Si Cyber Intel: VSDC Site Compromised Once Again Spreading Information Stealing Malware
Apr 2019

Once again, the free multimedia editor website VSDC has been compromised by hackers, but this time the download links are being used to distribute a malicious banking trojan and an information stealer.

The banking trojan used, known as "Win32.Bolik.2", is designed to perform traffic interception, web injections and key-logging, and to steal sensitive information from bank-client systems. The information stealer, identified as "Trojan.PWS.Stealer" and commonly known as "KPOT Stealer", works in unison with it by swiping information from browsers, popular messengers, Microsoft accounts and other programs. Researchers have identified that once executed on the victim's machine, it automatically infects the system with a multicomponent polymorphic banking trojan.

With around 1.3 million users visiting VSDC's website each month, this cyberattack is considered serious because of the sheer volume of potential victims and because this is not the first security breach that the Chinese company has suffered.

VSDC reported that it had successfully patched the vulnerability on its website; however, researchers from Doctor Web have discovered that the compromise has recurred several times since.

How to protect your organisation?

The best defence for users and organisations against such attacks is to keep all software up to date by applying patches regularly.

Indicators of compromise

The following indicators of compromise can be noted:

  • Malware: KPOT Stealer
  • IP Addresses: 104.223.76.230, 213.252.245.229, 213.252.245.146
  • Domains: appnodejs.xyz, sync-time.info
  • Company: Microsoft
  • Source: Bleeping Computer
  • Malware Category: Banking Trojan

Previous VSDC security breaches

VSDC was compromised several times in 2018, when experts from the Chinese security firm Qihoo 360 Total Security discovered that hackers had hijacked download links on the website during three different periods, with the links pointing to servers the attackers were operating. The attackers gained access to the administrative part of the site's server and replaced the links to the program's distribution file.

Qihoo 360 Total Security advised at the time that victims' computers were infected with a theft Trojan, a keylogger and a remote control Trojan after the program was downloaded and installed, and that attacks were registered from an IP address in Lithuania, 185[.]25.51.133.

Below are the details of the three previous attacks:

  • June 2018 – Hackers substituted download links with hxxp://5.79.100.218/_files/file.php
  • July 2, 2018 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
  • July 6, 2018 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php

At the time, VSDC confirmed these incidents and fixed the links on its website.

The first and third periods affected the most users, who were infected with three different pieces of malware. VSDC users received a JavaScript file disguised as VSDC software that acted as a downloader for a PowerShell script, which in turn downloaded three malicious payloads: an infostealer, a keylogger and a remote access trojan (RAT).

The infostealer hijacked sensitive information, including the Telegram account and password, Steam account and password, Skype chat log, Electrum wallet and screenshots from the victim's machine. The data was then sent back to hxxp://system-check.xyz/index.php.

The keylogger recorded all keyboard actions and sent the record to hxxp://wqaz.site/log/index.php. The third file was a Hidden VNC remote control Trojan that could be used by attackers to control the infected PC.

The security researcher Ivan Korolev from Dr.Web revealed that the third file was a version of DarkVNC, a lesser-known RAT. He also stated that the domain name hijacking was a global attack affecting more than 30 countries and was more likely a supply chain attack than a local network hijacking.
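To make the indicators above (the 2019 IPs and domains, and the defanged 2018 IP and URLs) usable for a retrospective log search, here is an added Python example that is not from this report or from Si Cyber: it refangs each indicator, reduces it to a host, and scans proxy-log lines for hits. The log format and the log lines are constructed assumptions; only the indicator values come from the page.

```python
import re
# Indicators quoted in the report above, kept in their defanged form.
IOCS = [
    "104.223.76.230", "213.252.245.229", "213.252.245.146",
    "appnodejs.xyz", "sync-time.info", "185[.]25.51.133",
    "hxxp://5.79.100.218/_files/file.php", "hxxp://drbillbailey.us/tw/file.php",
    "hxxp://system-check.xyz/index.php", "hxxp://wqaz.site/log/index.php",
]

def refang(ioc):
    """Turn 'hxxp://' and '[.]' defanging back into a comparable value."""
    s = ioc.strip().lower().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp(s?)://", r"http\1://", s)

def build_index(iocs):
    """Reduce every indicator to a host; IPs match exactly, domains by suffix."""
    idx = {"ip": set(), "domain": set()}
    for raw in iocs:
        host = re.sub(r"^https?://", "", refang(raw)).split("/")[0]
        kind = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) else "domain"
        idx[kind].add(host)
    return idx

def match_host(host, idx):
    """Exact match for IPs; a domain indicator also covers its subdomains."""
    if host in idx["ip"]:
        return host
    return next((d for d in idx["domain"] if host == d or host.endswith("." + d)), None)

def match_token(tok, idx):
    """Pull the host out of one log token (URL, host:port or bare host)."""
    m = re.match(r"(?:https?://)?([a-z0-9.\-]+)(?::\d+)?(?:/|$)", tok)
    return match_host(m.group(1), idx) if m else None

def scan_log(lines, idx):
    # Returns (line_no, indicator) for every log line that touches an IoC host.
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in line.lower().split():
            hit = match_token(tok, idx)
            if hit:
                hits.append((n, hit))
                break
    return hits

SAMPLE_LOG = [  # constructed proxy-log lines, not from any real incident
    "2019-04-12T10:01:03Z 10.0.0.5 GET http://appnodejs.xyz/update.bin 200",
    "2019-04-12T10:01:09Z 10.0.0.5 GET https://www.example.org/ 200",
    "2019-04-12T10:02:41Z 10.0.0.7 POST http://cdn.sync-time.info/upload 200",
    "2019-04-12T10:03:00Z 10.0.0.9 CONNECT 213.252.245.229:443 200",
]
```

Running `scan_log(SAMPLE_LOG, build_index(IOCS))` flags lines 1, 3 and 4; the subdomain on line 3 is caught by the suffix rule, which a plain string search would miss only if the indicator were written as a URL.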

For information about Si Cyber’s services and how we can help protect your organisation, please contact sales@siconsult.com
