Chinese hackers are secretly using VLC Media Player to spy on people. VLC is a very popular media player used by most people, because it takes up little space on a PC, loads quickly and works with almost every video format. A recent report suggests that attackers are exploiting its popularity to launch malware attacks on users.
According to a report by Symantec's cybersecurity researchers, a state-sponsored Chinese group called Cicada (also known as APT10) is using VLC Media Player on Windows PCs to launch malware for spying on government, legal, religious, telecom, pharmaceutical and non-governmental organizations (NGOs) in countries across the globe, including in Europe, Asia and North America. The victims of Cicada's cyberattacks are spread across the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro, Italy and Japan.
According to the report, the attackers use the legitimate VLC Media Player by launching a custom loader via the VLC Exports function. They plant malware alongside legitimate software and then use the WinVNC tool to remotely control victims' systems. Once the attackers have gained access to a victim's system, they deploy a variety of tools, including a custom loader and the Sodamaster backdoor. Sodamaster is fileless malware with several capabilities: evading detection in a sandbox by checking for a registry key or delaying execution, enumerating the username, hostname and operating system of selected systems, searching for running processes, and downloading and executing additional payloads. According to the report, the tool can also obfuscate and encrypt the traffic it sends back to its command-and-control (C&C) server.
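The pattern described above, a legitimate signed VLC binary running from an unexpected location, loading a library from its own directory and then spawning a remote-control tool such as WinVNC, is something a defender can hunt for in endpoint telemetry. The script below is an added example written for this page; it is not code from the article or from Symantec's report. It assumes Sysmon-style process-creation and image-load events reduced to dictionaries, a hypothetical list of trusted VLC install directories, and a small set of constructed sample events.

```python
"""Hunting heuristics for the VLC-abuse pattern described in the article.

Added example, not from the article or the Symantec report. Field names,
trusted directories and sample events are assumptions constructed here.
"""
import ntpath  # handles Windows-style paths regardless of host OS
from typing import Dict, Iterable, List

# Directories a normally installed VLC would run from (assumed; adjust per estate).
TRUSTED_VLC_DIRS = (
    r"c:\program files\videolan\vlc",
    r"c:\program files (x86)\videolan\vlc",
)

# Remote-control tooling the article associates with post-compromise activity.
REMOTE_CONTROL_TOOLS = {"winvnc.exe"}

# Constructed sample telemetry: a benign VLC launch, a copy of the signed VLC
# binary dropped in a user-writable folder that loads a DLL from that same
# folder, and a VNC tool spawned by that suspicious VLC process.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 100, "ppid": 1,
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "signed": True},
    {"type": "image_load", "pid": 100,
     "image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "module": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    {"type": "process_create", "pid": 200, "ppid": 1,
     "image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe", "signed": True},
    {"type": "image_load", "pid": 200,
     "image": r"C:\Users\alice\AppData\Local\Temp\vlc.exe",
     "module": r"C:\Users\alice\AppData\Local\Temp\libvlc.dll"},
    {"type": "process_create", "pid": 300, "ppid": 200,
     "image": r"C:\Users\alice\AppData\Local\Temp\winvnc.exe", "signed": False},
]


def hunt(events: Iterable[Dict]) -> List[Dict]:
    """Return findings for VLC processes outside trusted install paths,
    same-directory library loads by such processes (a side-loading
    indicator, since the signed host binary itself looks legitimate),
    and remote-control tools spawned by them."""
    findings: List[Dict] = []
    suspicious_vlc_pids = set()

    for ev in events:
        image = ev["image"]
        name = ntpath.basename(image).lower()
        directory = ntpath.dirname(image).lower()
        vlc_untrusted = name == "vlc.exe" and directory not in TRUSTED_VLC_DIRS

        if ev["type"] == "process_create":
            if vlc_untrusted:
                suspicious_vlc_pids.add(ev["pid"])
                findings.append({"rule": "vlc_outside_install_dir",
                                 "pid": ev["pid"], "path": image})
            elif name in REMOTE_CONTROL_TOOLS and ev["ppid"] in suspicious_vlc_pids:
                findings.append({"rule": "remote_control_child_of_vlc",
                                 "pid": ev["pid"], "path": image})

        elif ev["type"] == "image_load" and vlc_untrusted:
            # A library resolved from the binary's own (untrusted) folder is the
            # classic shape of a side-loaded loader; the same load from the
            # real install directory is normal and is deliberately not flagged.
            if ntpath.dirname(ev["module"]).lower() == directory:
                findings.append({"rule": "vlc_same_dir_dll_load",
                                 "pid": ev["pid"], "path": ev["module"]})

    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The rules are deliberately narrow: a signed VLC in its install directory loading its own libraries produces nothing, so noise stays low, while the three findings together (odd location, same-directory load, remote-control child) reconstruct the chain the report describes.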
Cicada's attack began in mid-2021, but its activity was most recently noticed in February 2022, when the hackers used an unpatched vulnerability in Microsoft Exchange servers to gain access to victims' networks. A few researchers believe that Cicada is using malware delivered via VLC media players to spy on its victims. The choice of pre-selected victims, the deployment of a variety of tools and the targeting pattern of Cicada's past activity all clearly indicate that this campaign is espionage.