It is more likely to be a Supply Chain Attack instead of a local network hijacking. This domain name hijacking is a global attack and has affected more than thirty countries.
The command and control URL of this remote control Trojan is hxxps://185.25.51.152:443. It is also being used in some bank account hacking Trojans. Hidden VNC is a well-known technology for hackers to create a new Windows desktop for hiding mouse and keyboard in victim’s computer. The third file is a Hidden VNC remote control Trojan. It records all keyboard actions and sends the record to hxxp://wqaz.site/log/index.php. These information will be sent to hxxp://system-check.xyz/index.php. It hijacks sensitive information including Telegram account / password, Steam account / password, Skype chat log, Electrum wallet and screenshot from victims’ computer. The files are also obfuscated for avoiding detection. The script downloads three execution files from the URL hxxp://185.25.51.133/_files/ by Powershell. The file has been obfuscated in order to avoid the detection by antivirus software. The cracked Free Vedeo Editor installer is not an execution file. In this attack, users were redirected to hxxp://5.79.100.218/_files/file.php (The 1st hijacking) or hxxp:///tw/file.php (The 2nd and 3rd hijacking) after clicking the button, and the cracked Video Editor installer would be downloaded. Under normal circumstances, click on the button “Download Video Editor” will be redireced to or for downloading the selected version of offical software. Normally, Free Video Editer is downloaded through a VSDC download page. It began at 9 am on July 6th with a larger hijacking scale. The third hijacking had the same domain name resolution as the second time. The scale was smaller than the first time and might be the testing for the follow-up action. On July 2nd at 10 am, the hacker changed the resolution of the domain name and started the second hijacking. The first replacement began at 17:30 on June 18th. The offical download links have been hijacked in three different periods. It is the most famous software and the most popular searched product of VSDC. The hijected download links ( and ) are Free Video Editor with high volume of visiting. VSDC’s official website is a top website in Alexa’s global ranking. The computer will be injected by theft Trojan, keylogger and remote control Trojan after the program is downloaded and installed. 360 Security Center discovered the download links of a famous audio and video editor, VSDC (), has been hijacked in official website.
0 kommentar(er)
