Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More

guest · Jul 11, 2018

Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More
July 11, 2018
https://www.bleepingcomputer.com/ne...redirect-users-to-keylogger-infostealer-more/

Hackers have breached the website of VSDC, a popular company that provides free audio and video conversion and editing software.

Three different incidents have been recorded during which hackers changed the download links on the VSDC website with links that initiated downloads from servers operated by the attackers.
Users infected with three different malware strains
Users who downloaded VSDC software on those days have been infected with three different malware strains. Qihoo says victims received a JavaScript file disguised as VSDC software. This file would download a PowerShell script, which, in turn, would download three other files —an infostealer, a keylogger, and a remote access trojan (RAT).

The infostealer is capable of recovering Telegram account passwords, Steam account passwords, Skype chats, Electrum wallet data, and can also take screengrabs of the victim's PC. All collected data is uploaded on an attacker's server at system-check.xyz
Click to expand...

Rasheed187 · Jul 14, 2018

This is exactly why you always need to monitor app installation even when downloading trusted tools.

guest · Apr 11, 2019

VSDC Site Hacked Again to Spread Password Stealing Malware
April 11, 2019
https://www.bleepingcomputer.com/ne...ed-again-to-spread-password-stealing-malware/

The website of the free multimedia editor VSDC was breached again by hackers, this time the download links being used to distribute a banking trojan and an info stealer.

According to the Doctor Web researchers who discovered the intrusion, the hackers "hijacked download links on the website causing visitors to download a dangerous banking trojan, Win32.Bolik.2, and the Trojan.PWS.Stealer (KPOT stealer) along with the editing software."
The fact that VSDC's website has around 1,3 million every month makes this incident even more serious considering the number of potential victims.

While the VSDC team reported that the vulnerability which allowed the hackers to breach their website was patched, Doctor Web's researchers discovered that it happened again. Several times.
Click to expand...

VSDC site hacked again. This time incident lasted for a month and distributed Win32.Bolik banker trojan that has file infector capabilities. During the last day Bolik was repalced with KPOT stealer.
Report: https://t.co/l11WGvJGrY
IoCs: https://t.co/fN00LKEFDR

— Ivan Korolev (@fe7ch) April 11, 2019
Click to expand...

guest · Aug 19, 2019

Hackers Use Fake NordVPN Website to Deliver Banking Trojan
August 19, 2019
https://www.bleepingcomputer.com/ne...ke-nordvpn-website-to-deliver-banking-trojan/

The attackers who previously breached and abused the website of free multimedia editor VSDC to distribute the Win32.Bolik.2 banking Trojan have now switched their tactics.

While previously they hacked legitimate websites to hijack download links infected with malware, the hackers are now creating website clones to deliver banking Trojans onto unsuspecting victims' computers.
This allows them to focus on adding capabilities to their malicious tools instead of wasting time by trying to infiltrate the servers and websites of legitimate businesses.
Thousands of potential victims
The cloned website also has a valid SSL certificate issued by open certificate authority Let’s Encrypt on August 3, with an expiration date of November 1.

"Win32.Bolik.2 trojan is an improved version of Win32.Bolik.1 and has qualities of a multicomponent polymorphic file virus," state the Doctor Web researchers who spotted the campaign.
Click to expand...

itman · Aug 19, 2019

Per URLVoid scan, appears Dr. Web is the only one blacklisting the web site.

Buddel · Aug 19, 2019

itman said: ↑

Per URLVoid scan, appears Dr. Web is the only one blacklisting the web site.
Click to expand...

According to VT, Dr. Web and Kaspersky are the only AV products blacklisting nord-vpn.club.

itman · Aug 19, 2019

Eset and Fortinet also now blacklist the web site.

xxJackxx · Aug 19, 2019

itman said: ↑

Per URLVoid scan, appears Dr. Web is the only one blacklisting the web site.
Click to expand...

URLVoid looks to be of limited value. I entered one of my boss' domains and it said last scan 7 years ago and as it is now on a different host, all of the info was out of date. No offense obviously, but it is likely I won't bother with it again.

itman · Aug 19, 2019

xxJackxx said: ↑

URLVoid looks to be of limited value. I entered one of my boss' domains and it said last scan 7 years ago and as it is now on a different host, all of the info was out of date. No offense obviously, but it is likely I won't bother with it again.
Click to expand...

