​Hackers hijack popular software site VSDC to serve up RAT, infostealer and keylogger

• The attackers swapped VSDC's legitimate download links for malicious ones on three separate days.
• The download links actually downloaded three different strains of malware.

Hackers managed to breach popular software site VSDC that provides free audio and video conversion and editing applications. According to researchers at Chinese security firm Qihoo 360 Total Security, the attackers swapped a few download links on the website for links that actually downloaded malicious software from the hackers' servers.

The legitimate download links were hijacked and changed on three separate days - the first on June 18, the second on July 2 and the third on July 6. However, Qihoo researchers noted the first and third hijacks were on a much larger scale and affected more users.

Three different strains of malware

Users who happened to download the "Free Video Editor" on those days were likely redirected to the hackers' servers and instead received an obfuscated JavaScript file disguised as the VSDC software. This file downloads a PowerShell script that then downloads three different malicious files - a remote access Trojan (RAT), an infostealer and a keylogger.

Qihoo researchers described the RAT as a hidden VNC module that gives the attacker control over the infected system. Security researcher MalwareHunter described the RAT as a version of the TVRAT, Bleeping Computer reports.

The infostealer is capable of retrieving Telegram account passwords, Skype chats, Steam account passwords, Electrum wallet data and taking screenshots of the victim's system. The harvested data is then uploaded to the attackers' server at system-check[.]xyz.

The last file - a keylogger - collects keystrokes and uploads them to wqaz[.]site.

Threat thwarted

VSDC has confirmed the attack saying an unscheduled audit of its website has been conducted using their own resources and third-party experts. The vulnerabilities have been detected and removed, the firm said.

The company also noted that the attacks seemed to be traced back to an IP address in Lithuania.

"It’s been revealed that the attackers hacked the administrative part of the site and replaced the links to the distribution file of the program. It is worth mentioning that the distributives themselves were not damaged," VSDC told Bleeping Computer.

"All the source files of the site have been restored, the fake ones have been deleted. All the passwords have been changed. As our experience has shown, 10-12 character passwords made of random characters are not complex enough, so now they have their length and complexity significantly increased."

Two-level authentication has been introduced to the administrative part at the IIS server level and a "special antivirus utility" has been installed on the server that checks all files for validity, they added.

"We’d like to assure all our users that all the required security and prevention measures have been taken and will be regularly updated," VSDC said. "The access to the administrative server part will be regularly checked."