Bolik Banking Trojan

Bolik is an advanced polymorphic banking trojan currently targeting English-speaking countries.

In one instance researchers at Doctor Web spotted a spoofed website for the NordVPN service at nord-vpn[.]club. This website arrived with the same design and a similar domain name as NordVPN’s official web location. Like the legitimate website, this fake copy encouraged users to download a program to activate the VPN.

Bolik is typically delivered packaged within legitimate applications hosted on third-party sites, or via disguised download links on compromised legitimate sites. However, newer campaigns will use full copies of legitimate sites in an attempt to trick users into downloading the malware directly.

Bolik’s operator will take great care in producing these spoof sites, including using search engine optimisation and valid SSL certificates, in order to increase the likelihood of users visiting the sites.

Once installed, Bolik will attempt to extract user credentials from a number of applications, as well as attempting to phish sensitive information when users visit specific sites. Certain Bolik campaigns will also deliver the AZORult and Predator trojans.

Check of nord-vpn[.]club on VirusTotal shows as malicious

Indicators of Compromise

IP Addresses

  • 104.223.76[.]230
  • 185.225.17[.]154
  • 2.56.212[.]212
  • 2.56.213[.]96
  • 2.56.214[.]102
  • 2.56.215[.]159
  • 2.56.215[.]234
  • 213.252.245[.]146
  • 213.252.245[.]229

URLs

  • android-power[.]space
  • appnodejs[.]xyz
  • clipoffice[.]xyz
  • dns-master[.]club
  • invoicesoftware360[.]xyz
  • juster[.]icu
  • munsys[.]icu
  • nord-vpn[.]club
  • normpost[.]club
  • sync-time[.]info

Filenames

  • clbplus_bot.exe
  • codec_pack.exe
  • gk.exe
  • invoice.exe
  • Invoice360.exe
  • Invoice360ReportsBarcode.exe
  • Invoice360TemplateDesigner1.8.exe
  • NordVPN.exe
  • NordVPNSetup.exe
  • NordVPNSetup1s.exe
  • NordVPNSetup2s.exe
  • nord-sig.exe
  • video_converter.exe
  • video_editor_x32.exe
  • video_editor_x64.exe

SHA1 File Hashes

  • 0abd6ed3c7fb41943b1c5b5329bb1bcbed01f586
  • 14759c414f3f0d05dca7bfdbb827a351ccc86651
  • 280b3d53ce23ef27f222a979b58bbaf6a25629e9
  • 30fa0e961c4c2b43a977eca4639edf058c52a6e6
  • 453c428edda0fc01b306cc6f3252893fce9763a7
  • 59f511ea1e34753f41a75e05de96456ca28f14a7
  • 5bfa31e2d6930d492abba4b2c574d15a20b45823
  • 69724850494cef5343008afbea0b88076d153bd1
  • 6f681bb7190c6d808e43ab929c3891759b0fe5c9
  • 7d6c24992eff0d64f19c78f05ea95ae44bc83af1
  • 9562a8f3f9d150eb7395d6de35caca8aa416dd74
  • 9c520a412bd3fe627848bc56c1cc7385be35edef
  • aa91162d43f54b61d9dba5c76724942da61242df
  • d39c320c3a43873db2577b2c9c99d9bf2bdb285c
  • d5ed3c70a8d7213ed1b9a124bbc1942e2b8cfeea
  • e89efde8ae72857b1542e3ae47f047c54b3d341a
  • f2f2005062f6de7844b05b1d92f2a52cbec01e6a
  • fbe8f9be579dddd2bcb109ea5107005e7d914c6d

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: