Experts from Chinese security firm Qihoo 360 Total Security discovered that attackers hijacked the download links of the popular audio and video editor, VSDC.
The experts discovered that hackers hijacked download links on the websites in three different periods, the links were pointing to servers they were operating.
The attackers gained access to the administrative server part of the site and replaced the links to the distribution file of the program.
The experts discovered that attacks were registered from an IP address in Lithuania – 185[.]25.51.133.
“360 Security Center discovered the download links of a famous audio and video editor, VSDC (http://www.videosoftdev.com), has been hijacked in official website. The computer will be injected by theft Trojan, keylogger and remote control Trojan after the program is downloaded and installed.” reads the analysis published by Qihoo 360 Total Security.
Below the details of the three different attacks:
VSDC confirmed the incident and fixed the links on its website.
The first and third periods affected the most users that were infected with three different pieces of malware.
VSDC users were receiving a JavaScript file disguised as VSDC software that acted as a downloader for a PowerShell script, which, in turn, would download three malicious payloads, an infostealer, a keylogger, and a remote access trojan (RAT).
The infostealer hijacks sensitive information including Telegram account / password, Steam account / password, Skype chat log, Electrum wallet and screenshot from victims’ machine. Data are sent back to hxxp://system-check.xyz/index.php.
The keylogger records all keyboard actions and sends the record to hxxp://wqaz.site/log/index.php.
The third file is a Hidden VNC remote control Trojan that could be used by attackers to control the infected PC.
The security researcher Ivan Korolev from Dr.Web revealed that the third file is a version of DarkVNC, a lesser known RAT.
The third trojan that is screenshoted by Qihoo is DarkVNC, not a TVRAT or SpyAgent. However, they might have replaced the file before it was analyzed by @malwrhunterteam
— Ivan Korolev (@fe7ch) July 12, 2018
“This domain name hijacking is a global attack and has affected more than thirty countries. It is more likely to be a Supply Chain Attack instead of a local network hijacking.” continues the analysis.
“On behalf of VSDC team we’d like to inform our users that the attacks have been stopped and all the vulnerabilities detected and removed”
1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our practice has shown, 10-12 character passwords made of random characters are not complex enough, so they have their length significantly increased.
2. Two-level authentication of access to the administrative part at the IIS server level was introduced.
3. On the server currently there is a utility that checks all files for validity.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(Security Affairs – VSDC, hacking)
[adrotate banner=”5″]
[adrotate banner=”13″]