Cyber Incident Victim: VSDC
Date:
Feb 2019
Location:
United States of America
Summary
The website of a multimedia editor was compromised again, with attackers embedding malicious JavaScript that swapped the download links shown to visitors from specific countries for trojanized installers hosted on a compromised third-party site. The substituted files delivered a banking Trojan capable of web injections, traffic interception, and keylogging, alongside an information stealer targeting browser data, Microsoft accounts, and messaging applications. More than 600 users were confirmed infected. The attackers exploited a website vulnerability that was patched after the incident; the compromise was limited to modifications of the website itself, and administrative systems and the program files remained unaffected. The vendor restored the legitimate downloads and implemented additional security measures following the breach.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The VSDC video editing software website experienced multiple security breaches between 2018 and 2019, with the most recent confirmed compromise occurring between February 21 and March 23, 2019. Attackers first breached the site's administrative interface on three occasions in mid-2018 (June 18, July 2, and July 6), replacing the legitimate download links with links to malicious JavaScript files that delivered AZORult Stealer, X-Key Keylogger, and the DarkVNC backdoor. In the 2019 incident the attackers used a different tactic, embedding malicious JavaScript code directly in the VSDC website. The script performed a geolocation check and, for visitors from the UK, USA, Canada, and Australia, substituted the download links with trojanized executables hosted on the compromised domain thedoctorwithin[.]com. The tampered files distributed in this campaign carried a polymorphic banking Trojan (Win32.Bolik.2) capable of web injections, traffic interception, and keylogging, alongside the KPOT Stealer, which harvests credentials from browsers, Microsoft accounts, and messaging applications.

Doctor Web researchers identified at least 565 systems infected with the banking Trojan and 83 with the information stealer during the 2019 breach window. The VSDC team acknowledged that the attack succeeded despite existing security measures, confirming the website had been temporarily compromised while asserting that administrative systems and the program files themselves were unaffected. After being notified by the researchers, the developers restored the legitimate download links and patched the exploited vulnerability. They also implemented an undisclosed "innovative protection algorithm" to prevent similar attacks, withholding technical details for security reasons. The impact was amplified by VSDC's monthly traffic of roughly 1.3 million visitors, which created broad potential exposure. No further compromises were reported after the March 2019 remediation, but the repeated breaches show persistent targeting of the software distribution channel over several years.
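
Both compromises described above were visible in the HTML the vendor's own web server was returning: in 2018 the download links themselves were replaced, and in 2019 an inline script was added that rewrote the links client-side for visitors in selected countries. The check below is an added example, not VSDC's code and not part of the original write-up. It audits a served download page against two baselines a vendor controls: an allowlist of hosts installers may be fetched from (the host `download.vendor.example` is a placeholder assumption), and a set of SHA-256 hashes of the inline scripts that are supposed to be on the page. The sample pages are constructed for the example; the tampered one reuses the attacker domain named in the description, thedoctorwithin[.]com, written undefanged only so the URL parses.

```python
"""Download-page integrity audit for a software vendor's own site.

Added example (not VSDC's code). Given the HTML a server actually returned,
flag (1) any installer link whose host is not on the vendor's allowlist and
(2) any inline <script> whose hash is not in a known-good baseline. The
allowlist host, the baseline page and the tampered page are all constructed
for this example.
"""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for the example: the only hosts installers may be served from.
ALLOWED_DOWNLOAD_HOSTS = {"download.vendor.example"}


class DownloadPageParser(HTMLParser):
    """Collect installer-looking <a href> values and inline <script> bodies."""

    INSTALLER_SUFFIXES = (".exe", ".msi", ".dmg", ".zip")

    def __init__(self):
        super().__init__()
        self.download_links = []
        self.inline_scripts = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            href = attrs.get("href") or ""
            if href.lower().split("?")[0].endswith(self.INSTALLER_SUFFIXES):
                self.download_links.append(href)
        elif tag == "script" and "src" not in attrs:
            # Only inline scripts are hashed; external ones are a separate check.
            self._in_script = True
            self._script_buf = []

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self.inline_scripts.append("".join(self._script_buf))


def script_fingerprint(body: str) -> str:
    """SHA-256 of the script body with surrounding whitespace removed."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def baseline_script_hashes(html: str) -> set:
    """Hashes of the inline scripts on a page the vendor has reviewed."""
    parser = DownloadPageParser()
    parser.feed(html)
    parser.close()
    return {script_fingerprint(s) for s in parser.inline_scripts}


def audit_download_page(html: str, allowed_hosts, known_script_hashes):
    """Return a list of (finding_type, detail, evidence) tuples; empty means clean."""
    parser = DownloadPageParser()
    parser.feed(html)
    parser.close()
    findings = []
    for href in parser.download_links:
        host = urlparse(href).hostname
        # Relative links resolve to the vendor's own host; absolute ones must be allowlisted.
        if host is not None and host.lower() not in allowed_hosts:
            findings.append(("unexpected_download_host", host.lower(), href))
    for body in parser.inline_scripts:
        digest = script_fingerprint(body)
        if digest not in known_script_hashes:
            findings.append(("unknown_inline_script", digest[:16], body.strip()[:60]))
    return findings


# Constructed baseline: what the vendor expects its download page to contain.
BASELINE_HTML = """
<html><body>
<a href="https://download.vendor.example/editor_setup.exe">Download</a>
<script>window.dataLayer = window.dataLayer || [];</script>
</body></html>
"""

# Constructed tampered page: a rewritten link (2018-style) plus an injected
# inline script (2019-style stand-in) pointing at the attacker-controlled domain.
TAMPERED_HTML = """
<html><body>
<a href="https://thedoctorwithin.com/editor_setup.exe">Download</a>
<script>window.dataLayer = window.dataLayer || [];</script>
<script>document.querySelector('a').href='https://thedoctorwithin.com/editor_setup.exe';</script>
</body></html>
"""

if __name__ == "__main__":
    baseline = baseline_script_hashes(BASELINE_HTML)
    assert audit_download_page(BASELINE_HTML, ALLOWED_DOWNLOAD_HOSTS, baseline) == []
    for finding in audit_download_page(TAMPERED_HTML, ALLOWED_DOWNLOAD_HOSTS, baseline):
        print(finding)
```

Two practical points follow from the incident. Because the 2019 script only rewrote links for visitors from the UK, USA, Canada and Australia, a link-only check run from elsewhere would have seen a clean page; the script-hash check does not depend on where the request comes from, since the injected script is present in the HTML served to everyone. And the audit has to run against what the server actually returns over HTTPS from outside, not against the files on disk, because an edit made through a compromised admin interface changes both.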
