Proprietary 2019-02-21 · 30 days · Banking Trojan, Credential Theft, Keylogging, Malware Delivery

VSDC downloads delivered Bolik and KPOT

VSDC's official site was compromised again in 2019. Geofenced JavaScript replaced download links for some users with Bolik banking trojan and KPOT stealer installers.

Story

Doctor Web reported a second VSDC official-site compromise in 2019. This time the attack ran from 2019-02-21 to 2019-03-23 and used malicious JavaScript embedded in the VSDC website rather than a simple static link swap.

The script checked visitor geolocation and replaced download links for users in the United Kingdom, United States, Canada, and Australia. Native VSDC links were substituted with thedoctorwithin.com URLs for the video editor x64, video editor x86, and video converter installers.
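A defender-side check for the substitution pattern described above, written for this page as an added example (it is not Doctor Web's or VSDC's code): fetch the vendor's download page from more than one vantage point, pull out every installer link, and flag links whose host is not the vendor's own, or that one vantage point serves and another does not. The HTML samples are constructed; `vendor.example` stands in for the vendor's real domain, while the hostile host is the one named in the record.

```python
"""Detect geofenced download-link substitution on a vendor page.

Added example, not from the original record. The two HTML documents below
are constructed to mimic what a clean visitor and a geofenced visitor would
see; `vendor.example` is a placeholder for the vendor's actual domain.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# File extensions that count as installer downloads for this check.
INSTALLER_SUFFIXES = (".exe", ".msi", ".zip")

# Constructed sample: what a visitor outside the targeted regions sees.
CLEAN_PAGE = """<html><body>
<a href="https://vendor.example/download/video_editor_x64.exe">Editor x64</a>
<a href="https://vendor.example/download/video_editor_x86.exe">Editor x86</a>
<a href="https://vendor.example/download/video_converter.exe">Converter</a>
<a href="/about.html">About</a>
</body></html>"""

# Constructed sample: the same page after the geofenced script rewrote links.
GEOFENCED_PAGE = """<html><body>
<a href="https://thedoctorwithin.com/video_editor_x64.exe">Editor x64</a>
<a href="https://thedoctorwithin.com/video_editor_x86.exe">Editor x86</a>
<a href="https://thedoctorwithin.com/video_converter.exe">Converter</a>
<a href="/about.html">About</a>
</body></html>"""


class _LinkCollector(HTMLParser):
    """Collect every <a href> value in document order."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(value)


def extract_installer_links(html):
    """Return hrefs whose URL path ends in an installer suffix."""
    parser = _LinkCollector()
    parser.feed(html)
    return [h for h in parser.links
            if urlparse(h).path.lower().endswith(INSTALLER_SUFFIXES)]


def offsite_links(html, allowed_hosts):
    """Installer links served from a host outside the vendor allowlist.

    Relative links (no host) are treated as same-origin and therefore allowed.
    """
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for href in extract_installer_links(html):
        host = urlparse(href).hostname
        if host and host.lower() not in allowed:
            flagged.append(href)
    return flagged


def substituted_links(reference_html, observed_html):
    """Installer links one vantage point serves that the reference did not.

    Any non-empty result means the page content depends on who is asking,
    which is the signature of the geofenced rewrite described in the record.
    """
    reference = set(extract_installer_links(reference_html))
    return sorted(h for h in extract_installer_links(observed_html)
                  if h not in reference)


if __name__ == "__main__":
    vantage_points = {"clean-region": CLEAN_PAGE, "targeted-region": GEOFENCED_PAGE}
    for name, page in vantage_points.items():
        print(name, "offsite:", offsite_links(page, ["vendor.example"]))
    print("differs from clean-region:",
          substituted_links(CLEAN_PAGE, GEOFENCED_PAGE))
```

In practice the two HTML inputs would come from fetching the same URL through exit points in different countries; the value of the check is that the comparison is host-based, so a link swap to any off-vendor domain is caught without knowing the hostile host in advance.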

The first payload was Win32.Bolik.2, a polymorphic banking trojan with web injection, traffic interception, keylogging, and bank-client theft features. On 2019-03-22, attackers switched the payload to KPOT Stealer, which targeted browsers, Microsoft accounts, messengers, and other stored credentials.

Doctor Web reported at least 565 Bolik infections and 83 KPOT downloads through the VSDC site. VSDC confirmed the site was briefly affected, said the administrative side and program files were not affected, and stated that the vulnerability had been detected and patched.

Affected Artifacts

Incident Context

Motive
Financial Gain
Attribution
Group
Cause
Website Compromise
Transitive
No
Actor
Cybercriminal
User Impact
648

Notes

  • The 2020 Dr.Web CNET/download.com case is not modeled here because the known compromised distribution point was a third-party download portal, not VSDC's own official website.

External References

Source record: proprietary/vdsc/meta.yaml