Si Cyber Intel: VSDC Site Compromised Once Again Spreading Information Stealing Malware
Once again the free multimedia editor website VSDC has been compromised by hackers. But this time the download links are being used to distribute a malicious banking trojan and info stealer.
The banking trojan, known as "Win32.Bolik.2", is designed to intercept traffic, perform web injections and key-logging, and steal sensitive information from bank-client systems. The information stealer, identified as "Trojan.PWS.Stealer" and commonly known as "KPOT Stealer", works alongside it by harvesting information from browsers, popular messengers, Microsoft accounts and other programs. Researchers have found that, once the downloaded file is executed on the victim's machine, it infects the system with a multicomponent polymorphic banking trojan.
With around 1.3 million users visiting VSDC's website each month, this cyberattack is considered serious due to the sheer volume of potential victims and also because this isn't the first security breach that the Chinese company has suffered.
VSDC reported that they had successfully patched the vulnerability on their website; however, researchers from Doctor Web have discovered that the compromise has recurred several times since.
How to protect your organisation?
The best defence for users and organisations against such attacks is to keep all software up to date by applying patches regularly.
Indicators of compromise
The following indicators of compromise can be noted:
- Malware: KPOT Stealer
- IP Addresses: 184.108.40.206, 220.127.116.11, 18.104.22.168
- Domains: appnodejs.xyz, sync-time.info
- Company: Microsoft
- Source: Bleeping Computer
- Malware Category: Banking Trojan
Previous VSDC security breaches
VSDC was compromised several times in 2018, when experts from the Chinese security firm Qihoo 360 Total Security discovered that hackers had hijacked download links on the website during three different periods, pointing the links to servers the attackers were operating. The attackers gained access to the administrative part of the site and replaced the links to the program's distribution file.
Qihoo 360 Total Security advised at the time that, after the program was downloaded and installed, victims' computers were infected with a theft Trojan, a keylogger and a remote control Trojan, and that the attacks were registered from an IP address in Lithuania, 185[.]25.51.133.
Below are the details of the three previous attacks:
- June 2018 – Hackers substituted download links with hxxp://22.214.171.124/_files/file.php
- July 2, 2018 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
- July 6, 2018 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
At the time, VSDC confirmed these incidents and fixed the links on its website.
The infostealer hijacked sensitive information including Telegram account / password, Steam account / password, Skype chat log, Electrum wallet and screenshots from the victim’s machine. Data was then sent back to hxxp://system-check.xyz/index.php.
The keylogger recorded all keyboard actions and sent the record to hxxp://wqaz.site/log/index.php. The third file was a Hidden VNC remote control Trojan that could be used by attackers to control the infected PC.
The security researcher Ivan Korolev from Dr.Web revealed that the third file was a version of DarkVNC, a lesser-known RAT. He also stated that the domain name hijacking was a global attack affecting more than 30 countries and was more likely a supply chain attack than a local network hijacking.
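As an added, defender-side example (not code from the original brief or from the researchers it cites), the script below takes the indicators quoted on this page, both the current IoC list and the 2018 download-link URLs, refangs the hxxp:// and [.] notation, and checks constructed proxy log lines against them by parsed host rather than by substring, so a subdomain of an indicator is a hit but an indicator string appearing in a URL path is not. The log layout, the client addresses and the vendor.example host are assumptions.

```python
import re

# Indicators quoted in the brief above, in the defanged form in which they appear.
DEFANGED_IOCS = [
    "appnodejs.xyz", "sync-time.info", "185[.]25.51.133",
    "hxxp://system-check.xyz/index.php", "hxxp://wqaz.site/log/index.php",
    "hxxp://drbillbailey.us/tw/file.php",
]

def refang(indicator):
    """Turn a defanged indicator (hxxp://, [.]) back into its matchable form."""
    return indicator.replace("hxxp", "http").replace("[.]", ".")

def indicator_host(value):
    """Host part of a URL, bare domain or IP (scheme, port and path stripped)."""
    m = re.match(r"^(?:https?://)?([^/:]+)", value)
    return m.group(1).lower().rstrip(".") if m else ""

def host_matches(host, ioc_host):
    """Exact host or any subdomain of it, so cdn.appnodejs.xyz hits appnodejs.xyz."""
    return host == ioc_host or host.endswith("." + ioc_host)

# Constructed proxy log lines ("timestamp client method url"), not real telemetry.
SAMPLE_LOG = """\
1554120001 10.0.0.5 GET http://vendor.example/free-video-editor
1554120002 10.0.0.5 GET http://drbillbailey.us/tw/file.php
1554120003 10.0.0.7 POST http://system-check.xyz/index.php
1554120004 10.0.0.9 GET http://cdn.appnodejs.xyz/update.bin
1554120005 10.0.0.9 GET http://example.org/sync-time.info.html
"""
LOG_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def scan_log(lines, iocs=DEFANGED_IOCS):
    """Return (client, url, matched_indicator) for each line whose host matches an IoC.
    Matching is on the parsed host, so an IoC string inside a URL path is not a hit."""
    ioc_hosts = [(refang(i), indicator_host(refang(i))) for i in iocs]
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = indicator_host(m.group(4))
        for indicator, ioc_host in ioc_hosts:
            if host_matches(host, ioc_host):
                hits.append((m.group(2), m.group(4), indicator))
                break
    return hits
```

Running `scan_log(SAMPLE_LOG.splitlines())` reports the second, third and fourth lines and ignores the last one, whose path merely contains the string sync-time.info.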
For information about Si Cyber’s services and how we can help protect your organisation, please contact firstname.lastname@example.org