
Cyber Incident Victim: VSDC

Date:

Jul 2018

Location:

Lithuania

Summary

A popular software provider's website was compromised in multiple incidents where attackers replaced legitimate download links with malicious ones redirecting to attacker-controlled servers. Users unknowingly downloaded JavaScript files masquerading as legitimate software, which executed PowerShell scripts to deploy three malware variants: an infostealer targeting credentials and cryptocurrency wallets, a keylogger capturing keystrokes, and a remote access trojan enabling unauthorized system control. The company responded by rebuilding its website infrastructure, enforcing stronger authentication measures including two-factor authentication and complex passwords, and implementing file integrity monitoring. Attackers reportedly originated their activities from a Lithuanian IP address during these breaches.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

The VSDC website, which distributes free audio and video editing software, suffered three separate breaches between June 18 and July 6, 2018, in which attackers repeatedly altered its download links to distribute malware. The initial compromise occurred on June 18, when download links were redirected to a malicious IP address (5.79.100.218) hosting a file named "file.php". A second breach followed on July 2, with the legitimate links replaced by links to "drbillbailey.us/tw/file.php", a pattern repeated during the third intrusion on July 6. Security researchers at Qihoo 360 Total Security identified the July 2 and July 6 incidents as particularly severe because of their broader user impact. Visitors who downloaded VSDC software during these periods received a JavaScript file masquerading as legitimate software; when run, it executed a PowerShell script that retrieved three distinct malware payloads: an infostealer targeting Telegram, Steam, and Skype credentials along with Electrum cryptocurrency wallet data, which also captured screenshots and uploaded them to "system-check.xyz"; a keylogger exfiltrating typed input to "wqaz.site"; and a suspected DarkVNC remote access trojan enabling unauthorized system control.


VSDC confirmed the breaches after Qihoo's disclosure, attributing the attacks to an entity operating from the Lithuanian IP address 185.25.51.133. The company began remediation by rebuilding its compromised website infrastructure, enforcing a password policy requiring 12 or more characters, implementing two-factor authentication for administrative access, and deploying server-side file integrity monitoring to detect unauthorized changes. Forensic analysis showed that the attackers leveraged the dormant "drbillbailey.us" domain, previously associated with unrelated infections, to host malicious scripts during the July intrusions. The incident exposed users to persistent credential theft, financial data compromise through wallet targeting, and potential remote surveillance through the deployed malware suite. No additional compromises were reported after the enhanced security controls were implemented.
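The link substitution described above is the kind of change a download-page integrity check should catch before users do. The following is an added example, not code from the original page or from VSDC: it parses a page's anchors and flags download-looking links that point to a bare IP address or to a host outside an allow-list. The sample HTML is constructed, the host name vsdc.example is a placeholder, and the two rogue links reuse the 5.79.100.218/file.php and drbillbailey.us/tw/file.php patterns from the description.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress
import re

# Constructed sample: one legitimate download link on a placeholder host,
# two substituted links of the kind described above, one relative link.
SAMPLE_HTML = """
<a href="https://vsdc.example/download/video_editor.exe">Download</a>
<a href="http://5.79.100.218/file.php">Download (64-bit)</a>
<a href="http://drbillbailey.us/tw/file.php">Download (32-bit)</a>
<a href="/free-video-editor">Learn more</a>
"""
# Anchors that look like software downloads, matched case-insensitively.
DOWNLOAD_HINT = re.compile(r"download|file\.php|\.exe$|\.js$", re.I)

class LinkCollector(HTMLParser):
    """Collect every href from <a> tags in the fed HTML."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)

def find_suspicious_links(html, allowed_hosts):
    """Return (href, reasons) for download-looking links that leave the site."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href in collector.hrefs:
        host = (urlparse(href).hostname or "").lower()
        if not host or not DOWNLOAD_HINT.search(href):
            continue  # relative link, or not a download link at all
        reasons = []
        try:
            ipaddress.ip_address(host)
            reasons.append("bare IP address")
        except ValueError:
            pass  # a host name, not an IP literal
        if host not in allowed_hosts:
            reasons.append("host not in allow-list")
        if reasons:
            findings.append((href, reasons))
    return findings
```

Run against a periodic fetch of the live download page, a non-empty result is the signal that file integrity monitoring on the server should already have raised.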

Sources
Sources available to members
1 source