- Doctor Web researchers revealed that at least 565 users who downloaded VSDC editor had their computers infected with the Win32.Bolik.2 banking Trojan.
What is the issue - Doctor Web researchers identified that attackers compromised the website of the free multimedia editor VSDC and hijacked the site's download links to distribute the banking trojan Win32.Bolik.2 and the info-stealer Trojan.PWS.Stealer (KPOT Stealer).
Why it matters - Doctor Web researchers revealed that at least 565 users who downloaded VSDC editor had their computers infected with the Win32.Bolik.2 banking Trojan, while another 83 users had their computers infected with KPOT info-stealer.
The big picture
Researchers noted that the VSDC developer's computer had been compromised several times in the past, which led to the website being compromised again between February 21, 2019, and March 23, 2019.
- The malicious script determines the visitor's geolocation and replaces the download links only for users from the UK, USA, Canada, and Australia.
- The website’s native download links were substituted with links to another compromised website.
“Additionally, on 22.03.2019 the attackers changed the Win32.Bolik.2 trojan to another malware, a variation of the Trojan.PWS.Stealer, KPOT Stealer. This trojan steals information from browsers, Microsoft accounts, several messengers and some other programs,” the researchers said in a blog post.
Upon discovery, Doctor Web notified the VSDC developers about the infection, and the developers have since restored the download links. However, anyone who installed VSDC editor between February 21, 2019, and March 23, 2019, is potentially affected.
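A defender-side check for the link substitution described above, added here as an example; it is not part of the original article or of Doctor Web's or VSDC's tooling, and the host names, file names and sample HTML are constructed placeholders:

```python
"""Flag installer links on a download page that point off the site's own hosts.

The substitution described above swapped a site's own installer links for links
to another (compromised) domain, and only for visitors from certain countries.
Parsing the page as each region would see it and checking where installer
links actually lead catches that kind of swap. All names below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

INSTALLER_SUFFIXES = (".exe", ".msi", ".zip", ".dmg")


class _LinkCollector(HTMLParser):
    """Collect every href from <a> tags in the page."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def find_hijacked_links(html, page_url, allowed_hosts):
    """Return installer links whose host is not in the site's allow-list.

    Relative links resolve to the page's own host and are therefore allowed.
    """
    collector = _LinkCollector()
    collector.feed(html)
    page_host = urlparse(page_url).hostname.lower()
    suspicious = []
    for href in collector.hrefs:
        parsed = urlparse(href)
        if not parsed.path.lower().endswith(INSTALLER_SUFFIXES):
            continue  # not an installer download, ignore
        host = (parsed.hostname or page_host).lower()
        if host not in allowed_hosts:
            suspicious.append(href)
    return suspicious


# Constructed sample page: one legitimate relative link, one installer link
# replaced with an off-site host. The domain is a placeholder, not an indicator.
SAMPLE_PAGE = """
<a href="/files/video_editor_x64.exe">Download 64-bit</a>
<a href="http://hijacked-host.example/video_editor_x86.exe">Download 32-bit</a>
<a href="/docs/manual.pdf">Manual</a>
"""

if __name__ == "__main__":
    print(find_hijacked_links(SAMPLE_PAGE, "https://www.example.com/download",
                              {"www.example.com", "cdn.example.com"}))
```

Running the check against copies of the page fetched from several geographic vantage points is what exposes a swap that is only served to visitors from particular countries.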
What does VSDC have to say?
- VSDC confirmed that the administrative side of the website and the program files were not affected by the banking trojan or info-stealer.
- The multimedia editor disclosed that a possible security vulnerability was detected and patched.
- The developers stated that they have adopted an innovative protection algorithm to prevent such attacks from happening in the future.
“Even with a fully-functioning security system guarding our website, we can confirm that it was shortly affected by the attack during the indicated period of time, and unlike the previous case mentioned in your article, the hackers had taken a new approach,” a spokesperson for VSDC told BleepingComputer.