Agreed. Always perform a rescan option when using it.

Also, it appears the engines it uses are employed with minimum scan settings; i.e. blacklist checking only. For example if you want a thorough scan of the web site using Quttera which I strongly recommend, you have to go to their web site and initiate the scan there.

guest · Feb 8, 2020

VSDC Download Link on CNET Compromised to Distribute Malware
February 7, 2020
https://www.technadu.com/vsdc-download-link-cnet-compromised-distribute-malware/91899/

The download link of the VSDC video editor software on the CNET’s Downloads webpage has been compromised by malicious actors, resulting in the downloading of thousands of infected installers. The hackers have set up a spoofed domain on “downloads[.]videosfotdev[.]com”, which contains the installer of the video editing software, but is also bundled with a trojan.

The discovery was made by the Dr. Web Antivirus team of researchers, and the malicious file is identified as “BackDoor.TeamViewer”. A script in the trojan enables the file to bypass the Microsoft Windows Defender protection and to establish communication with the C2 server.
From there, additional payloads and modules are fetched. The researchers have noticed an X-Key Keylogger, Predator The Thief stealer, SystemBC trojan-proxy, and a trojan for remote control over RDP protocol.

Those who have been following the news section here, you may remember that this is not the first time that VSDC becomes the target of malicious actors. Back on April 12, 2019, the same team of researchers discovered that hackers had replaced the original installer of the video editor with banking trojans.
Click to expand...

For a full list of the indicators of compromise that concern this campaign, you may take a look at this GitHub page.
Click to expand...

Dr.Web: Cybercriminals use CNET website to spread the infected VSDC installer

guest · Mar 26, 2020

Malware Disguised as Google Updates Pushed via Hacked News Sites
March 25, 2020
https://www.bleepingcomputer.com/ne...-google-updates-pushed-via-hacked-news-sites/

Hacked corporate sites and news blogs running using the WordPress CMS are being used by attackers to deliver backdoor malware that allows them to drop several second-stage payloads such as keyloggers, info stealers, and Trojans.

These landing pages are designed to look like a legitimate Google Chrome update page and are used by the attackers to instruct potential victims to download an update for their browser.
However, instead of a Chrome update, the targets will download malware installers that will infect their devices and will allow the operators behind this campaign to take control of their computers remotely.
Hacking group behind several campaigns
The group behind this attack "was previously involved in spreading a fake installer of the popular VSDC video editor through its official website and the CNET software platform," as Doctor Web researchers revealed in their analysis published today.

They are also behind an attack that used a fake NordVPN website to infect targets with the Bolik banking Trojan behind the scenes, while actually installing the NordVPN client to avoid raising any suspicions.
Click to expand...

"It is worth noting that the downloaded file has a valid digital signature identical to the signature of the fake NordVPN installer distributed by the same criminal group."
More information on the infection mechanism used during this attack is available within Doctor Web's report, while indicators of compromised (IOCs) can be found on GitHub.
Click to expand...

Dr.Web: Cybercriminals spread dangerous backdoor as Google Chrome update

Upon launching the installer, it creates a folder in the %userappdata% directory that contains files for the TeamViewer remote control application and unpacks two password-protected SFX archives.
One archive contains two components: a malicious msi.dll library, which allows one to establish an unauthorised connection to an infected computer and a batch file for launching the Chrome browser with Google[.]com start page.

The second archive carries a script for bypassing Microsoft Windows’s built-in anti-virus protection.
Click to expand...

Log in or Sign up

Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

itman Registered Member

Buddel Registered Member

itman Registered Member

xxJackxx Registered Member

itman Registered Member

guest Guest

guest Guest

Log in or Sign up

Popular Software Site Hacked to Redirect Users to Keylogger, Infostealer, More

guest Guest

Rasheed187 Registered Member

guest Guest

guest Guest

itman Registered Member

Buddel Registered Member

itman Registered Member

xxJackxx Registered Member

itman Registered Member

guest Guest

guest Guest

Useful Searches