According to a new report from Symantec, the legitimate VLC media player is being abused by a Chinese state-backed hacking group to run malware on compromised Windows systems. In a wide-ranging and sustained campaign, the group, known as Cicada, has targeted government organisations and NGOs. VLC itself is not compromised; the attackers use a genuine copy of the player to load their own code.
Symantec’s cybersecurity experts state, “A Chinese state-backed advanced persistent threat (APT) group is attacking organisations around the globe in a likely espionage campaign that has been ongoing for several months.”
VLC is free and open source and plays practically every media format, which is why it is installed and trusted almost everywhere. Cicada, also known as APT10, trades on that trust rather than on any flaw in the player. The group is a Chinese state-sponsored actor conducting espionage against government, legal, religious and non-governmental organisations (NGOs) in multiple countries across Europe, Asia and North America.
Intriguingly, Cicada's early activity several years ago centred on companies with links to Japan, but the group has since been linked to attacks on managed service providers (MSPs) with a more global footprint.
Symantec's researchers attribute the activity to Cicada because of the presence on victim networks of a custom loader and custom malware believed to be used exclusively by that group.
In several cases the earliest activity on victim networks was seen on Microsoft Exchange servers, suggesting that a known, unpatched Exchange vulnerability may have been exploited to gain initial access. Once inside, the attackers deploy a range of tools, including the custom loader and the Sodamaster backdoor. The same loader was seen in an earlier Cicada attack.
Sodamaster is a well-known Cicada tool thought to be used exclusively by this group. It is a fileless backdoor that runs in memory and can evade sandbox analysis by checking for a particular registry key or by delaying its execution. It enumerates the victim's username, hostname and operating system, lists running processes, and downloads and executes additional payloads. It also obfuscates and encrypts traffic before sending it to its command-and-control (C&C) server. Cicada has used this backdoor since at least 2020.
The attackers have also been seen dumping credentials with a custom Mimikatz loader. This build of Mimikatz includes mimilib.dll, a Security Support Provider (SSP) that, once registered with the Local Security Authority through the registry, receives the plaintext credentials of every user who logs on to the compromised host. Because the registration is read at boot, the harvesting survives reboots without Mimikatz being run again.
The attackers also launch their custom loader through the legitimate VLC media player, reported as a DLL side-loading technique: a genuine vlc.exe is paired with an attacker-supplied library that exposes the exported functions the player expects, so the trusted, signed player process loads and runs the malicious code. Remote control of victims' machines is provided by the WinVNC tool.
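The following host-triage script is an added example written for this page; it is not code from Symantec or from the article. It checks a Windows machine for two of the artefacts described above: an LSA Security Support Provider registration of the kind mimilib.dll relies on (together with its default kiwissp.log output), and a running vlc.exe that sits outside the standard VideoLAN install directory or has loaded DLLs from elsewhere. The baseline list of Windows security packages and the install paths are assumptions about a default Windows build; hosts with third-party authentication packages will need the list extended.

```powershell
# Added triage example for the Cicada tradecraft described above; not Symantec's or the
# article's code. Run from an elevated 64-bit PowerShell prompt on the host under review.
# Assumptions: default Windows security-package names and default VideoLAN install paths.

# Security packages that Windows itself registers. Extend this for hosts that legitimately
# run third-party authentication packages. An empty entry is normal on recent builds.
$KnownSsp = @('', 'kerberos', 'msv1_0', 'schannel', 'wdigest', 'tspkg', 'pku2u', 'cloudap')

function Get-SuspiciousSecurityPackages {
    # mimilib.dll persists by adding itself to the REG_MULTI_SZ 'Security Packages' value,
    # which LSASS reads at boot. Report any entry that is not in the baseline.
    $keys = @('HKLM:\SYSTEM\CurrentControlSet\Control\Lsa',
              'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig')
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -Name 'Security Packages' -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($pkg in @($props.'Security Packages')) {
            if ($KnownSsp -notcontains $pkg) {
                [pscustomobject]@{ Key = $key; Package = $pkg }
            }
        }
    }
}

function Get-MimilibArtifacts {
    # A registered mimilib SSP writes captured logons to kiwissp.log next to LSASS.
    # The DLL is often renamed, so the log file is the more reliable indicator.
    $candidates = @(
        (Join-Path $env:SystemRoot 'System32\kiwissp.log'),
        (Join-Path $env:SystemRoot 'System32\mimilib.dll')
    )
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
        }
    }
}

function Get-SuspiciousVlcProcesses {
    # The side-loading described above needs a genuine vlc.exe placed next to an attacker
    # DLL, typically somewhere other than the real install directory. Flag vlc.exe running
    # from a non-standard path, any module loaded from outside that path or the Windows
    # directory, and show the Authenticode status of the libvlc.dll actually loaded.
    $standardDirs = foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)})) {
        if ($root) { (Join-Path $root 'VideoLAN\VLC').ToLower() }
    }
    foreach ($proc in Get-Process -Name vlc -ErrorAction SilentlyContinue) {
        if (-not $proc.Path) { continue }          # access denied or process already gone
        $exeDir = (Split-Path $proc.Path -Parent).ToLower()
        $finding = [pscustomobject]@{
            Pid             = $proc.Id
            Path            = $proc.Path
            OutsideInstall  = ($standardDirs -notcontains $exeDir)
            ForeignModules  = @()
            LibVlcSignature = 'not loaded'
        }
        try {
            foreach ($m in $proc.Modules) {
                $mPath = $m.FileName.ToLower()
                if (-not ($mPath.StartsWith($exeDir) -or $mPath.StartsWith($env:SystemRoot.ToLower()))) {
                    $finding.ForeignModules += $m.FileName
                }
                if ($m.ModuleName -ieq 'libvlc.dll') {
                    $sig = Get-AuthenticodeSignature -FilePath $m.FileName
                    $finding.LibVlcSignature = "$($sig.Status) $($sig.SignerCertificate.Subject)"
                }
            }
        } catch {
            $finding.ForeignModules = @("module list unavailable: $($_.Exception.Message)")
        }
        $finding
    }
}

Write-Host '== LSA Security Packages outside the baseline =='
Get-SuspiciousSecurityPackages | Format-Table -AutoSize
Write-Host '== mimilib artefacts =='
Get-MimilibArtifacts | Format-Table -AutoSize
Write-Host '== running vlc.exe processes =='
Get-SuspiciousVlcProcesses | Format-List
```

Treat the output as leads rather than verdicts. A vlc.exe running from a user-writable directory with a libvlc.dll whose signature status is not Valid is the pattern to pull for analysis; compare the signer and file hash against a clean VLC installation of the same version before concluding anything, and remember that an SSP entry added by Mimikatz only takes effect after the next reboot, so an empty baseline check does not rule out a pending registration that has already been written.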
Government-related institutions and NGOs appear to be the primary targets of this campaign, with some of the NGOs working in education and religion. Victims were also found in the telecommunications, legal and pharmaceutical sectors, across a range of countries including the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy. Only one victim was in Japan, which is notable given Cicada's earlier focus on Japanese-linked businesses.