
Hackers have breached the website of VSDC, a popular company that provides free audio and video conversion and editing software.

Three different incidents have been recorded during which hackers changed the download links on the VSDC website with links that initiated downloads from servers operated by the attackers.

Below is a timeline of the hacks and link swaps, according to Chinese security firm Qihoo 360 Total Security, whose experts spotted the hijacks last week.

First hack: June 18
Download link swapped with: hxxp://5.79.100.218/_files/file.php

Second hack: July 2
Download link swapped with: hxxp://drbillbailey.us/tw/file.php

Third hack: July 6
Download link swapped with: hxxp://drbillbailey.us/tw/file.php

Qihoo experts said the first and third hijacks were the ones at a larger scale and affected the most users.
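The hijack described above worked by swapping the download links on the vendor's own page for links to attacker-controlled servers. As an added example (not code from the article, VSDC, or Qihoo), the following monitor parses a download page and flags any link that leaves an expected set of hosts or drops HTTPS; the trusted host names and the sample page are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the vendor's installers are expected to come from. These are
# assumed values for the example, not VSDC's real configuration.
TRUSTED_HOSTS = {"www.videosoftdev.com", "videosoftdev.com"}


class _AnchorCollector(HTMLParser):
    """Collect (href, link text) for every <a> element on the page."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_hijacked_links(html, trusted_hosts=TRUSTED_HOSTS):
    """Return (text, href, reason) for anchors off the trusted hosts or on HTTP."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        parts = urlparse(href)
        if not parts.netloc:
            continue  # relative link, same origin as the page itself
        host = (parts.hostname or "").lower()
        if host not in trusted_hosts:  # another domain or a bare IP
            findings.append((text, href, f"untrusted host {host}"))
        elif parts.scheme != "https":
            findings.append((text, href, "download link downgraded to HTTP"))
    return findings


# Constructed sample page: a legitimate button followed by a swapped link
# in the style of the hijack (an external IP serving a file.php dropper).
SAMPLE_PAGE = """
<a href="https://www.videosoftdev.com/files/video_editor.exe">Download</a>
<a href="/features">Features</a>
<a href="http://203.0.113.7/_files/file.php">Download Free Video Editor</a>
"""
```

Run `find_hijacked_links(SAMPLE_PAGE)` on a schedule against the live page and alert on any non-empty result; a diff against the previous run also catches links that change between fetches.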

Users infected with three different malware strains

Users who downloaded VSDC software on those days have been infected with three different malware strains. Qihoo says victims received a JavaScript file disguised as VSDC software. This file would download a PowerShell script, which, in turn, would download three other files: an infostealer, a keylogger, and a remote access trojan (RAT).

The infostealer is capable of recovering Telegram account passwords, Steam account passwords, Skype chats, and Electrum wallet data, and can also take screengrabs of the victim's PC. All collected data is uploaded to an attacker's server at system-check.xyz.

The keylogger is nothing special, collecting keystrokes and uploading them to wqaz.site.

Qihoo describes the third file as a VNC module that grants the attacker control over an infected user's PC. While Qihoo did not specifically identify this malware, Ivan Korolev, a security researcher with Dr.Web, says the file was a version of DarkVNC, a lesser-known RAT.

VSDC admits to breach, says it fixed its site

To its credit and unlike many companies nowadays, VSDC admitted to the hacks in an email to Bleeping Computer.

"Unfortunately, we did have hacker attacks, but they have already been stopped and all the vulnerabilities detected and removed," Alexander Galkin, a VSDC Project Manager told us.

Galkin added:

Using both our own resources and third-party experts, an unscheduled audit of the VSDC website has been conducted. It’s been revealed that the attackers hacked the administrative part of the site and replaced the links to the distribution file of the program. It is worth mentioning that the distributives themselves were not damaged.

Attacks were registered from an IP address in Lithuania - 185.25.51.133

What has been done to cope with that:

1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our experience has shown, 10-12 character passwords made of random characters are not complex enough, so now they have their length and complexity significantly increased.
2. The two-level authentication of access to the administrative part at the IIS server level has been introduced.
3. A special antivirus utility has been installed on the server that checks all the files for validity.

We’d like to assure all our users that all the required security and prevention measures have been taken and will be regularly updated. The access to the administrative server part will be regularly checked.
