| 关联规则 | 关联知识 | 关联工具 | 关联文档 | 关联抓包 |
| 参考1(官网) | |
| 参考2 | |
| 参考3 |
中国安全公司奇虎360上周发现了针对VSDC的攻击事件,VSDC是一家提供免费音频和视频转换和编辑软件的公司,最近受到了三次恶意软件攻击,时间分别为6月18日、7月2日和7月6日。第一次和第三次劫持事件的规模较大,影响了大多数用户。黑客改变了VSDC网站上的下载链接,这些链接启动了攻击者操作的服务器的下载。受害者收到伪装成VSDC软件的JavaScript文件。这个文件会下载一个PowerShell脚本,然后下载另外三个文件,一个infostealer,一个键盘记录器和一个远程访问木马(RAT)。信息输出器能够恢复Telegram帐户密码、Steam帐户密码、Skype聊天记录、Electrum钱包数据,还可以获取受害者PC的屏幕截图。所有收集的数据都会上传到攻击者的system-check.xyz服务器上。VSDC公司表示攻击是从立陶宛的IP185.25.51.133地址注册的。网站的所有源文件都已恢复,虚假的源文件已被删除。
Hackers have breached the website of VSDC, a popular company that provides free audio and video conversion and editing software.
Three different incidents have been recorded during which hackers changed the download links on the VSDC website with links that initiated downloads from servers operated by the attackers.
Qihoo experts said the first and third hijacks were the ones at a larger scale and affected the most users.
Users who downloaded VSDC software on those days have been infected with three different malware strains. Qihoo says victims received a JavaScript file disguised as VSDC software. This file would download a PowerShell script, which, in turn, would download three other files —an infostealer, a keylogger, and a remote access trojan (RAT).
The infostealer is capable of recovering Telegram account passwords, Steam account passwords, Skype chats, Electrum wallet data, and can also take screengrabs of the victim's PC. All collected data is uploaded on an attacker's server at system-check.xyz
The keylogger is nothing special, collecting keystrokes and uploading them to wqaz.site.
Qihoo describes the third file as a VNC module that grants the attacker control over an infected user's PC. But while Qihoo did not specifically identify this malware, Ivan Korolev, a security researcher with Dr.Web, says the file was a version of DarkVNC, a lesser known RAT.
To its credit and unlike many companies nowadays, VSDC admitted to the hacks in an email to Bleeping Computer.
Galkin added:
Download link swapped with: hxxp://5.79.100.218/_files/file.php
Second hack: July 2
Download link swapped with: hxxp://drbillbailey.us/tw/file.php
Third hack: July 6
Download link swapped with: hxxp://drbillbailey.us/tw/file.php
Users infected with three different malware strains
VSDC admits to breach, says it fixed its site
Attacks were registered from an IP address in Lithuania - 185.25.51.133
What has been done to cope with that:
1. All the source files of the site have been restored, the fake ones have been deleted.
All the passwords have been changed. As our experience has shown, 10-12 character passwords made of random characters are not complex enough, so now they have their length and complexity significantly increased.
2. The two-level authentication of access to the administrative part at the IIS server level has been introduced.
3. A special antivirus utility installed has been installed on the server that checks all the files for validity.
We’d like to assure all our users that all the required security and prevention measures have been taken and will be regularly updated. The access to the administrative server part will be regularly checked.
