# Chinese hackers abuse VLC Media Player to launch malware loader **[bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/](https://www.bleepingcomputer.com/news/security/chinese-hackers-abuse-vlc-media-player-to-launch-malware-loader/)** Ionut Ilascu By [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) April 5, 2022 01:58 PM 1 Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader. The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents. This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006. ## Using VLC to deploy custom malware loader ----- The start of Cicada’s current campaign has been tracked to mid-2021 and was still active in February 2022. Researchers say that this activity may continue today. There is evidence that some initial access to some of the breached networks was through a Microsoft Exchange server, indicating that the actor exploited a known vulnerability on unpatched machines. [Researchers at Symantec, a division of Broadcom, found that after gaining access to the](https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks) target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player. Brigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player's export functions. The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity. Apart from the custom loader, which O Gorman said Symantec does not have a name but has been seen in previous attacks attributed to Cicada/APT10, the adversary also deployed a WinVNC server to gain remote control over victim systems. The attacker also executed the Sodamaster backdoor on compromised networks, a tool believed to be used exclusively by the Cicada threat group since at least 2020. Sodamaster runs in the system memory (fileless) and is equipped to evade detection by looking in the registry for clues of a sandbox environment or by delaying its execution. The malware can also collect details about the system, search for running processes, and download and execute various payloads from the command and control server. Several other utilities have been observed in this campaign include: RAR archiving tool - helps compress, encrypt, or archive files, likely for exfiltration System/Network discovery - a way for attackers to learn about the systems or services connected to an infected machine WMIExec - Microsoft command-line tool that can be used to execute commands on remote computers NBTScan - an open-source tool that has been observed being used by APT groups for reconnaissance in a compromised network The attackers’ dwell time on the networks of some of the discovered victims lasted for as long as nine months, the researchers note in a report today. ## A wider focus ----- Many of the organizations targeted in this campaign appear to be government-related or NGOs (involved in educational or religious activities), as well as companies in the telecommunications, legal, and pharmaceutical sectors. Symantec researchers highlight the wide geography of this Cicada campaign, which counts victims in the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. To note, only one victim is from Japan, a country that has been the focus of the Cicada group for many years. Compared to the previous targeting from this group, which focused on Japanese-linked companies, the victims in this campaign indicate that the threat actor has broadened its interest. While focused on Japanese-linked companies, Cicada has targeted in the past healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors. At least [two members of the APT10 threat group have been charged in the U.S. for](https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion) computer hacking activity to help the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau get intellectual property and confidential business information from managed service providers, U.S. government agencies, and over 45 technology companies. ## Related Articles: [BPFDoor: Stealthy Linux malware bypasses firewalls for remote access](https://www.bleepingcomputer.com/news/security/bpfdoor-stealthy-linux-malware-bypasses-firewalls-for-remote-access/) [Cyberspies use IP cameras to deploy backdoors, steal Exchange emails](https://www.bleepingcomputer.com/news/security/cyberspies-use-ip-cameras-to-deploy-backdoors-steal-exchange-emails/) [Trend Micro fixes bug Chinese hackers exploited for espionage](https://www.bleepingcomputer.com/news/security/trend-micro-fixes-bug-chinese-hackers-exploited-for-espionage/) [BPFDoor malware uses Solaris vulnerability to get root privileges](https://www.bleepingcomputer.com/news/security/bpfdoor-malware-uses-solaris-vulnerability-to-get-root-privileges/) [Hackers target Russian govt with fake Windows updates pushing RATs](https://www.bleepingcomputer.com/news/security/hackers-target-russian-govt-with-fake-windows-updates-pushing-rats/) [APT10](https://www.bleepingcomputer.com/tag/apt10/) [Backdoor](https://www.bleepingcomputer.com/tag/backdoor/) [China](https://www.bleepingcomputer.com/tag/china/) [Cicada](https://www.bleepingcomputer.com/tag/cicada/) [Microsoft Exchange](https://www.bleepingcomputer.com/tag/microsoft-exchange/) [VLC](https://www.bleepingcomputer.com/tag/vlc/) [VLC Media Player](https://www.bleepingcomputer.com/tag/vlc-media-player/) [Ionut Ilascu](https://www.bleepingcomputer.com/author/ionut-ilascu/) Ionut Ilascu is a technology writer with a focus on all things cybersecurity. The topics he writes about include malware, vulnerabilities, exploits and security defenses, as well as ----- research and innovation in information security. His work has been published by Bitdefender, Netgear, The Security Ledger and Softpedia. [Previous Article](https://www.bleepingcomputer.com/news/security/springshell-attacks-target-about-one-in-six-vulnerable-orgs/) [Next Article](https://www.bleepingcomputer.com/offer/deals/launch-your-own-wordpress-site-with-this-lifetime-hosting-deal/) ## Comments [noelprg4 - 1 month ago](https://www.bleepingcomputer.com/forums/u/1121194/noelprg4/) recently from GHacks.net - Symantec says that hackers distributed a modified version of VLC and exploited it for malware attacks: https://www.ghacks.net/2022/04/11/symantec-says-that-hackers-distributed-amodified-version-of-vlc-and-exploited-it-for-malware-attacks/ Post a Comment [Community Rules](https://www.bleepingcomputer.com/posting-guidelines/) You need to login in order to post a comment [Not a member yet? Register Now](https://www.bleepingcomputer.com/forums/index.php?app=core&module=global§ion=register) ## You may also like: -----