Hijacked VSDC video editor site distributed data-stealing malware

VSDC video and audio editing software site was hijacked again: download links infected with Win32.Bolik.2 banking trojan and KPOT stealer

Security researchers uncovered a VSDC site compromise: the download links of a popular video editing tool were swapped for builds bundling a banking trojan and an info-stealer

Security experts from Dr. Web published a report[1] stating that the official website of the popular multimedia editing software VSDC was distributing malware between late February and late March this year. According to the researchers, the download links for the program were hijacked, which allowed the attackers to ship the Win32.Bolik.2 banking trojan and Trojan.PWS.Stealer (KPOT stealer) alongside the original VSDC application.

VSDC is a free application, and its official download site attracts almost 1.3 million monthly visitors, so a large number of users were at risk of infection. Given that audience, the developers' security measures have proved insufficient once again: the site was already hijacked several times last summer. At that time, the download links executed a JavaScript file that went on to install the AZORult stealer, the X-Key keylogger and the DarkVNC backdoor.[2]
</gre_replace>
<gr_replace lines="11" cat="clarify" orig="According to VSDC video editor">
According to the VSDC video editor's authors, the intrusion most likely resulted from an unpatched software vulnerability, which has since been fixed following Dr. Web's report.

According to VSDC video editor authors, the culprit for such intrusion occurred most likely due to unpatched software vulnerability, which has been fixed since the time of the official report by Dr. Web.

Hackers took a different approach than previously

While the previous attackers managed to access the administrative servers, this time they took advantage of one of the developers' machines. Dr. Web states that the site was compromised several times between February 21st and March 23rd, and that the attackers changed their distribution tactics.

Instead of swapping the files outright, they embedded malicious JavaScript code in the VSDC website. Its task was to determine the visitor's geolocation and replace the download links only for users from the UK, USA, Canada and Australia. The site's own links were substituted with links to another compromised website:

  • https://thedoctorwithin[.]com/video_editor_x64.exe
  • https://thedoctorwithin[.]com/video_editor_x32.exe
  • https://thedoctorwithin[.]com/video_converter.exe

In the previous incident the attackers tried to infect as many users as possible; this time the targeting was location-based, and visitors outside the USA, UK, Canada and Australia received the legitimate downloads, which also made the substitution harder to notice.
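The following is an added example, not code from the article, from Dr. Web or from VSDC. It models the geolocation-keyed link substitution described above and pairs it with the check a site operator or incident responder would want: flagging any executable download link that points away from the site's own host. The anchors, the `downloads.vsdc.example` host and the `substituteLinks`/`findOffsiteExecutableLinks` names are assumptions made for the illustration; only the attacker-side URLs are the ones quoted in the article.

```javascript
"use strict";

// Constructed sample: the download-page anchors as the browser would see
// them. The host and paths are placeholders, not the real site's.
const ORIGINAL_ANCHORS = [
  { id: "dl-x64",  href: "https://downloads.vsdc.example/video_editor_x64.exe" },
  { id: "dl-x32",  href: "https://downloads.vsdc.example/video_editor_x32.exe" },
  { id: "dl-conv", href: "https://downloads.vsdc.example/video_converter.exe" },
  { id: "help",    href: "https://downloads.vsdc.example/help" },
];

// Countries the injected script targeted, per the Dr. Web report.
const TARGETED_COUNTRIES = new Set(["US", "GB", "CA", "AU"]);

// Original file name -> attacker-controlled URL (the compromised third-party
// host named in the article, kept defanged with "[.]").
const REPLACEMENTS = {
  "video_editor_x64.exe": "https://thedoctorwithin[.]com/video_editor_x64.exe",
  "video_editor_x32.exe": "https://thedoctorwithin[.]com/video_editor_x32.exe",
  "video_converter.exe":  "https://thedoctorwithin[.]com/video_converter.exe",
};

// Models what the injected script did: visitors geolocated to a targeted
// country get their download links rewritten, everyone else sees the
// untouched page. Returns a new array; the input is not mutated.
function substituteLinks(anchors, countryCode) {
  if (!TARGETED_COUNTRIES.has(countryCode)) {
    return anchors.map((a) => ({ ...a }));
  }
  return anchors.map((a) => {
    const file = a.href.slice(a.href.lastIndexOf("/") + 1);
    const replacement = REPLACEMENTS[file];
    return replacement ? { ...a, href: replacement } : { ...a };
  });
}

// Defender-side check: an executable download whose host is not one of the
// site's own hosts is suspicious. Defanged "[.]" is normalised so the URL
// parser accepts it; an href that still fails to parse is flagged too.
function findOffsiteExecutableLinks(anchors, allowedHosts) {
  const executable = /\.(exe|msi)$/i;
  const flagged = [];
  for (const a of anchors) {
    let url;
    try {
      url = new URL(a.href.replace(/\[\.\]/g, "."));
    } catch (e) {
      flagged.push(a);
      continue;
    }
    if (executable.test(url.pathname) && !allowedHosts.has(url.hostname)) {
      flagged.push(a);
    }
  }
  return flagged;
}

// Stand-alone run: compare what a German and a US visitor would receive.
const ALLOWED_HOSTS = new Set(["downloads.vsdc.example"]);
for (const cc of ["DE", "US"]) {
  const seen = substituteLinks(ORIGINAL_ANCHORS, cc);
  const bad = findOffsiteExecutableLinks(seen, ALLOWED_HOSTS);
  console.log(cc, "off-site executable links:", bad.map((a) => a.id));
}
```

The check is deliberately run against the rendered anchors rather than the server-side template: the injected script only altered what the browser saw, so a crawler that fetches the HTML without executing JavaScript, or from a non-targeted country, would have reported the page as clean.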

Hundreds of users were infected with at least one of the hosted threats

Initially, the attackers served the Win32.Bolik.2 trojan through the malicious download links. Like its predecessor Win32.Bolik.1, it is a dangerous piece of malware that can cause significant damage to each infected victim. Its list of capabilities is extensive:

  • Infects 32-bit and 64-bit versions of Windows;
  • Logs users' keystrokes;
  • Takes screenshots;
  • Steals login credentials from banking apps;
  • Intercepts traffic;
  • Performs web infections;
  • Launches reverse RDP connections to execute CMD commands.

According to Dr. Web research, as many as 565 users downloaded and installed the malicious payload that contained Win32.Bolik.2.

In the meantime, the secondary payload Trojan.PWS.Stealer (KPOT Stealer) was added to the malicious downloads on March 22nd and was downloaded and installed 83 times. This malware is capable[3] of taking screenshots and stealing browser cookies, a variety of files, and credentials saved on the computer for various accounts.

If you downloaded the malicious payload – take action immediately

Anyone who downloaded the VSDC video and audio editing software during the period of compromise should take action immediately: install a security application, bring it up to date, and perform a full system scan. Because both payloads harvest saved credentials and keystrokes, treat any passwords stored on or typed into the machine during that window as exposed and change them from a clean device. After all the threats are eliminated, you should

This incident shows once more how important security measures are for every developer who distributes software from an official website. It seems the VSDC developers did not anticipate the software becoming so popular, and the security of the download site was overlooked as a result. Given how the official CCleaner[4] and ASUS[5] applications were compromised and infected millions of users, software authors still have a lot to learn about cybersecurity.

About the author
Lucia Danes - Virus researcher

Lucia is a News Editor for 2spyware. She has long experience working in the malware and technology fields.
