Watering Hole Attack via VSDC official website

Delaware, USA – July 12, 2018 – Unknown hackers compromised http://www.videosoftdev.com and several times replaced download links on VSDC video editor redirecting users to attackers’ server. The last replacement occurred on July 6, and it was found by experts from Qihoo 360 Total Security. The investigation revealed that similar attacks also occurred on June 18 and July 2, and this campaign affected users from 30 countries worldwide.
Trying to download the video editor, the user received a JavaScript file disguised as a VSDC installer. After execution, it downloaded the PowerShell script that installed three different malware samples: a simple keylogger, an infostealer that can harvest credentials from a number of applications and take screenshots, as well as RAT DarkVNC. DarkVNC trojan was discovered in November 2017, it is similar in its capabilities to the HVNC, but it also has additional functions, for example, it can disable content process sandboxing.
The VideoSoftDev administration has already taken measures to restore content and the normal operation of the site, as well as strengthened its security. There are no details about the method of hacking, but it can be assumed that adversaries brute forced the administrative account. Watering hole attacks are usually carried out by experienced hacker groups and it is difficult to detect them. Last year, there were a number of successful attacks using this technique, such as NotPetya or BadRabbit. One of the reasons for the success is the vulnerability of web resources, which require constant monitoring. Web Application Security Framework for ArcSight can help your SIEM to detect breach attempts and inform the SIEM administrator about any suspicious activity associated with web applications.