Users that have downloaded the VSDC multimedia editing software between 2019-02-21 and 2019-03-23, may have been infected with malware.

Users that have downloaded the VSDC multimedia editing software between 2019-02-21 and 2019-03-23, may have been infected with a banking trojan and an information stealer.

VSDC is a popular, free video editing and converting app and its website has over 1.3 million monthly visitors, for this reason, this incident may have potentially exposed a large number of people. The hackers already compromised the official website of VSDC in the past, in previous attacks they hijacked the download links to deliver malware to the victims.

In the latest attack, they embedded a malicious JavaScript code inside the VSDC website that was used to determine the visitor’s geolocation and replace download links for users from the UK, USA, Canada, and Australia

“Doctor Web researchers discovered that the official website of a well-known video editing software, VSDC, was compromised.” reads the blog post published by Dr. Web.

“The hackers hijacked download links on the website causing visitors to download a dangerous banking trojan, Win32.Bolik.2, and the Trojan . PWS . Stealer (KPOT stealer) along with the editing software.”

The Win32.Bolik.2 malware is a modular polymorphic file Trojan that has the ability to perform web injections, traffic intercepts, key-logging and stealing information from different bank-client systems.

At the moment, experts believe at least 565 people who downloaded the software were infected.

Attackers also delivered the KPOT Stealer, a variant of Trojan.PWS.Stealer, starting from March 22. The malware is able to steal information from web browsers, Microsoft accounts, several messenger services, and some other programs.



According to the researchers, 83 users were infected with the information stealer.

Unfortunately this isn’t the first time that the VSDC site has been hacked.

In July 2018, experts from Chinese security firm Qihoo 360 Total Security discovered that attackers hijacked the download links of the VSDC website.

The experts discovered that hackers hijacked download links on the websites in three different periods, the links were pointing to servers they were operating.

Below the details of the three different attacks:

June 18 – Hackers substituted download links with hxxp://5.79.100.218/_files/file.php

July 2 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php

July 6 – Hackers substituted download links with hxxp://drbillbailey.us/tw/file.php

At the time, hackers were serving the visitors the AZORult Stealer, X-Key Keylogger and the DarkVNC backdoor.

Users that had downloaded the software in the above between have to scan their system for malware using an up-to-date of the antivirus software.

Users are also recommended to change their passwords for banking websites and other services.

Pierluigi Paganini

( SecurityAffairs – hacking, VSDC)

Share this...

Linkedin Reddit Pinterest

Share On