Chinese Hackers Abuse VLC Media Player To Launch Malware Loader (bleepingcomputer.com)
Security researchers have uncovered a long-running malicious campaign from hackers associated with the Chinese government who are using VLC Media Player to launch a custom malware loader. BleepingComputer reports: The campaign appears to serve espionage purposes and has targeted various entities involved in government, legal, and religious activities, as well as non-governmental organizations (NGOs) on at least three continents. This activity has been attributed to a threat actor tracked as Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, Red Apollo) that has been active for more than 15 years, since at least 2006.
Brigid O Gorman of Symantec Threat Hunter Team told BleepingComputer that the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player's export functions. The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity. Apart from the custom loader, which O Gorman said Symantec does not have a name for but which has been seen in previous attacks attributed to Cicada/APT10, the adversary also deployed a WinVNC server to gain remote control over victim systems. The attacker also executed the Sodamaster backdoor on compromised networks, a tool believed to be used exclusively by the Cicada threat group since at least 2020.
Sodamaster runs in the system memory (fileless) and is equipped to evade detection by looking in the registry for clues of a sandbox environment or by delaying its execution. The malware can also collect details about the system, search for running processes, and download and execute various payloads from the command and control server. [...] The attackers' dwell time on the networks of some of the discovered victims lasted for as long as nine months, the researchers note in a report today.
Re: (Score:3)
Crashing your GPU isn't a vulnerability. It's a bug (VLC, driver or otherwise), an incompatibility or some other technical problem. A vulnerability would be you running VLC and enabling bad dude to use it to grab your data, run a cryptocurrency miner or ransom-encrypt your drive.
Also, true nerds only watch videos in ASCII art. No GPU involved.
Re:Exploits (Score:4, Informative)
No, causing hardware-level crashes is a vulnerability. While it is a bug too, it means software is able to put your hardware in an unexpected state, especially with, say, the GPU, which accesses a lot of its own memory and does processing. If it crashed, it may be prone to a type of buffer overflow attack, in which the attacker can access video RAM data, which on new systems is much more in-depth than just a screenshot, but a lot of extra unseen data as well.
Also, depending on the use of the system, the GPU can be used for some high-end computing that often exceeds the power of your CPU, due to massive parallelism. So you can have a process running on your GPU in the background that you might not pick up on right away.
Re: (Score:2)
I have the cathode rays shoot directly into my eyes.
Re:Exploits (Score:5, Insightful)
It's another poorly written slashdot title.
A more accurate article title would be something like:
"Chinese hackers abuse Windows dll side loading on a variety of programs to launch malware "
And the first sentence of the article should say something like "after using other means to access target machines, dlls are inserted into application folders to abuse Windows dll side loading to launch memory resident only malware."
The way the article title is written, people might think because they don't use VLC, they can't be affected by this, and that's wrong.
Re: (Score:3)
Again we are reminded of the joys of the steaming pile that is Windows.
You can't patch bad design and expect it to work.
Where from? (Score:5, Insightful)
Since the article is light on details, are these people modifying VLC from the main download page, or are they setting up mirrors with the sabotaged file? The article mentions VLC being on servers. Does this mean the group puts it on the server or is someone internally doing this and if so, why? Why would you put a media player on a server?
So many questions, so few answers.
What sort of question is that? (Score:4, Funny)
You're asking for facts? As if blaming "hackers" doesn't explain everything already?
What are you, some kind of nerd or something? How dare you ask for stuff that matters!
Re: (Score:2)
You leave your door unlocked, a robber goes into your house and steals stuff. The robber is caught. He is not going to win with the defense "well, the door was unlocked, so they deserved what they got."
I like to run bare servers, however there is one server I operate that needs Office, because there is functionality that uses Office's interop functionality. And management, having been tied to Microsoft for decades, thinks that is the right approach. Not being allowed to use all the other free, faster, more reliable, secure and b
Re: (Score:1)
And you care more about snarky responses than getting those answers you claimed to want to know.
From the article:
...the attacker uses a clean version of VLC with a malicious DLL file in the same path as the media player's export functions. The technique is known as DLL side-loading and it is widely used by threat actors to load malware into legitimate processes to hide the malicious activity.
"Clean version" meaning the official one. DLL injection is a known issue [wikipedia.org] with Windows. Basic stuff revolves around the search path [github.io] for DLLs.
Why VLC? Probably because it is a portable app and can be "installed" on Windows without using the installer, plus it can be run from a command line without interaction.
Re: (Score:1)
You're intentionally being obtuse. Yes, the article isn't diagramming out the individual steps, but the answers are there.
There is evidence that some initial access to some of the breached networks was through a Microsoft Exchange server, indicating that the actor exploited a known vulnerability on unpatched machines.
Researchers at Symantec, a division of Broadcom, found that after gaining access to the target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player.
The hackers installed it. Not just the DLL, but the entire VLC and DLL package. How'd it get to the targets? Known vulnerability on unpatched machines, most likely.
Re: (Score:2)
So VLC is not the one with a vulnerability, but Microsoft Exchange server is?
Re: (Score:2)
I read the article. The answers aren't there.
Re: (Score:2)
Hey, if you can quote me where they are, I'd love to see them.
Re:Where from? (Score:5, Insightful)
You're intentionally being obtuse. Yes, the article isn't diagramming out the individual steps, but the answers are there.
No, it's all very muddy. Using known apps as an attack vector is common, but it is not the case here, as they had already gained access via an Exchange exploit. At that point they could have installed literally anything. That they used that access to install a fresh copy of VLC and then a DLL to be sideloaded actually makes very little sense. What for? Who was expected to use that VLC on a server? Was this to distribute tainted copies of VLC to other machines? How?
These answers are not there, and without them the whole story is nonsensical. Besides, "VLC" shouldn't even be in the headline. If something is obtuse here, it's the article. Plus, you could use some manners too.
Re: (Score:2)
Given who the target is, and who the threat actor is, I think it's pretty safe to assume it's a watering hole attack of some kind.
Re: (Score:2)
How does the DLL end up in the windows DLL search path, though? That's what we all want to know. DLL injection is a feature, not an exploit.
Re: (Score:2)
The article mentions: "after gaining access to the target machine the attacker deployed a custom loader on compromised systems with the help of the popular VLC media player." So they get access to the machine first. At that point, you might be already compromised.
The loader based on VLC could be a way to simplify and obfuscate the insertion of the malware (for example, it is loaded when the legitimate user employs the application in a future time), but this is only speculation and it is not clear in the art
Re: (Score:2, Interesting)
Seems to be the classic dodgy download site attack. 90s era technology.
I'd also question their assumption that because the loader is used by one group, anything using that loader is likely from the same group. They steal/buy each other's tech all the time. In recent years we have seen a lot of NSA and CIA code being used in malware from other countries, who doubtless would claim that it was evidence that the US was behind the attacks.
Re:Where from? (Score:5, Informative)
The article is total shit because it has no reference or link to Symantec who is who actually uncovered the issue.
Here is the source:
https://symantec-enterprise-bl... [security.com]
Here is more details - basically the attack is based on a new DLL being dropped into the same path as VLC. Then the next time someone opens VLC, it will run this exploit. VLC does not need to be touched or modified.
What is described as DLL side-loading (see also here), I have often discussed here in the blog under the term DLL hijacking. An attacker takes advantage of the fact that Windows looks for the referenced DLLs first in the folder of the program file — and only then in the Windows folders — when starting an application. If an attacker places a malicious DLL with the relevant name in the program folder, it is loaded instead of the desired Windows or program DLL. If a program is assigned administrative rights by the user, the malicious DLL is executed with these rights without the user noticing anything.
This attack vector can be abused especially when using portable applications or .exe installers to inject malware into a system. The search path for DLL loading can be specified by the software developer. But the standard Microsoft linkers or tools used to build software do not take this into account. And the hints to please make sure that a DLL hijacking is not usable usually come to nothing (if I bring up the topic here in the blog, I get scolded in the worst case). Even Microsoft's developers are always up front about this lapse (see Sysinternals Disk2vhd v2.02 released) — even though there are internal best practice documents that state exactly that DLL hijacking is to be avoided.
Currently, however, it is still unclear to me in the above context how a malware can get administrator rights via the VLC player by DLL side-loading. There must be a write access right to the VLC player program folder. With a portable version one will not start the player however with administrator rights. Only the case where a VLC player installer is rolled out in the form of an .exe file and the malicious DLL is placed in the download folder allows administrative privileges.
Re: (Score:2)
And this is a DLL thing, so nothing to worry about (for people who do not use Windows and VLC) as well. Cool.
Which reminds me of the joke: 'Microsoft Outlook is a wonderful email and scheduling client, and a rich source to attack'.
Re: Where from? (Score:2)
FYI I just copy/pasted that from the source.
The way I would detect this is simple... Download VLC. See what DLLs are SUPPOSED to be there. Alert if any others show up.
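The baseline check proposed in this comment, combined with the search-order point from the DLL-hijacking comment above, as an added example that is not code from the article, Symantec or the VLC project. The manifests and the subset of system DLL names are constructed sample data; a real baseline comes from running build_manifest() against a freshly downloaded and verified VLC package.

```python
import hashlib
from pathlib import Path

# Constructed sample data (not real VLC hashes): a manifest taken from a
# clean install and the DLL listing observed on a host.
CLEAN_MANIFEST = {
    "libvlc.dll": "a" * 64,
    "libvlccore.dll": "b" * 64,
    "plugins/codec/libavcodec_plugin.dll": "c" * 64,
}
OBSERVED = {
    "libvlc.dll": "a" * 64,
    "libvlccore.dll": "b" * 64,
    "plugins/codec/libavcodec_plugin.dll": "c" * 64,
    "version.dll": "d" * 64,  # not shipped by the app; name matches a system DLL
}
# Constructed subset of DLL names that normally live in System32.
SYSTEM_DLL_NAMES = {"version.dll", "dbghelp.dll", "wtsapi32.dll"}


def build_manifest(app_dir):
    """Map every *.dll under app_dir (relative path, lowercase) to its SHA-256."""
    app_dir = Path(app_dir)
    return {
        p.relative_to(app_dir).as_posix().lower():
            hashlib.sha256(p.read_bytes()).hexdigest()
        for p in app_dir.rglob("*.dll")
    }


def audit_install(baseline, observed, system_dll_names=SYSTEM_DLL_NAMES):
    """Diff an observed install against the clean manifest.

    Returns DLLs not in the baseline, DLLs whose hash changed, and the subset
    of unexpected DLLs whose file name matches a system DLL. That last case is
    the side-loading pattern: Windows searches the application folder before
    System32, so a same-named DLL dropped next to the EXE wins.
    """
    unexpected = sorted(set(observed) - set(baseline))
    modified = sorted(n for n in observed if n in baseline and observed[n] != baseline[n])
    shadowing = [n for n in unexpected if Path(n).name in system_dll_names]
    return {"unexpected": unexpected, "modified": modified, "shadowing": shadowing}


def demo():
    return audit_install(CLEAN_MANIFEST, OBSERVED)


if __name__ == "__main__":
    for kind, names in demo().items():
        print(f"{kind}: {names or 'none'}")
```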
Re: (Score:2)
I find most articles about vulnerabilities are devoid of details. Cynical me thinks such articles are sponsored by anti-malware companies.
A few thoughts, not definitive:
- VLC can run as a streaming media server.
- speculating: media files can be constructed that cause the media player to demand load, including through network, a necessary dll (codec, format translator, etc.) which ends up containing the malware. If I'm right and this is the mechanism, it would be much safer if the player asks the user if t
Go West - Life is peaceful there (Score:1)
Let's keep relying on China regardless of what they keep continuing to do....
again and again...again and again...again and again...again and again...again and again...again and again...
Re: (Score:2)
The US Government never did anything dirty like this. They all have blue eyes and eat their momma's apple pie three times a day.
Re: (Score:2)
Your argument: those guys are bad, but our guys are just as bad or worse. Hence those guys are not so bad. Brilliant.
Re: (Score:2)
I love how people who've nothing useful to say insist on saying it anyhow.
probably known for years (Score:2)
I know that I've reported for years "threat detected" responses on VLC by Malwarebytes and I believe AVG.
I guess they weren't false positives?
Source of DLL? (Score:3)
Where does the compromised DLL come from? If the attacker can install DLLs in arbitrary directories it seems it is already game over whether the target is VLC or any other application.
Re: (Score:2)
It wouldn't surprise me if some IoT device brought it in as payload... There's cheap internet-connected lamps now and lots of vulnerable older devices like webcams.
Re: (Score:2)
No mention of Linux or MacOS in the article. To be fair, they do not mention Windows either, but they mention that "some initial access to some of the breached networks was through a Microsoft Exchange server", making me think that this article has a Microsoft-centered worldview.
But since it's in a DLL file, it's a pretty good assumption what OS it is on.
Re: (Score:2)
Xbox Series X/S, right?
Re: (Score:2)
Xbox Series X/S, right?
Commodore Vic 20.
Windows issue ... (Score:5, Informative)
...Not VLC - ...
Windows allows sideloading of DLLs
Windows allows the DLL to be put in the path
They found the attack was started via a known and unpatched bug in MS Exchange
They also found it used other programs as well as VLC including WMIExec a Microsoft tool
yeah, so what? (Score:3)
So the key component in this hack is "gaining access to the target".
If I have access to your machine, I own it. VLC is just one of eleventy-five million ways I could jack with it once I have access to it, so this is a non-story.
VLC One Small Component (Score:1)
"Other tools utilized in this attack campaign include: RAR archiving tool - can be used to compress, encrypt, or archive files, likely for exfiltration. System/Network discovery - a way for attackers to determine what systems or services are connected to an infected machine. WMIExec - Microsoft command-line tool that can be used to execute commands on remote computers. NBTScan - an open-source tool that has been observed being used by APT groups to conduct internal reconn
This article doesn't answer an important question (Score:2)
How does the DLL get installed into the VLC directory? Is the original installer compromised, or is there another mechanism that allows the DLL to get installed?