Hackers caught using CNET website to spread nasty malware

Yet another attempt by hackers to drop malware through CNET’s download section that leaves a question mark on whether to download anything from CNET?

Yet another attempt by hackers to drop malware through CNET’s download section.

The Russian cyber security firm Dr. Web has revealed it caught hackers using the CNET website to spread nasty malware through its software download section.

According to researchers, they identified a download link of a popular video player – VSDC – to be compromised on its CNET page. The malware campaign worked in a way that when users headed to download the software, they did indeed get the original program alongside but only this time it had been modified to include malicious programs.

How this works is through a two-fold process. Firstly, when the user clicks on the link, it redirects them to downloadsvideosfotdevcom “which is a spoofed domain name controlled by hackers.” This then results in the user downloading a modified installation setup “but with a valid digital signature,” explained Dr. Web.

See: Fake VPN website delivering password-stealing malware

According to Dr. Web’s blog post, who receives this redirection though depends on one’s location therefore those not targeted will end up on the original site.

The screenshot provided by Dr. Web shows the download file available on CNET.

Secondly, coming to the process in itself, two additional folders are created in a directory %userappdata% apart from the original editor’s files. Out of these two, one of them contains legitimate files of Teamviewer’s application. The second one though contains .dll files known as “BackDoor.TeamViewer.”

This amounts to a trojan which helps the malware thwart’s Microsoft’s Windows Defender and connect to its command and control server. Yet, additional payloads are also used comprising of X-Key Keylogger, Predator The Thief stealer, SystemBC trojan-proxy, and a trojan for remote control over RDP protocol.

Researchers further noted that one of the malicious repositories also dropped a hacked NordVPN installer. It is worth mentioning that lately, hackers have been using NordVPN’s name to carry out malware attacks. Last year, hackers developed a clone version of the official NordVPN website to spread Bolik banking trojan.

On the other hand, VSDC acknowledged the issue and used Dr. Web’s comment section to address the issue.

Thank you, Dr.Web team, for prompt warning and cooperation! Since yesterday the download file has been restored to the legitimate one and all the corresponding security measures have been taken, VSDC said.

If you have downloaded anything from CNET you should run a scan with your anti-virus software or use VirusTotal. For now, the threat has been neutralized by Doctor Web but this is not the end. Earlier in April 2019, we saw a similar incident occurring with VDSC’s site being compromised infecting over 600 users.

See: Forbes Website Dropping Malware on Visitor’s PCs

However, despite that, this episode has repeated itself raising questions on whether the software developer is going to take the security of its users seriously. For those users who have VDSC on their computer, it is advised that they scan the program’s files using an anti-virus scanner to make sure their system is safe.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts
Read More

New SystemBC malware targets Windows PCs by evading detection

While finding and removing malware on your computer system may indeed be a joyous moment, there's a new malware out there that will give you a headache instead. To know why, a dive through is needed into SystemBC, a malware written in C++ that has been discovered by researchers at Proofpoint and dubbed so because the word is a part of the URI path found in one of the malware's advertisements.