Chinese hackers are using VLC

Chinese hackers are using VLC: The likely state-sponsored hacks began in 2021

Chinese hackers are using VLC: VLC is a super-popular media player for good reason: It’s free, open-source, and available on just about every platform 

imaginable. Plus, it can handle basically any audio or video file you throw at it. VLC is also light on resources, meaning it won’t slow down your Windows computer — unless, perhaps, it’s hiding malicious software. A new report indicates that’s entirely possible, due to the efforts of a notorious Chinese hacking gang.

Symantec’s cybersecurity experts say a Chinese hacking group called Cicada (aka Stone Panda or APT10) is leveraging VLC on Windows systems to launch malware used to spy on 

Chinese hackers are using VLC Media Player malware to launch the attack

Chinese hackers are using VLC Media Player for secretly spying on people. Here’s what you need to know about the malware attack.

governments and related organizations. Additionally, Cicada has targeted legal and non-profit sectors, as well as organizations with religious connections. The hackers have cast a wide net, with targets in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.

Chinese hackers use VLC media player to launch cyberattacks

According to Symantec, Cicada grabs a clean version of VLC and drops a malicious file alongside the media player’s export functions. It’s a technique that hackers frequently rely on to sneak malware into what would otherwise be legitimate software. Cicada then uses a VNC remote-access server to fully own the compromised system. They can then evade detection using hacking tools like Sodamaster, which scans targeted systems, downloads more malicious packages, and obscures communications between compromised systems and the hackers’ command-and-control servers.

The VLC attacks — which Symantec believes may be ongoing — began in 2021 after hackers exploited a known Microsoft Exchange server vulnerability. Researchers indicate that while the mysterious malware lacks a fun, dramatic name like Xenomorph or Escobar, they are certain it’s being used for espionage — Cicada’s focus hints that this guess is correct. While the group has gone after the healthcare industry in the past, it’s also been attacking the defense, aviation, shipping, biotechnology, and energy sectors.

China-Backed Hacking Group Cicada Is Using VLC Media Player for Cyberattacks. Here’s How

With plenty of funding and sophisticated tools and techniques, groups like Cicada continue to pose a serious threat to computer systems around the world. There are a number of steps that can be taken to help protect against state-sponsored hacking, including maintaining up-to-date security software, using strong passwords, and backing up important data. After all, no one wants to make the hackers’ jobs any easier for them.

The VLC media player is reportedly under Chinese malware threat

VLC, the open-source and free multimedia player, is among the most used applications across operating platforms. The VLC makes it easy for the users to play videos and audio files. The easy-to-use and operate platform can play almost every type of file. The VLC file size makes it compatible to use it conveniently even in low memory devices but the recent reports point out that VLC is being targeted by the Chinese hackers.

Chinese hackers abuse VLC Media Player to launch malware loader

Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader.

The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents.

This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006.

Using VLC to deploy custom malware loader

The start of Cicada’s current campaign has been tracked to mid-2021 and was still active in February 2022. Researchers say that this activity may continue today.

There is evidence that some initial access to some of the breached networks was through a Microsoft Exchange server, indicating that the actor exploited a known vulnerability on unpatched machines.

Researchers at Symantec, a division of Broadcom, found that after gaining access to the target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player.

Brigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player’s export functions.

The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity.

Apart from the custom loader, which O Gorman said Symantec does not have a name but has been seen in previous attacks attributed to Cicada/APT10, the adversary also deployed a WinVNC server to gain remote control over victim systems.

The attacker also executed the Sodamaster backdoor on compromised networks, a tool believed to be used exclusively by the Cicada threat group since at least 2020.

Sodamaster runs in the system memory (fileless) and is equipped to evade detection by looking in the registry for clues of a sandbox environment or by delaying its execution.




Leave a Reply

Your email address will not be published.