The Chinese government-backed hacking group 'Cicada' (also known as APT10) is now abusing the VLC media player to carry out cyberattacks across the globe, according to a report by Symantec Enterprise.
VLC media player is free, open-source media player and streaming server software available for desktop and mobile platforms such as Windows, Android (for smartphones), and Apple's iOS and iPadOS. According to protocol.com, VLC had been downloaded more than 3.5 billion times as of February 2021, making it one of the most popular free software projects then and now.
According to Symantec, the attackers abuse a legitimate copy of VLC Media Player to launch a custom loader through VLC's export functions, and then use the WinVNC tool for remote control of victim machines.
Brigid O'Gorman of Symantec's Threat Hunter Team told Bleeping Computer that the attacker uses a 'clean version of VLC' with a malicious DLL (dynamic link library) file placed in the same path as the media player's export functions. This is DLL side-loading: the legitimate, signed VLC executable is started and loads the attacker's DLL from its own directory instead of the library it expects, so the malware runs inside a trusted process. The technique is being used rampantly by threat actors to load malware into legitimate processes and hide the malicious activity, O'Gorman told the same outlet.
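As an added illustration (this is not code from the Symantec report or from this article), the following Python snippet shows one way a defender can hunt for the side-loading pattern described above in Sysmon Event ID 7 (ImageLoaded) telemetry: it flags any DLL that a vlc.exe process loads from its own directory unless the DLL carries a valid signature from the expected publisher. The field names follow Sysmon's ImageLoaded event; the sample records and the EXPECTED_SIGNER mapping are constructed assumptions for this example, not real telemetry or vendor data.

```python
"""Flag DLL side-loading candidates in Sysmon Event ID 7 (ImageLoaded) records.

Added example: the records below are constructed to look like Sysmon fields
(Image, ImageLoaded, Signed, Signature, SignatureStatus); they are not real logs.
"""
from pathlib import PureWindowsPath

# Assumption for this example: the publisher whose signature we expect on the
# DLLs that ship next to a given host executable.
EXPECTED_SIGNER = {"vlc.exe": "VideoLAN"}

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {  # legitimate VLC install loading its own signed library: benign
        "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
        "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
        "Signed": "true", "Signature": "VideoLAN", "SignatureStatus": "Valid",
    },
    {  # system DLL from System32, not from VLC's directory: benign
        "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {  # clean vlc.exe dropped in Temp loading an unsigned DLL beside it: side-load
        "Image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libvlc.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {  # DLL beside vlc.exe signed by someone other than VideoLAN: side-load
        "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
        "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlccore.dll",
        "Signed": "true", "Signature": "Contoso Ltd", "SignatureStatus": "Valid",
    },
    {  # unrelated process with no expected signer configured: ignored
        "Image": r"C:\Windows\System32\notepad.exe",
        "ImageLoaded": r"C:\Windows\System32\comctl32.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
]


def is_sideload_candidate(event: dict) -> bool:
    """Return True if the loaded DLL looks like a side-load into a watched host.

    A DLL is suspicious when it sits in the same directory as the host process
    (the classic side-loading placement) and is not validly signed by the
    publisher we expect for that host.
    """
    host = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])

    expected = EXPECTED_SIGNER.get(host.name.lower())
    if expected is None:
        return False  # not a host executable we watch

    # PureWindowsPath compares case-insensitively, matching NTFS semantics.
    if dll.parent != host.parent:
        return False  # loaded from elsewhere (e.g. System32), not a side-load

    validly_signed = (
        event.get("Signed", "").lower() == "true"
        and event.get("SignatureStatus") == "Valid"
    )
    if validly_signed and event.get("Signature") == expected:
        return False  # the publisher's own library, as expected

    return True


def scan(events) -> list:
    """Return the ImageLoaded paths of all side-load candidates, in input order."""
    return [e["ImageLoaded"] for e in events if is_sideload_candidate(e)]


if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("side-load candidate:", path)
```

In production this check would be fed from Sysmon's forwarded XML or EVTX rather than a literal list, and the signer map would be extended to every signed host binary an organisation allows to run from user-writable locations; the directory-equality test is what distinguishes side-loading from ordinary system DLL loads.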
Symantec also revealed that other tools used in this attack campaign include:
1. RAR archiving tool - can be used to compress, encrypt, or archive files, likely in preparation for exfiltration.
2. System/network discovery - techniques the attackers use to determine what systems or services are reachable from an infected machine.
3. WMIExec - a tool that uses Windows Management Instrumentation (WMI) to execute commands on remote computers.
4. NBTScan - an open-source NetBIOS scanner that has been observed being used by APT groups to conduct internal reconnaissance within a compromised network.
Symantec also revealed that victims in this campaign appear to be primarily government-related institutions or NGOs, some of which work in the fields of education and religion. There were also victims in the telecoms, legal, and pharmaceutical sectors, according to the report.
“The victims are spread through a wide number of regions including the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. There is also just one victim in Japan, which is notable due to Cicada’s previous strong focus on Japanese-linked companies,” Symantec wrote in its blog post, adding that the attackers spent as long as nine months on the networks of some victims.