VLC Media Player May Not Be Safe From Hackers

VLC has long been a popular choice for playing almost any audio or video format on multiple platforms. However, a Chinese hacking group has been abusing the program to deliver malicious software, so a copy of VLC obtained from an untrusted source may not be safe for your computer.

A Chinese hacking group known as Cicada (also tracked as Stone Panda or APT10) has reportedly been using VLC on Windows systems to spy on government agencies and other high-level organizations. The group has also targeted NGOs, legal agencies, and religious organizations across the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, Japan, and Italy.

Symantec, an industry leader in cybersecurity, reports that the attackers take a clean copy of VLC and place a malicious file alongside it so that the player loads it through its export functions, then use a VNC remote-access server to take full control of the compromised system. Additional tooling, such as the group's exclusive fileless Sodamaster backdoor or other custom loaders, is then installed on the compromised machine; Sodamaster can search the targeted system for files, download and run further malicious programs, and obfuscate its communications.
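The pattern Symantec describes, a legitimate VLC binary loading a file dropped beside it, is something a defender can look for in endpoint image-load telemetry. The Python below is an added example written for this article, not code from ProPakistani or Symantec: it flags loads where vlc.exe runs outside its expected install directory and pulls a DLL from its own folder, ranking unsigned DLLs highest. The event records, field names and trusted install directories are all constructed assumptions, not any product's schema.

```python
from pathlib import PureWindowsPath

# Constructed image-load records (not real telemetry). Each one says which
# process loaded which DLL and whether that DLL carried a valid signature.
# The field names are an assumption of this example, not any product's schema.
SAMPLE_EVENTS = [
    # A normal load from the real install location.
    {"image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "loaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll",
     "signed": True},
    # A copied player in a user folder loading an unsigned DLL next to itself:
    # the side-loading pattern described in the article.
    {"image": r"C:\Users\alice\Downloads\vlc\vlc.exe",
     "loaded": r"C:\Users\alice\Downloads\vlc\libvlc.dll",
     "signed": False},
    # A system DLL: expected for any process, never flagged.
    {"image": r"C:\Users\alice\Downloads\vlc\vlc.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll",
     "signed": True},
    # Same copied player loading a signed DLL from its own folder: still
    # unusual, but less alarming than an unsigned one.
    {"image": r"C:\Users\alice\Downloads\vlc\vlc.exe",
     "loaded": r"C:\Users\alice\Downloads\vlc\libvlccore.dll",
     "signed": True},
]

# Directories where a legitimately installed VLC is expected to live
# (assumed defaults; adjust to the environment's software inventory).
TRUSTED_INSTALL_DIRS = (
    r"C:\Program Files\VideoLAN",
    r"C:\Program Files (x86)\VideoLAN",
)


def _norm(path: str) -> PureWindowsPath:
    """Lower-case the path so comparisons are case-insensitive like NTFS."""
    return PureWindowsPath(path.lower())


def _is_under(path: PureWindowsPath, roots) -> bool:
    """True if path lies beneath any of the given root directories."""
    for root in roots:
        try:
            path.relative_to(_norm(root))
        except ValueError:  # not under this root
            continue
        return True
    return False


def side_load_candidates(events, trusted_dirs=TRUSTED_INSTALL_DIRS):
    """Return loads where vlc.exe, running outside its trusted install
    location, pulls a DLL from its own directory."""
    hits = []
    for ev in events:
        image = _norm(ev["image"])
        loaded = _norm(ev["loaded"])
        if image.name != "vlc.exe":
            continue
        same_dir = loaded.parent == image.parent
        if not same_dir or _is_under(image, trusted_dirs):
            continue
        hits.append({
            "process": ev["image"],
            "dll": ev["loaded"],
            # An unsigned DLL beside a relocated signed binary is the
            # strongest signal; a signed one still merits a look.
            "severity": "medium" if ev["signed"] else "high",
        })
    return hits


if __name__ == "__main__":
    for hit in side_load_candidates(SAMPLE_EVENTS):
        print(f"[{hit['severity']}] {hit['process']} loaded {hit['dll']}")
```

The rule deliberately ignores what the DLL is called, because a side-loaded library takes the name the player expects; the signal is where the executable lives, where the DLL comes from, and whether it is signed. In a real deployment the trusted directory list would come from the organization's software inventory rather than the assumed defaults used here.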

Symantec believes the attacks began last year, after unpatched Microsoft Exchange server vulnerabilities were exploited, and may still be ongoing. In an official blog post, Symantec states:

While Cicada has been linked to espionage-style operations dating back to 2009, the earliest activity in this current campaign occurred in mid-2021, with the most recent activity seen in February 2022, so this is a long-running attack campaign that may still be ongoing.

The attacks are most likely espionage operations; Symantec confirms that Cicada has previously targeted the defense, aviation, shipping, biotechnology, and energy sectors. Symantec writes:

Cicada’s initial activity several years ago was heavily focused on Japanese-linked companies, though in more recent times it has been linked to attacks on managed service providers (MSPs) with a more global footprint. However, this campaign does appear to indicate a further widening of Cicada’s targeting.

The cybersecurity firm also reports that tools such as RAR archivers, system and network discovery utilities, WMIExec, and NBTScan were used in the campaign. In some cases the attackers spent up to nine months inside a victim's network. Symantec states:

This is a long-running campaign from a sophisticated and experienced nation-state-backed actor that may still be ongoing, as the most recent activity we saw in this campaign was in February 2022. The targeting of multiple large organizations in different geographies at the same time would require a lot of resources and skills that are generally only seen in nation-state-backed groups, and shows that Cicada still has a lot of firepower behind it when it comes to its cyber activities.
