-speaking targets and thousands of users have already visited the fake NordVPN website according to the researchers.

Upon visiting the cloned site, users are prompted to download the NordVPN client just as they would be on the legitimate site. To avoid arousing suspicion, the fake site installs the actual VPN client but also leaves the Win32.Bolik.2 banking Trojan on a user’s system as well.

As the group’s tactics have been successful so far, expect to see other similar cloned sites being used to infect users’ systems with malware in the future.