The Win32.Bolik.2 Trojan is an improved version of Win32.Bolik.1 and has the qualities of a multicomponent polymorphic file virus. Using this malware, attackers can perform web injections, intercept traffic, log keystrokes and steal information from various bank-client systems.

Win32.Bolik.2 is a polymorphic, multicomponent banking Trojan that is configured to act as a keylogger, perform web injections, collect online banking data, intercept traffic and more. It can also execute CMD commands and create RDP reverse connections. Win32.Bolik.2 is an updated version of Carberp, a Trojan that takes control of the browser to transmit the information it collects from infected machines.

The operators of the Bolik banking Trojan are back. This time the malware is distributed via fake sites impersonating NordVPN, Invoicesoftware360 and Clipoffice.

The cloned NordVPN site also has a valid TLS certificate, issued by the open certificate authority Let's Encrypt on August 3, 2019 and expiring on November 1, 2019. The browser padlock therefore says nothing about who runs the site: Let's Encrypt issues a certificate to anyone who can prove control of a domain name, so a look-alike domain obtains one as easily as the genuine one.

Users who visit the cloned website looking for a download link for the NordVPN client receive a trojanized installer: it installs the genuine NordVPN client while dropping the Win32.Bolik.2 payload in the background.

To make things worse, Win32.Bolik.2 does not come alone: it drags another threatening Trojan, Trojan.PWS.Stealer, onto the infected computer. The operators have also used a different distribution method before: malicious JavaScript embedded in the VSDC website determined the geolocation of visitors and substituted the download links with links to a malicious site. Banking Trojans can be very harmful because, once they have obtained the login credentials, they can perform actions while posing as the legitimate owner of the account.

Instead of having to compromise software companies' websites and hijack their download links, as they did with VSDC, the attackers can simply host the malicious installers on cloned websites.
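The VSDC incident above is a link-substitution attack: the page looks normal, but the installer link points somewhere else. The following is an added example (not code from the article or from any vendor mentioned in it) of the check a site owner or an analyst can run against a download page: collect every installer link, resolve it against the page URL, and flag any whose host is outside a known allow-list or is a bare IP address. The HTML, the page URL and the hostnames are constructed for the demo.

```python
"""Flag installer links on a vendor download page that leave the vendor's hosts.

Added example, not part of the original article. Assumes the legitimate
download hosts are known in advance; the sample HTML and all hostnames below
are constructed and hypothetical.
"""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urljoin, urlsplit

INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".dmg")


class LinkCollector(HTMLParser):
    """Collects href targets of <a> tags, resolved against the page URL."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                # Relative links resolve to the page's own host.
                self.links.append(urljoin(self.page_url, value))


def is_ip_literal(host):
    """True for hosts written as IPv4/IPv6 literals (a common swap target)."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_download_links(html, page_url, allowed_hosts):
    """Return (link, reason) pairs for installer links on unexpected hosts."""
    parser = LinkCollector(page_url)
    parser.feed(html)
    flagged = []
    for link in parser.links:
        parts = urlsplit(link)
        if not parts.path.lower().endswith(INSTALLER_SUFFIXES):
            continue  # only download artefacts matter here
        host = parts.hostname or ""  # hostname is already lower-cased
        if is_ip_literal(host):
            flagged.append((link, "bare IP address host"))
        elif host not in allowed_hosts:
            flagged.append((link, "host not in allow-list"))
    return flagged


# Constructed sample page: two legitimate links and one that has been
# swapped to a hypothetical attacker-controlled host.
SAMPLE_PAGE_URL = "https://www.example-vendor.test/download"
SAMPLE_HTML = """
<html><body>
<a href="/files/editor-setup.exe">Download (x64)</a>
<a href="https://downloads.example-vendor.test/editor-setup-x86.exe">Download (x86)</a>
<a href="https://cdn-mirror.example.test/editor-setup.exe">Mirror</a>
<a href="/docs/manual.html">Manual</a>
</body></html>
"""
ALLOWED_HOSTS = {"www.example-vendor.test", "downloads.example-vendor.test"}

if __name__ == "__main__":
    for link, reason in suspicious_download_links(SAMPLE_HTML, SAMPLE_PAGE_URL, ALLOWED_HOSTS):
        print(f"{reason}: {link}")
```

Because the VSDC injection rewrote links with JavaScript based on the visitor's geolocation, a check of the raw HTML only sees what the server returned to that vantage point; to catch the swap you must feed this function the rendered DOM, and fetch the page from the regions being targeted.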

How the Bolik Banking Trojan works

The malware inherits some technical solutions from the well-known banking Trojans Zeus (Trojan.PWS.Panda) and Carberp, but unlike them it can spread without user involvement and infect executable files. Once the operators activate the self-propagation function, Bolik starts enumerating writable folders in the Windows Network Neighborhood (shared folders) and on USB-connected devices, looks for executable files stored there and infects them. The virus can infect both 32-bit and 64-bit applications.
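A file infector that rewrites executables on shares and removable media leaves one reliable trace: the hash of an .exe that nobody should have touched changes. The following is an added example (not the article's or any vendor's code) of a baseline-and-recheck script for that: it walks a tree, identifies PE files by their headers, records each file's bitness (PE32 versus PE32+, matching the 32-bit and 64-bit targets mentioned above) and SHA-256, and reports which executables differ from the baseline. The directory contents, the stub executables and the simulated infection are constructed for the demo.

```python
"""Baseline executables on removable media or writable shares and report changes.

Added example, not part of the original article. The PE stubs, the directory
tree and the simulated infection below are constructed for the demo; real use
would point baseline() at the mounted share or USB drive.
"""
import hashlib
import os
import struct
import tempfile

MAGIC_PE32 = 0x10B      # optional-header magic for 32-bit images
MAGIC_PE32PLUS = 0x20B  # optional-header magic for 64-bit images


def pe_bitness(data):
    """Return 32, 64, or None if the bytes are not a recognisable PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4 bytes) + COFF header (20 bytes) + optional-header magic (2 bytes)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    return {MAGIC_PE32: 32, MAGIC_PE32PLUS: 64}.get(magic)


def baseline(root):
    """Map each PE file under root (relative path, '/'-separated) to (bitness, sha256)."""
    result = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()  # fine for installers; stream for very large files
            bits = pe_bitness(data)
            if bits is None:
                continue  # not an executable image, ignore
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            result[rel] = (bits, hashlib.sha256(data).hexdigest())
    return result


def changed_executables(old, new):
    """Paths whose hash or bitness changed, plus PE files that appeared since the baseline."""
    return sorted(p for p, v in new.items() if old.get(p) != v)


def make_pe_stub(bitness):
    """Build a minimal byte blob that pe_bitness() recognises (demo input only)."""
    e_lfanew = 0x40
    header = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    magic = MAGIC_PE32 if bitness == 32 else MAGIC_PE32PLUS
    machine = 0x14C if bitness == 32 else 0x8664  # IMAGE_FILE_MACHINE_I386 / AMD64
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0, 0)
    return bytes(header) + b"PE\0\0" + coff + struct.pack("<H", magic)


def demo():
    """Create a throwaway tree of stub executables, 'infect' one, and re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "tools"))
        files = {
            "setup.exe": make_pe_stub(32),
            "tools/report.exe": make_pe_stub(64),
            "readme.txt": b"plain text, not a PE file",
        }
        for rel, data in files.items():
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(data)
        before = baseline(root)
        # Simulate an infector appending its code to one executable in place.
        with open(os.path.join(root, "tools", "report.exe"), "ab") as fh:
            fh.write(b"\xcc" * 16)
        after = baseline(root)
        return changed_executables(before, after)


if __name__ == "__main__":
    print("modified executables:", demo())
```

Store the baseline somewhere the share or USB stick cannot write to; a baseline kept on the same medium can be updated by the same infector.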

If the user runs an infected application, the virus decrypts the banking Trojan and runs it directly in the memory of the attacked computer, without saving it to disk. The malware has specific mechanisms that hinder antivirus software: in particular, it can change parts of its own code and structure on the fly, and its architecture includes a kind of padding ("moderators" in the original description) made up of many loops and repetitive instructions that impede analysis.

Bolik's main purpose is to steal valuable information from clients of Russian banks. To do this it uses a variety of tools. For example, the virus can intercept and modify the data sent to and from the Internet Explorer, Chrome, Opera and Firefox browsers, and it can steal information the user enters into on-screen forms.

Bolik's arsenal also includes a module for capturing screenshots and logging user keystrokes (a keylogger). Bolik can set up its own proxy server and a web server on the infected machine, which lets the attackers exchange files with it. The virus can also establish so-called "reverse connections": the infected host initiates the connection outward, so the criminals can communicate with infected computers that sit behind a firewall or have no external IP address, that is, computers working in a network that uses NAT (Network Address Translation). All information Bolik exchanges with its command-and-control server is encrypted and compressed.
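A reverse connection is invisible to inbound firewall rules and NAT because the victim dials out, and Bolik's encrypted, compressed C2 traffic defeats content inspection; what remains visible is egress timing. The following is an added example (not code from the article or from any product) of the simplest detection that exploits this: group outbound connections from egress logs by source, destination and port, and flag flows whose connection intervals are too regular to be human. The log format, timestamps and addresses are constructed for the demo.

```python
"""Flag periodic outbound flows in egress logs (reverse-connection beacons).

Added example, not part of the original article. The log format and every
address below are constructed; the thresholds are starting points to tune.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed egress log: "<ISO timestamp> <src> <dst>:<port> <bytes_out>".
# 10.0.0.15 polls 198.51.100.7:443 every five minutes; the rest is ad hoc browsing.
SAMPLE_LOG = """\
2019-08-05T09:00:00 10.0.0.15 198.51.100.7:443 512
2019-08-05T09:00:04 10.0.0.15 203.0.113.50:80 2048
2019-08-05T09:05:00 10.0.0.15 198.51.100.7:443 498
2019-08-05T09:10:00 10.0.0.15 198.51.100.7:443 530
2019-08-05T09:12:31 10.0.0.22 203.0.113.50:80 1400
2019-08-05T09:15:00 10.0.0.15 198.51.100.7:443 501
2019-08-05T09:20:00 10.0.0.15 198.51.100.7:443 515
2019-08-05T09:31:10 10.0.0.22 203.0.113.50:443 9000
"""


def parse_log(text):
    """Yield (timestamp, src, dst, port) from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_port, _bytes_out = line.split()
        dst, port = dst_port.rsplit(":", 1)
        yield datetime.fromisoformat(ts), src, dst, int(port)


def beacon_candidates(text, min_connections=4, max_jitter=0.2):
    """Return (src, dst, port, mean_interval_seconds) for regular outbound flows.

    A flow counts as regular when it has at least min_connections events and
    the population standard deviation of the gaps between them is at most
    max_jitter times the mean gap. A host that phones home on a timer shows
    up this way; interactive browsing of the same destination does not.
    """
    flows = defaultdict(list)
    for ts, src, dst, port in parse_log(text):
        flows[(src, dst, port)].append(ts)
    hits = []
    for key, times in flows.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            hits.append((*key, avg))
    return hits


if __name__ == "__main__":
    for src, dst, port, interval in beacon_candidates(SAMPLE_LOG):
        print(f"{src} -> {dst}:{port} every {interval:.0f}s")
```

Real implants usually add jitter and may rotate ports, so in practice raise max_jitter, group by destination only, and confirm a hit by checking whether the destination is a known service before escalating.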

How to prevent a Bolik Banking Trojan infection

Be careful with emails that contain attachments or web links, especially when they come from unknown or suspicious addresses. Unsolicited or irrelevant emails should not be trusted, and the files attached to them should not be opened.

Software should be downloaded from official, trustworthy websites and updated with the tools or built-in functions that the official developers provide. Given that Bolik was delivered inside a working NordVPN installer from a look-alike site with a valid certificate, also check the installer's digital signature against the vendor's name, or its hash against one the vendor publishes, before running it. Installed software should not be activated with third-party "cracking" tools, since they are illegal and often carry infections. Keep reputable anti-virus or anti-spyware software installed and enabled.

Security professionals can help defend against banking Trojans like Bolik by using artificial intelligence capabilities to speed up their automated malware remediation.

Companies should also consider investing in a unified endpoint management (UEM) solution that uses compliance rules to automate remediation and removes malware automatically as soon as it is discovered on an in-scope endpoint.