vsdc_website_trojan
Image Source: http://www.videosoftdev.com/
  • VSDC’s website was compromised by malicious actors who swapped the download links to push trojans.
  • The two trojans targeted banking information of users, and are considered particularly powerful.
  • At least 600 infection cases were recorded, but many more have definitely been victimized over the full month that the actors remained active.

According to a report by the Dr. Web Antivirus researchers, the website of the popular and free to use VSDC video and audio editor and converter has been compromised by malicious actors. The result of this is that website visitors who tried to download the media editing software also received a pretty dangerous banking trojan (Win32.Bolik.2), as well as a password-stealing trojan (KPOT). The researchers estimate the monthly visitors to the VSDC website to be around 1.3 million, so the number of potential infections could be a quite large one.

Further analysis by the researchers has revealed that the period of compromise spanned between February and March 2019, with the hackers incorporating a malicious snippet of JavaScript code which would geo-locate the website’s visitors. If the victim was from the US, UK, Canada, and Australia, the download link would be replaced with a resource that would deliver the editing software bundled with the dangerous trojans. The malicious links used in this attack are:

  • https: // thedoctorwithin [.] com / video_editor_x64.exe
  • https: // thedoctorwithin [.] com / video_editor_x32.exe
  • https: // thedoctorwithin [.] com / video_converter.exe

The Bolik trojan has the properties of a multi-component polymorphic virus, designed for traffic interception, keylogging, data infiltration, and even code injection. It has a long and successful record of deployment against home and corporate banking systems. In addition to this, the attackers pushed KPOT, a stealer that works on browsers, messaging apps, and Microsoft account platforms. By monitoring the infection rates on the compromised websites, Dr. Web researchers counted a total of 565 cases of Bolik infections, and another 83 KPOT stealer infections that occurred over the duration of a single day.

Right now, the website administrators have taken action and replaced the malicious links with the legitimate ones. However, if you have downloaded any of their products in this past couple of months, and especially between 21 February and 23 March this year, you should run a complete system scan using an up to date AV tool immediately. For a full list of the indicators of compromise, check out the relevant ReadMe file on GitHub. On a side note, it is irresponsible and unfortunate that VDSC has not posted anything on their News section and neither on their Twitter handle.

Do you trust and use “free of charge” tools for multimedia editing, or are you paying for a commercial product? Let us know in the comments section beneath, and help us warn others by sharing this post through our socials, on Facebook and Twitter.