Everyone's favorite media player abused to launch malware attacks

VLC
(Image credit: VideoLAN)
Audio player loading…

Cybercriminals are using the popular VLC media player to distribute malware and spy on government agencies and adjacent organizations, cybersecurity researchers have warned.

As reported by BleepingComputer, a threat actor called Cicada (also known as Stone Panda and APT10) is targeting organizations in the government, legal, and NGO sectors, as well as some engaged in “religious activities”.

These organizations are mostly located in the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. Given that Japan has traditionally been Cicada’s main hunting ground, researchers are under the impression the group is broadening its horizons.

TechRadar needs yo...

We're looking at how our readers use VPNs with different devices so we can improve our content and offer better advice. This survey shouldn't take more than 60 seconds of your time. Thank you for taking part.

>> Click here to start the survey in a new window (opens in new tab) <<

Broader attacks

Cicada also seems to be attacking a broader range of industries, as historically the group has focused on firms in healthcare, defense, aerospace, finance, maritime, biotechnology and energy sectors.

The malware used as part of this latest round of attacks does not have a name, but researchers from Symantec, who were responsible for the discovery, believe it’s being used for espionage.

Apparently, the threat actor, which seems to be of Chinese origin, used a known Microsoft Exchange server vulnerability to gain initial access. The campaign started in mid-2021 and could still be ongoing. 

Speaking to Bleeping Computer, Brigid O Gorman of Symantec said the attackers “side-loaded” the malware, using a clean version of VLC with a malicious DLL file in the same path as the media player’s export functions.

Besides the malware, Cicada also deployed a WinVNC server for remote control and the Sodamaster backdoor.

Among the data Cicada collects with its malware is system details and active processes. It can also download and run different payloads.

Via BleepingComputer (opens in new tab)

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.