The Bolik Trojan is back with a new variant (Win32.Bolik.2) and an altered distribution method. The older version of Bolik was previously seen being passed off as VSDC, a free multimedia editor. Whoever is behind the trojan has now decided to distribute it through cloned sites that resemble NordVPN, Invoicesoftware360, and Clipoffice, with the NordVPN clone being the most popular. The cloned NordVPN site has a valid SSL certificate, issued on August 3rd by Let’s Encrypt and set to expire on November 1st. The campaign appears to have begun on August 8th and targets English-speaking users as its potential victims, although the attacker can make exceptions if a target is valuable enough. If a visitor follows the site’s download link, the NordVPN installer runs as expected while the Win32.Bolik.2 payload is loaded in the background. This new version can carry out web injections, intercept traffic, log keystrokes, and steal information from multiple bank client systems.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense