Chinese hackers use VLC Media Player to run malware

Symantec security researchers have discovered a malicious campaign by Chinese hackers who use VLC Media Player to launch a custom malware loader on victims’ systems.

Symantec attributes the detected activity to the Cicada hack group (aka menuPass, Stone Panda, Potassium, APT10, Red Apollo), which has been known to researchers since 2006, that is, for more than 15 years. The group mainly engages in espionage, attacking government, legal and religious organizations as well as non-profits on at least three continents.

The current Cicada campaign began in 2021, and Symantec notes that it was still active in February 2022.
According to Symantec, in some of the compromised networks the hackers gained initial access through Microsoft Exchange servers, which suggests that the attackers exploited a known Exchange vulnerability.

However, what caught the researchers' attention was what happened after the attackers had a foothold on the target machine: they abused the popular VLC media player to deploy a custom loader on compromised systems.

"The attackers use a clean version of VLC Media Player with a malicious DLL file located in the same path as the media player's export functions. This method is known as 'side-loading' and is widely used by hackers to load malware into legitimate processes to hide malicious activity," the analysts said.
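Side-loading works because the Windows loader looks in the application's own directory before the system directories when it resolves a DLL that is not on the KnownDLLs list, so a DLL dropped next to a legitimately signed executable gets loaded into that trusted process. The heuristic hunt below is an added example, not code from Symantec or from the Cicada toolset: it scans image-load records (constructed here in the shape of Sysmon Event ID 7 fields, not real telemetry) and flags DLLs loaded from the host executable's directory whose signer does not match the host's. The VLC paths, signer names, the `version.dll`/`helper.dll` file names and the `COMMON_SIDELOAD_NAMES` set are assumptions for illustration, not a statement about which DLL this campaign used.

```python
"""Heuristic detection of DLL side-loading from image-load events.

Added example; the events below are constructed to resemble Sysmon
Event ID 7 (Image loaded) fields and are not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional, Tuple

# PureWindowsPath compares case-insensitively, so "c:\windows\system32" matches.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

# DLL names that normally live in System32 and are frequently planted beside a
# host executable. Illustrative set (assumption), not the DLL used by Cicada.
COMMON_SIDELOAD_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll", "wtsapi32.dll"}


@dataclass(frozen=True)
class ImageLoad:
    process_image: str    # executable that performed the load
    process_signer: str   # Authenticode signer of the executable, "" if unsigned
    image_loaded: str     # full path of the DLL that was loaded
    dll_signer: str       # Authenticode signer of the DLL, "" if unsigned


def classify(ev: ImageLoad) -> Optional[str]:
    """Return a reason string if the load looks like side-loading, else None."""
    exe = PureWindowsPath(ev.process_image)
    dll = PureWindowsPath(ev.image_loaded)

    if any(dll.parent == d for d in SYSTEM_DIRS):
        return None  # resolved from a system directory: not the side-load pattern
    if dll.parent != exe.parent:
        return None  # the application-directory search rule only applies beside the exe
    if not ev.process_signer:
        return None  # unsigned host: nothing to hide behind, low value for the attacker

    reasons = []
    if not ev.dll_signer:
        reasons.append("unsigned DLL beside signed host")
    elif ev.dll_signer != ev.process_signer:
        reasons.append(
            f"DLL signer {ev.dll_signer!r} differs from host signer {ev.process_signer!r}"
        )
    if dll.name.lower() in COMMON_SIDELOAD_NAMES:
        reasons.append("name collides with a system DLL")
    return "; ".join(reasons) or None


def find_sideload_candidates(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    """Return (dll_path, reason) for every event that classify() flags."""
    found = []
    for ev in events:
        reason = classify(ev)
        if reason:
            found.append((ev.image_loaded, reason))
    return found


# Constructed sample events (assumption): a signed VLC binary running from a
# user-writable directory loads two legitimate DLLs and two planted ones.
VLC = r"C:\Users\alice\AppData\Local\Temp\vlc\vlc.exe"
SAMPLE_EVENTS = [
    ImageLoad(VLC, "VideoLAN", r"C:\Users\alice\AppData\Local\Temp\vlc\libvlc.dll", "VideoLAN"),
    ImageLoad(VLC, "VideoLAN", r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
    ImageLoad(VLC, "VideoLAN", r"C:\Users\alice\AppData\Local\Temp\vlc\version.dll", ""),
    ImageLoad(VLC, "VideoLAN", r"C:\Users\alice\AppData\Local\Temp\vlc\helper.dll", "Contoso Ltd"),
]

if __name__ == "__main__":
    for path, why in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"SIDELOAD? {path}: {why}")
```

The signer comparison is the part worth keeping in a real hunt: a vendor's own DLLs beside its executable are expected, a DLL that is unsigned or signed by someone else is not, and a system DLL name appearing in the application directory is the classic planting pattern. Feed it real Sysmon Event ID 7 records (the Signed, Signature, Image and ImageLoaded fields) and whitelist known installers before alerting.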

In addition to the loader mentioned above, which has no name of its own even though it was also used in earlier Cicada attacks, the attackers deployed a WinVNC server on compromised systems to gain remote control of the victims' machines.

The hackers also used the Sodamaster backdoor, a tool that has been seen only in Cicada's hands since at least 2020. Sodamaster runs entirely in memory, which helps it evade detection, and checks the registry for traces of a sandbox or delays its execution. The malware can also collect information about the system, enumerate running processes, and download and execute additional payloads from its command-and-control server.

Many of the organizations targeted by this campaign are government-affiliated or non-profit organizations engaged in educational or religious activities. Companies from the telecommunications, legal and pharmaceutical sectors also became victims.

The researchers highlight the wide geographic spread of this Cicada campaign, which covers the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy. Notably, only one of the victims is located in Japan, although that country had been Cicada's focus for many years.

Compared to the group's previous attacks, which mainly targeted companies associated with Japan, the attackers have significantly broadened their range of interests this time.

Let me remind you that we also reported that Chinese hackers used a new backdoor to spy on the government of a Southeast Asian country, and that the FireEye CEO blamed Chinese hackers for indiscriminate cyberattacks on Microsoft Exchange.

Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
