Cicada, a hacking group reportedly backed by the Chinese government, is using the VLC media player to deploy a malware loader as part of a long-running cyberattack campaign, security experts have discovered.
The campaign, which spans at least three continents, appears to be aimed at espionage and has targeted several groups involved in political, legal and religious activities, as well as non-governmental organizations (NGOs). The activity has been traced to the threat actor Cicada, also known as menuPass, Stone Panda, Potassium, APT10 and Red Apollo, which has been active for more than 15 years.
Many of the organizations targeted in this campaign appear to be government-related, alongside telecommunications, legal and pharmaceutical firms.
According to Symantec experts, the victims of the Cicada campaign are located in the United States, Canada, Hong Kong, Turkey, Israel, Montenegro, Italy and India. Only one of the victims is in Japan, which has long been a target of the Cicada group.
However, the victims in this campaign show that the threat actor's interests have diversified, in contrast to its previous targeting, which focused on Japan-linked companies. Cicada has previously targeted the healthcare, defence, aerospace, finance, maritime, biotechnology, energy and government sectors.
Using VLC Media Player
According to the researchers’ findings, the current Cicada campaign began in the middle of last year, was still going strong in February 2022, and similar activity may continue. There is evidence that the threat actor gained initial access to some of the compromised networks through Microsoft Exchange Server, meaning the hackers exploited a known vulnerability on unpatched systems.
Researchers at Symantec, a division of the American semiconductor company Broadcom, found that after gaining access to a target machine, the attacker used the popular VLC media player to install a modified loader on compromised devices.
According to Brigid O’Gorman of the Symantec Threat Hunter team, the attackers use a clean copy of VLC with a malicious Dynamic-Link Library (DLL) file placed in the same path as the media player’s export functions. DLL side-loading is a technique in which threat actors get a legitimate, trusted process to load their malware so that the malicious behaviour is hidden behind a normal-looking process.
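The side-loading pattern described above has a simple defensive signature: a trusted executable loading a DLL from its own directory that does not carry the vendor's signature. The following is an added detection example, not code from Symantec, VideoLAN or the article; it parses image-load records in the key/value shape Sysmon Event ID 7 shows in Event Viewer (Image, ImageLoaded, Signed, Signature) and flags any DLL that a vlc.exe process loaded from beside itself without a VideoLAN signature. The sample records, the "VideoLAN" publisher string and the process name are constructed assumptions for the demonstration.

```python
"""Hunt for DLL side-loading beside a signed VLC binary.

Added example (not Symantec's or VideoLAN's code). It reads image-load
records in the key/value form Sysmon Event ID 7 renders in Event Viewer
and flags a DLL that vlc.exe pulled from its own directory without a
VideoLAN signature. All input below is constructed, not real telemetry.
"""
from pathlib import PureWindowsPath
from typing import Iterator, List, Optional, Tuple

# Constructed sample of four Sysmon ImageLoad records (assumption: this
# is the Image/ImageLoaded/Signed/Signature layout the reader exports).
SAMPLE_LOG = """\
Image: C:\\Program Files\\VideoLAN\\VLC\\vlc.exe
ImageLoaded: C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll
Signed: true
Signature: VideoLAN

Image: C:\\Users\\Public\\Libraries\\vlc.exe
ImageLoaded: C:\\Users\\Public\\Libraries\\libvlc.dll
Signed: false
Signature: -

Image: C:\\Users\\Public\\Libraries\\vlc.exe
ImageLoaded: C:\\Windows\\System32\\kernel32.dll
Signed: true
Signature: Microsoft Windows

Image: C:\\Windows\\System32\\notepad.exe
ImageLoaded: C:\\Windows\\System32\\kernel32.dll
Signed: true
Signature: Microsoft Windows
"""

TRUSTED_PUBLISHER = "videolan"  # assumption: genuine VLC DLLs are VideoLAN-signed
WATCHED_PROCESS = "vlc.exe"     # the legitimate host process being abused


def parse_records(text: str) -> Iterator[dict]:
    """Split blank-line-separated records into dicts keyed by lowercase field name."""
    record = {}
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
                record = {}
            continue
        key, _, value = line.partition(":")
        record[key.strip().lower()] = value.strip()
    if record:
        yield record


def sideload_reason(rec: dict) -> Optional[str]:
    """Return a human-readable reason if the record looks like side-loading, else None."""
    proc = PureWindowsPath(rec.get("image", ""))
    dll = PureWindowsPath(rec.get("imageloaded", ""))
    if proc.name.lower() != WATCHED_PROCESS:
        return None
    # Side-loading depends on the DLL sitting next to the EXE; loads from
    # System32 and similar are ordinary dependency resolution.
    if dll.parent != proc.parent:  # PureWindowsPath compares case-insensitively
        return None
    signed = rec.get("signed", "false").lower() == "true"
    if signed and TRUSTED_PUBLISHER in rec.get("signature", "").lower():
        return None
    return (f"{dll.name} loaded by {proc} from its own directory "
            f"without a valid {TRUSTED_PUBLISHER} signature")


def find_sideload_candidates(text: str) -> List[Tuple[str, str]]:
    """Return (dll_path, reason) pairs for every suspicious record in the log."""
    hits = []
    for rec in parse_records(text):
        reason = sideload_reason(rec)
        if reason:
            hits.append((rec["imageloaded"], reason))
    return hits


if __name__ == "__main__":
    for path, reason in find_sideload_candidates(SAMPLE_LOG):
        print(path, "->", reason)
```

Only the unsigned libvlc.dll sitting next to a vlc.exe copy in a user-writable directory is flagged; the genuine VideoLAN-signed library and the System32 dependencies pass. Because Sysmon's Signed field reflects signature validity, a tampered DLL that still names VideoLAN as publisher would also be caught, and the unusual location of vlc.exe itself (outside Program Files) is a second indicator worth surfacing in the same hunt.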
In addition to the custom loader, which O’Gorman says has no name but has previously been seen in Cicada/APT10 attacks, the adversary also used a WinVNC server to gain remote access to the victim’s system.
On the infiltrated network, the attacker additionally deployed the Sodamaster backdoor, a tool believed to have been used exclusively by the Cicada threat group since at least 2020. Sodamaster runs in system memory and can evade or delay detection by checking the registry for signs of a sandbox environment and by delaying its own execution.
The malware can also collect information about the system, enumerate running processes, and download and run payloads from command-and-control servers.