Thursday, June 13, 2024

Chinese hackers use VLC media player to launch cyberattacks


Researchers have found that Chinese hackers have used VLC Media Player to launch cyber security attacks.

The hacker group, allegedly affiliated with the Chinese government, uses the popular media player to deploy malware on targeted computers.


These activities have been traced to a hacker group called Cicada, which is also known by a long list of other names, such as menuPass, Stone Panda, APT10, Potassium, and Red Apollo. Cicada has been around for a long time – at least since 2006.

The malware deployed to the victims of the attack opens the door for the hackers to obtain all kinds of information. It can gather details about the system, enumerate running processes and download files on command, widening the scope for abuse. Such covert attacks are not uncommon, but this one seems to have taken place on a large scale.

This campaign, involving the popular VLC Media Player, seems to have been launched for espionage purposes. According to a Bleeping Computer report, the targets include a wide range of entities involved in legal, governmental or religious activities. Non-governmental organizations were also targeted. What is perhaps more surprising is that this activity has spread to entities across at least three continents.

Some of the targeted countries include the United States, Hong Kong, India, Italy, and Canada. Surprisingly, only one of the victims was from Japan, even though the Cicada group has targeted Japan many times in the past. After the attackers gained access to a victim’s machine, they were able to maintain that access for up to nine months.

VLC Media Player.

Although VLC was used to deploy the malware, the player itself was clean. A legitimate copy of VLC was combined with a malicious DLL file placed in the same path as the media player’s export functions, so the clean executable loaded the attacker’s library. This is referred to as DLL side-loading, and Cicada is not alone in using this technique to load malware through programs that are otherwise safe.

The loader Cicada typically uses was apparently seen in previous attacks, which were also attributed to the group. To gain initial access to the networks that were breached, a Microsoft Exchange server was exploited. Additionally, a WinVNC server was deployed to establish remote control over the systems compromised by the hidden malware.

There is more to the VLC abuse than meets the eye. In addition, a tool called Sodamaster was used, which runs covertly in system memory without requiring any files on disk. It is able to evade detection and can delay its execution at startup.

While these attacks are certainly dangerous, not every VLC user has to worry. The media player itself has proven to be clean, and the attackers appear to have taken a highly targeted approach focused on specific entities. However, it is always important to stay on top of security where computers are concerned.

The information comes from Symantec and has been reported by Bleeping Computer. Symantec researchers have discovered that these cyber security attacks may have started in mid-2021 and continued into February 2022. However, it is entirely possible that this threat continues to this day.
