Hackers have breached the website of VSDC, a popular company that provides free audio and video conversion and editing software.
Three different incidents have been recorded during which hackers changed the download links on the VSDC website with links that initiated downloads from servers operated by the attackers.
Below is a timeline of the hacks and link swaps, according to Chinese security firm Qihoo 360 Total Security, whose experts spotted the hijacks last week.
Second hack: July 2
Third hack: July 6
Download link swapped with: hxxp://drbillbailey.us/tw/file.php
Qihoo experts said the first and third hijacks were the ones at a larger scale and affected the most users.
Users infected with three different malware strains
The infostealer is capable of recovering Telegram account passwords, Steam account passwords, Skype chats, Electrum wallet data, and can also take screengrabs of the victim’s PC. All collected data is uploaded on an attacker’s server at system-check.xyz
The keylogger is nothing special, collecting keystrokes and uploading them to wqaz.site.
The third file is a mystery because it’s a VNC module that allows attackers to take control of the victim’s computer. VNC modules are most often found in banking trojans and are rarely used as standalone components, hackers usually preferring the more advanced commercial RATs available on the market.
VSDC admits to breach, says it fixed its site
To its credit and unlike many companies nowadays, VSDC admitted to the hacks in an email to Bleeping Computer.
“Unfortunately, we did have hacker attacks, but they have already been stopped and all the vulnerabilities detected and removed,” Alexander Galkin, a VSDC Project Manager told us.
Using both our own resources and third-party experts, an unscheduled audit of the VSDC website has been conducted. It’s been revealed that the attackers hacked the administrative part of the site and replaced the links to the distribution file of the program. It is worth mentioning that the distributives themselves were not damaged.
Attacks were registered from an IP address in Lithuania – 184.108.40.206
What has been done to cope with that:
1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our experience has shown, 10-12 character passwords made of random characters are not complex enough, so now they have their length and complexity significantly increased.
2. The two-level authentication of access to the administrative part at the IIS server level has been introduced.
3. A special antivirus utility installed has been installed on the server that checks all the files for validity.
We’d like to assure all our users that all the required security and prevention measures have been taken and will be regularly updated. The access to the administrative server part will be regularly checked.