With a new variant (Win32.Bolik.2) and an altered distribution method, the Bolik Trojan is back. In the past, the older version of Bolik was seen being passed off on VSDC, a free multimedia editor. Whoever is behind the trojan has now decided to distribute it through cloned sites that resemble NordVPN, Invoicesoftware360, and Clipoffice, with NordVPN being the most popular. The cloned NordVPN site has a valid SSL which was issued on August 3rd by Let’s Encrypt and it is set to expire on November 1st. It appears as if the campaign began on August 8th and it seeks English-speaking users as its potential victims, but if the target is valuable enough the attacker can make exceptions. If the site is visited and the users come across the download link and use it, the NordVPN installers begin to run while also loading the Win32.Bolik.2 payload in the background. This new version is able to carry out web injections, intercept traffic, perform keystroke logging, and also steal information from multiple bank client systems.
Analyst Notes
When searching for download links for third party programs or software, users should always make sure the site and/or link can be verified. Never attempt downloads from links that are sent in an email or other messages from an unknown sender.
