Fake NordVPN Web Site Drops Banking Malware Spotted in the Wild

Wednesday, September 11, 2019

Fake NordVPN Web Site Drops Banking Malware Spotted in the Wild

I've recently came across to a rogue NordVPN web site distributing malicious software potentially exposing NordVPN users to a multi-tude of malicious software further compromising the confidentiality availability and integrity of the targeted host to a multi-tude of malicious software.

In this post, I'll provide actionable intelligence on the infrastructure behind the campaign and discuss in-depth the tactics techniques and procedures of the cybercriminals behind it.

Sample malicious URL known to have participated in the campaign:
hxxp://nord-vpn.club - 192.64.119.159; 2.56.215.159

Sample malicious MD5s known to have participated in the campaign:
MD5: 3c24aa2c26e3556194ffd182a4dfaae5a41f
MD5: 7d6c24992eff0d64f19c78f05ea95ae44bc83af1
MD5: d39c320c3a43873db2577b2c9c99d9bf2bdb285c
MD5: d5ed3c70a8d7213ed1b9a124bbc1942e2b8cfeea
MD5: e89efde8ae72857b1542e3ae47f047c54b3d341a
MD5: 59f511ea1e34753f41a75e05de96456ca28f14a7
MD5: 453c428edda0fc01b306cc6f3252893fce9763a7

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com