Cicada, a hacking group allegedly backed by the Chinese government, is using VLC Media Player to deploy a malicious loader as part of a long-running cyberattack campaign, security experts have discovered.
The campaign, which spans at least three continents, appears to be aimed at espionage and has targeted numerous groups involved in political, legal and religious activities, as well as non-governmental organisations (NGOs). The activity has been attributed to the threat actor Cicada, also known as menuPass, Stone Panda, Potassium, APT10 and Red Apollo, which has been active for over 15 years.
Many of the organisations targeted in this campaign appear to be government-related; telecommunications, legal and pharmaceutical firms have also been hit.
The Cicada campaign has victims in the United States, Canada, Hong Kong, Turkey, Israel, Montenegro, Italy and India, according to Symantec experts. Only one of the victims is from Japan, which has long been a target of the Cicada gang.
The victims in this campaign show that the threat actor’s interests have broadened beyond its earlier focus on Japanese-linked companies. Cicada has also previously targeted the healthcare, defence, aerospace, finance, maritime, biotechnology, energy and government sectors.
USING VLC MEDIA PLAYER
According to the researchers, Cicada’s current campaign began in the middle of last year, was still active in February 2022 and may well continue. There is evidence that the threat actor gained access to some of the compromised networks via a Microsoft Exchange server, implying that the attackers exploited a known vulnerability on unpatched systems.
Researchers at Symantec, an arm of the American semiconductor company Broadcom, found that after gaining access to a target machine, the attacker used the popular VLC Media Player to install a custom loader on compromised devices.
The attackers use a clean version of VLC with a malicious dynamic-link library (DLL) file placed in the same path as the media player’s export functions, according to Brigid O Gorman of Symantec’s Threat Hunter Team. DLL side-loading is a technique in which attackers get a legitimate, trusted process to load their malicious DLL, so the malicious activity is masked behind a normal process.
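As an added illustration of the side-loading pattern described above (this is not code from Symantec or from the article), the following Python function scans image-load telemetry for a DLL resolved from the executable's own directory that either carries a well-known system DLL name or is not signed by the host executable's publisher. The sample events, paths and signer names are constructed for the example and are not indicators from the campaign.

```python
"""Heuristic detector for DLL side-loading from image-load telemetry."""
from pathlib import PureWindowsPath

# Constructed sample records, shaped loosely like Sysmon Event ID 7
# (Image loaded). Paths and signer names are invented for illustration.
SAMPLE_EVENTS = [
    # Benign: VLC loading its own signed library from its install directory.
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "image_signer": "VideoLAN",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll", "loaded_signer": "VideoLAN"},
    # Benign: a system DLL resolved from System32, not from the app directory.
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe", "image_signer": "VideoLAN",
     "loaded": r"C:\Windows\System32\version.dll", "loaded_signer": "Microsoft Windows"},
    # Suspicious: an unsigned DLL sitting beside a signed vlc.exe in a temp folder.
    {"image": r"C:\Users\alice\AppData\Local\Temp\vlc\vlc.exe", "image_signer": "VideoLAN",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\vlc\libvlc.dll", "loaded_signer": None},
    # Suspicious: a DLL that normally lives in System32 resolved from the app directory.
    {"image": r"C:\Users\alice\AppData\Local\Temp\vlc\vlc.exe", "image_signer": "VideoLAN",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\vlc\version.dll", "loaded_signer": "VideoLAN"},
]

# Constructed subset of DLL names that belong in System32; a copy of one of
# these in an application directory is a classic search-order hijack.
SYSTEM_DLL_NAMES = {"version.dll", "userenv.dll", "dbghelp.dll", "cryptsp.dll"}


def find_sideload_candidates(events, system_dlls=SYSTEM_DLL_NAMES):
    """Return (host_exe, dll_path, reason) for loads that look like side-loading."""
    hits = []
    for ev in events:
        exe = PureWindowsPath(ev["image"])
        dll = PureWindowsPath(ev["loaded"])
        # Only DLLs loaded from the executable's own directory are of interest;
        # PureWindowsPath compares case-insensitively, as Windows does.
        if dll.parent != exe.parent:
            continue
        name = dll.name.lower()
        if name in system_dlls:
            hits.append((str(exe), str(dll),
                         "system DLL name resolved from application directory"))
        elif ev["image_signer"] and ev["loaded_signer"] != ev["image_signer"]:
            hits.append((str(exe), str(dll),
                         "co-located DLL not signed by the host executable's publisher"))
    return hits


if __name__ == "__main__":
    for host, dll, reason in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"{host} loaded {dll}: {reason}")
```

A signed host binary dropped into a user-writable directory alongside an unsigned DLL is the shape of the VLC case in the article; in production the signer fields would come from Authenticode verification rather than from the event itself.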
Apart from the proprietary loader, which according to O Gorman has no name but has been seen in prior Cicada/APT10 attacks, the adversary also used a WinVNC server to gain remote access to victim systems.
On infiltrated networks, the attacker additionally installed the Sodamaster backdoor, a tool thought to have been used solely by the Cicada threat group since at least 2020. Sodamaster runs in memory and can evade detection by checking the registry for signs of a sandbox environment or by delaying its execution.
The malware can also gather information about the system, enumerate running processes, and download and run payloads from its command-and-control server.