VSDC video and audio editing software site was hijacked again: download links infected with Win32.Bolik.2 banking trojan and KPOT stealer
Security experts from Dr. Web published a report which claims that the official website of the popular multimedia editing software VSDC was distributing malware between late February and late March this year. According to the researchers, the download links for the program were hijacked, which allowed the attackers to distribute the dangerous Win32.Bolik.2 banking trojan and Trojan.PWS.Stealer (KPOT stealer) alongside the original VSDC application.
According to the VSDC video editor authors, the intrusion was most likely caused by an unpatched software vulnerability, which has been fixed since the time of Dr. Web's official report.
Hackers took a different approach than previously
While previously the attackers managed to access the administrative servers, this time they took advantage of one of the developer's machines. Dr. Web claims that the compromise occurred several times between February 21st and March 23rd, and the hackers used different compromise tactics:
Over 700 users were infected with at least one of the hosted parasites
Initially, the hackers incorporated the Win32.Bolik.2 trojan within the malicious download links. This infection, similar to its predecessor Win32.Bolik.1, is dangerous malware that can cause significant damage to each infected victim. Its list of capabilities is pretty impressive:
- Infects 32-bit and 64-bit versions of Windows;
- Logs users' keystrokes;
- Takes screenshots;
- Steals login credentials from banking apps;
- Intercepts traffic;
- Performs web infections;
- Launches reverse RDP connections to execute CMD commands.
According to Dr. Web research, as many as 565 users downloaded and installed the malicious payload that contained Win32.Bolik.2.
In the meantime, the secondary payload Trojan.PWS.Stealer (or KPOT Stealer), introduced into the malicious download links on March 22nd, was downloaded and installed 83 times. This malware can take screenshots and steal browser cookies, a variety of files, and credentials saved on the computer for various accounts.
If you downloaded the malicious payload – take action immediately
Those who downloaded the VSDC video and audio editing software during the time of the compromise should immediately take action: install a security application, bring it up to date, and perform a full system scan. After all the threats are eliminated, you should
This instance only proves how important security measures are to all app developers that distribute their software on official websites. It seems that the VSDC devs did not anticipate the software becoming so popular, so the security measures may have been overlooked. However, looking at how the official CCleaner and ASUS apps were compromised and infected millions of users, software authors still have a lot to learn about cybersecurity.