Everyone's favorite media player abused to launch malware attacks

Cybercriminals are using the popular VLC media player to distribute malware and spy on government agencies and adjacent organizations, cybersecurity researchers have warned.

As reported by BleepingComputer, a threat actor called Cicada (also known as Stone Panda and APT10) is targeting organizations in the government, legal, and NGO sectors, as well as some engaged in “religious activities”.

These organizations are mostly located in the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. Given that Japan has traditionally been Cicada’s main hunting ground, researchers are under the impression the group is broadening its horizons.

Broader attacks

Cicada also seems to be attacking a broader range of industries, as historically the group has focused on firms in healthcare, defense, aerospace, finance, maritime, biotechnology and energy sectors.

The malware used as part of this latest round of attacks does not have a name, but researchers from Symantec, who were responsible for the discovery, believe it’s being used for espionage.

Apparently, the threat actor, which seems to be of Chinese origin, used a known Microsoft Exchange server vulnerability to gain initial access. The campaign started in mid-2021 and could still be ongoing. 

Speaking to Bleeping Computer, Brigid O Gorman of Symantec said the attackers “side-loaded” the malware, using a clean version of VLC with a malicious DLL file in the same path as the media player’s export functions.

Besides the malware, Cicada also deployed a WinVNC server for remote control and the Sodamaster backdoor.

Among the data Cicada collects with its malware is system details and active processes. It can also download and run different payloads.

• Defend your premises from ransomware with the best ransomware protection services right now (opens in new tab)

Via BleepingComputer (opens in new tab)