Chinese Hackers Abuse VLC Media Player To Launch Malware Loader

Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader. BleepingComputer reports: The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents. This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006. Brigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player's export functions. The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity. Apart from the custom loader, which O Gorman said Symantec does not have a name but has been seen in previous attacks attributed to Cicada/APT10, the adversary also deployed a WinVNC server to gain remote control over victim systems. The attacker also executed the Sodamaster backdoor on compromised networks, a tool believed to be used exclusively by the Cicada threat group since at least 2020. Sodamaster runs in the system memory (fileless) and is equipped to evade detection by looking in the registry for clues of a sandbox environment or by delaying its execution. The malware can also collect details about the system, search for running processes, and download and execute various payloads from the command and control server. [...] The attackers(TM) dwell time on the networks of some of the discovered victims lasted for as long as nine months, the researchers note in a report today.Read more of this story at Slashdot.
Click here to read full news..