Computer security researchers have uncovered a long-running malicious campaign by hackers associated with the Chinese government. They evidently use VLC Media Player to spread dangerous malware on their victims' PCs.
Over its long career, the multimedia player VLC Media Player has been unwittingly hijacked by hackers on numerous occasions. In 2017, for example, hackers targeted VLC users with malicious subtitle files. In 2019, a critical security flaw allowed an attacker to execute arbitrary code remotely.
Now, computer security researchers at Symantec have discovered a long-running malicious campaign by hackers with links to the Chinese government. The group behind it is Cicada, which has been operating for almost 15 years. The operation was first observed in mid-2021 and was still active in February 2022. Symantec's experts believe it is still ongoing.
This campaign was evidently launched for espionage purposes against various entities involved in governmental, legal and religious activities, as well as NGOs. According to the researchers, access to the targeted networks was obtained through a Microsoft Exchange server, by way of a known but unpatched vulnerability on the machines in question.
Hackers use VLC to spread malware
After gaining access to the targeted PCs, the attacker deployed a modified version of VLC together with a malicious DLL file. This technique, known as DLL sideloading, has been used for many years by hackers to load malware into legitimate processes in order to conceal malicious activity.
To put it simply, many applications share common functions. To make development easier, these functions are stored in libraries; when an app needs a particular function, it loads it from the corresponding library.
With this technique, hackers simply replace the legitimate library with a fake one that carries the same name and exposes the same functions. The function behind a given call, however, is modified so that it executes something else entirely: in this case, spreading malware via the VLC media player. Specifically, it would be the Sodamaster malware, which can collect system details, search for running processes and download and execute various payloads remotely.
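As an added illustration of the defensive side of this (example code, not from the article or from Symantec), the following Python script shows the basic check a sideloaded DLL defeats unless it is run: record a baseline of the DLLs shipped with a trusted install, then re-scan the install directory and flag DLLs that were replaced or planted. All file names and contents are constructed for the demo.

```python
# Added example (not from the article or Symantec): baseline integrity check
# for DLL sideloading. Build a manifest of the DLLs shipped with a trusted
# install, then re-scan the directory to find DLLs that were replaced (same
# name, different content) or planted (never shipped). Files and names below
# are constructed for the demo, not real VLC components.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large DLLs are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(app_dir: Path) -> dict:
    """Record lowercase name -> SHA-256 for every DLL in the trusted install."""
    return {p.name.lower(): sha256_file(p) for p in app_dir.rglob("*.dll")}

def check_dir(app_dir: Path, manifest: dict) -> dict:
    """Compare the live directory with the manifest.

    'replaced' is the sideloading pattern from the article: a legitimate
    file name whose contents no longer match; 'planted' DLLs were never
    shipped; 'missing' ones are gone. Lists are sorted for stable output.
    """
    seen = {p.name.lower(): sha256_file(p) for p in app_dir.rglob("*.dll")}
    return {
        "replaced": sorted(n for n in seen if n in manifest and seen[n] != manifest[n]),
        "planted": sorted(n for n in seen if n not in manifest),
        "missing": sorted(n for n in manifest if n not in seen),
    }

def demo() -> dict:
    """Constructed scenario: clean install, then one DLL swapped and one added."""
    with tempfile.TemporaryDirectory() as tmp:
        app = Path(tmp)
        (app / "vlc.exe").write_bytes(b"constructed player binary")
        (app / "libvlc.dll").write_bytes(b"constructed legitimate library")
        manifest = build_manifest(app)
        (app / "libvlc.dll").write_bytes(b"constructed replacement")  # swapped DLL
        (app / "extra.dll").write_bytes(b"constructed planted file")  # new DLL
        return check_dir(app, manifest)

if __name__ == "__main__":
    print(demo())
```

In practice the manifest would be built from a freshly installed, signature-verified copy and the scan run periodically or from an EDR job; a hash mismatch on a DLL next to a signed executable is the signal to investigate.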
Source: Bleeping Computer