VLC Media Player Leveraged by Hackers to Distribute Malware Loader
The Threat Actors Employed DLL Side-Loading Techniques.
A lasting malicious campaign employed by threat actors linked to the Chinese government has been recently discovered by security experts. Its purpose is the launching of a custom malware loader by means of the VLC Media Player.
A Chinese state-backed advanced persistent threat (APT) group is attacking organizations around the globe in a likely espionage campaign that has been ongoing for several months. (…) Victims in this Cicada (aka APT10) campaign include government, legal, religious, and non-governmental organizations (NGOs) in multiple countries around the world, including in Europe, Asia, and North America. The wide number of sectors and geographies of the organizations targeted in this campaign is interesting. Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies, though in more recent times it has been linked to attacks on managed service providers (MSPs) with a more global footprint. However, this campaign does appear to indicate a further widening of Cicada’s targeting. The attribution of this activity to Cicada is based on the presence on victim networks of a custom loader and custom malware that are believed to be exclusively used by the APT group.
Cicada Malicious Campaign: More Details
The current malicious campaign led by Cicada began in the middle of 2021 and was still going strong in February 2022. According to researchers, similar actions may continue now.
Specific evidence shows that the actor gained access to some of the penetrated networks via a Microsoft Exchange server, implying that the threat actors took advantage of a known vulnerability on unpatched devices.
The ones who published a report on this topic were the Symantec researchers. They discovered that after getting access to the target PC, the hacker used the popular VLC media player to install a modified loader on compromised devices.
The threat actor utilizes a clean version of VLC with a malicious DLL file in the same location as the media player’s export functions, according to Brigid O Gorman of Symantec Threat Hunter Team.
What is DLL side-loading? DLL side-loading is a technique used by threat actors to load malware into normal processes in order to mask malicious activity.
It seems that apart from the proprietary loader the hacker also used a WinVNC server to obtain remote access to victim systems.
Besides, the threat actor under discussion installed the Sodamaster backdoor on infiltrated networks. This tool is thought to have been used solely by the Cicada hacking group since at least 2020.
Sodamaster operates in system memory (fileless) and can elude discovery by scanning for sandbox environment cues in the registry or delaying its execution.
Sodamaster is a known Cicada tool that is believed to be exclusively used by this group. It is a fileless malware that is capable of multiple functions, including evading detection in a sandbox by checking for a registry key or delaying execution; enumerating the username, hostname, and operating system of targeted systems; searching for running processes, and downloading and executing additional payloads. It is also capable of obfuscating and encrypting traffic that it sends back to its command-and-control (C&C) server. It is a powerful backdoor that Cicada has been using since at least 2020.
What can the malware also do is gather system info, look for running processes, and download and run payloads from the command and control server.
What Other Utilities Have Been Identified?
Other utilities that have been identified as part of this campaign are the following:
- A RAR archiving program, which has the role to compress, encrypt and archiving files, actions believed to be performed for exfiltration purposes.
- Threat actors can use system/network discovery to learn about the systems or services linked to an infected workstation.
- WMIExec that is a command-line utility from Microsoft that may be used to run commands on distant systems.
- APT organizations have been spotted using NBTScan, an open-source application, for reconnaissance in a compromised network.
Who Is Targeted in This Cicada Campaign?
According to the experts, the attackers’ stay time on the networks of some of the detected victims extended up to nine months.
Apparently, the threat actors focused on government-related or non-governmental organizations (NGOs) (engaged in educational or religious activities), as well as telecommunications, legal, and pharmaceutical firms.
The Cicada campaign has victims in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy, according to Symantec experts.
It’s worth noting that only one of the victims is from Japan, which has long been a target of the Cicada gang.
Cicada has previously targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government while focusing on Japanese-linked corporations.