Hackers Hijacked the Official Website of VSDC to Distribute Malware

Qihoo 360 Total Security experts reported that cyber criminals used the official website of VSDC (http://www.videosoftdev.com) to distribute malware.

According to the researchers, hackers have hijacked download links on the VSDC website in three different periods, pointing to servers they were operating.

The cyber criminals took control of the website's administrative back end and replaced the links to the program's installer file.

The security researchers also found that the attacks originated from an IP address in Lithuania – 185[.]25.51.133.

“360 Security Center discovered that the download links of a famous audio and video editor, VSDC (http://www.videosoftdev.com), have been hijacked on the official website. The computer will be injected with a theft Trojan, a keylogger and a remote control Trojan after the program is downloaded and installed,” the Qihoo 360 Total Security analysis states.

The details of the three different attacks are:

  • June 18 – Hackers substituted download links with hxxp://5.79.100.218/_files/file.php
  • July 2 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php
  • July 6 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php

The audio and video editor VSDC confirmed the incident and managed to fix the links on its website.

The first and third periods affected the most users; the victims were infected with three different pieces of malware.

What the VSDC users received was a JavaScript file disguised as the VSDC software, acting as a downloader for a PowerShell script, which in turn would download three malicious payloads: an infostealer, a keylogger, and a remote access trojan (RAT).

The infostealer steals sensitive information such as Telegram account credentials, Steam account credentials, Skype chat logs, Electrum wallet data and screenshots from the victims’ computers. The data is then sent back to hxxp://system-check.xyz/index.php.

All keyboard actions are recorded by the keylogger and sent to hxxp://wqaz.site/log/index.php.

The third file is a hidden VNC remote control trojan which the hackers could use to control the infected machine. According to the researchers, it is a version of a lesser-known RAT called DarkVNC.
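As an added defender-side example (not from the article or from Qihoo 360), the following Python script turns the defanged indicators printed above back into matchable hosts, scans web-proxy log lines for contact with those hosts, and flags download links on a vendor page whose host is not the vendor's own, which is the kind of check that would have caught the swapped links. The log line format, the sample log lines and the page fragment are all constructed for this example; the indicator values themselves are the ones the article lists.

```python
import re
from urllib.parse import urlparse
from html.parser import HTMLParser

# Indicators quoted in the article, kept defanged exactly as the article prints them.
DEFANGED_IOCS = [
    "hxxp://5.79.100.218/_files/file.php",
    "hxxp://drbillbailey.us/tw/file.php",
    "hxxp://system-check.xyz/index.php",
    "hxxp://wqaz.site/log/index.php",
]
ATTACKER_IP = "185[.]25.51.133"


def refang(value):
    """Turn hxxp:// and [.] back into a real URL or IP so it can be matched."""
    return (value.replace("hxxps://", "https://")
                 .replace("hxxp://", "http://")
                 .replace("[.]", "."))


def ioc_hosts():
    """Set of hostnames/IPs worth alerting on, derived from the article's indicators."""
    hosts = {urlparse(refang(u)).hostname.lower() for u in DEFANGED_IOCS}
    hosts.add(refang(ATTACKER_IP))
    return hosts


# Constructed proxy log format (not a real product's format):
# <timestamp> <client_ip> <method> <url> <status>
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def scan_proxy_log(lines, hosts=None):
    """Return (timestamp, client, host) for every log line whose URL host is an indicator."""
    hosts = hosts if hosts is not None else ioc_hosts()
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the constructed format
        host = urlparse(m["url"]).hostname
        if host and host.lower() in hosts:
            hits.append((m["ts"], m["client"], host.lower()))
    return hits


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags; stdlib only, no third-party parser needed."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def offsite_download_links(html, vendor_hosts):
    """Return absolute links on the page whose host is not in the vendor's allowlist.

    Relative links (no host) are skipped because they stay on the vendor's own site.
    """
    parser = _LinkCollector()
    parser.feed(html)
    vendor_hosts = {h.lower() for h in vendor_hosts}
    return [href for href in parser.hrefs
            if urlparse(href).hostname and urlparse(href).hostname.lower() not in vendor_hosts]


# Constructed sample data for the checks above.
SAMPLE_LOG = """\
2018-07-06T10:14:02Z 10.0.0.21 GET http://www.videosoftdev.com/free-video-editor/download 200
2018-07-06T10:14:09Z 10.0.0.21 GET http://drbillbailey.us/tw/file.php 200
2018-07-06T10:15:40Z 10.0.0.21 POST http://system-check.xyz/index.php 200
2018-07-06T10:16:01Z 10.0.0.34 GET http://example.com/ 200
""".splitlines()

SAMPLE_PAGE = """
<a href="http://www.videosoftdev.com/files/installer.exe">Download</a>
<a href="http://5.79.100.218/_files/file.php">Download (mirror)</a>
<a href="/about">About</a>
"""

if __name__ == "__main__":
    for ts, client, host in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {client} contacted indicator host {host}")
    for href in offsite_download_links(SAMPLE_PAGE, {"www.videosoftdev.com"}):
        print(f"download link points off-site: {href}")
```

Running the proxy-log check periodically catches the second and third stages of the chain (payload download and exfiltration), while the link check run against the vendor's own download page, as a scheduled integrity test, catches the first stage: an installer link that suddenly points at a host the vendor does not own.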
