Yet another attempt by hackers to drop malware through CNET’s download section.
The Russian cyber security firm Dr. Web has revealed it caught hackers using the CNET website to spread nasty malware through its software download section.
According to the researchers, the download link for a popular video player, VSDC, had been compromised on its CNET page. The campaign worked as follows: when users went to download the software, they did receive the original program, but this time it had been modified to include malicious components.
The attack works in two stages. First, when the user clicks the link, they are redirected to downloads[.]videosfotdev[.]com, “which is a spoofed domain name controlled by hackers.” The user then downloads a modified installer, “but with a valid digital signature,” Dr. Web explained.
According to Dr. Web’s blog post, whether a visitor is redirected depends on their location; those not being targeted end up on the original site.
Second, on the victim’s machine, two additional folders are created in the %userappdata% directory alongside the original editor’s files. One of them contains legitimate files of the TeamViewer application; the other contains .dll files known as “BackDoor.TeamViewer.”
This amounts to a trojan that helps the malware evade Microsoft’s Windows Defender and connect to its command-and-control server. Additional payloads are also deployed, comprising the X-Key Keylogger, the Predator The Thief stealer, the SystemBC trojan-proxy, and a trojan for remote control over the RDP protocol.
The researchers further noted that one of the malicious repositories also dropped a hacked NordVPN installer. It is worth mentioning that hackers have lately been using NordVPN’s name to carry out malware attacks: last year, they built a clone of the official NordVPN website to spread the Bolik banking trojan.
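As an added defender-side check (not code from Dr. Web, VSDC or CNET), the script below follows a download link hop by hop, flags the first hop that leaves an allowlist of expected hosts, names the legitimate domain a spoofed host most resembles, and compares the downloaded file against a vendor-published hash. The allowlist entries, including the vendor domain www.videosoftdev.com, are assumptions; the spoofed indicator is the one quoted above.

```python
import difflib
import hashlib
import urllib.request
from urllib.parse import urlparse

# Hosts the installer may legitimately come from: CNET's download site and the
# assumed vendor domain (www.videosoftdev.com is not stated in the article).
ALLOWED_HOSTS = {"download.cnet.com", "www.videosoftdev.com"}

def refang(indicator):
    """Turn a defanged indicator such as downloads[.]videosfotdev[.]com into a usable host."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

class _ChainRecorder(urllib.request.HTTPRedirectHandler):
    """Redirect handler that records each hop instead of following it silently."""
    def __init__(self):
        super().__init__()
        self.hops = []
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def fetch_chain(url, timeout=30):
    """Follow a download URL; return ([start URL] + redirect hops, response body)."""
    recorder = _ChainRecorder()
    with urllib.request.build_opener(recorder).open(url, timeout=timeout) as resp:
        body = resp.read()
    return [url] + recorder.hops, body

def first_unexpected_hop(hops, allowed_hosts=ALLOWED_HOSTS):
    """Return the first hop whose host is outside the allowlist, or None if all are allowed."""
    for hop in hops:
        if (urlparse(hop).hostname or "").lower() not in allowed_hosts:
            return hop
    return None

def _base(host):
    """Naive registrable domain: the last two labels (fine for .com, not for co.uk etc.)."""
    return ".".join(host.lower().split(".")[-2:])

def lookalike_of(host, allowed_hosts=ALLOWED_HOSTS, threshold=0.8):
    """Return the allowed registrable domain this host closely resembles (typosquat hint), else None."""
    scored = {_base(a): difflib.SequenceMatcher(None, _base(host), _base(a)).ratio() for a in allowed_hosts}
    best = max(scored, key=scored.get)
    return best if scored[best] >= threshold else None

def installer_matches(body, expected_sha256):
    """Compare the downloaded bytes against a SHA-256 the vendor published out-of-band."""
    return hashlib.sha256(body).hexdigest() == expected_sha256.lower()
```

Against a live link, `hops, body = fetch_chain(url)` followed by `first_unexpected_hop(hops)` reports the redirect to a host such as `refang("downloads[.]videosfotdev[.]com")`, and `lookalike_of` on that host points at the vendor domain it imitates.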
For its part, VSDC acknowledged the incident and responded in the comment section of Dr. Web’s post:
“Thank you, Dr.Web team, for the prompt warning and cooperation! Since yesterday the download file has been restored to the legitimate one and all the corresponding security measures have been taken,” VSDC said.
If you have downloaded anything from CNET, run a scan with your anti-virus software or check the file on VirusTotal. For now, the threat has been neutralized by Doctor Web, but this is not the end of the story. In April 2019, a similar incident saw VSDC’s own site compromised, infecting over 600 users.
Despite that earlier incident, the episode has repeated itself, raising questions about whether the software developer will take the security of its users seriously. Users who have VSDC on their computer are advised to scan the program’s files with an anti-virus scanner to make sure their system is safe.