Symantec says that hackers distributed a modified version of VLC and exploited it for malware attacks
Last week, news began circulating that hackers were abusing VLC to inject malware. The issue came to light after Symantec published a report on its Security Threat Intelligence blog.
The Broadcom-owned company, which makes Norton Antivirus, revealed that a group of hackers, which it claims is affiliated with the Chinese government, has been conducting cyber-espionage campaigns targeting organizations across the world.
Symantec says that the campaign primarily targeted government-related institutions and NGOs in the education, religion, telecom, legal and pharmaceutical sectors. The malware attack campaign, called Cicada or APT10, was first tracked last year; it was active in February 2022 and could still be ongoing. Attackers gain access to victim machines through unpatched Microsoft Exchange Server deployments. The hackers use various tools in addition to a custom loader and a backdoor called Sodamaster.
Hackers distributed a modified version of VLC to use it for triggering a custom malware loader
One of these tools is a modified version of the popular open source media player, VLC. Symantec's Security Threat Intelligence blog mentions the following statement.
"The attackers also exploit the legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and use the WinVNC tool for remote control of victim machines."
The wording of this statement is confusing, and some blogs misinterpreted it, writing that VLC is vulnerable and that hackers are using it to launch malware attacks. That is not correct: VLC is not the cause of these malware attacks, as those websites allege. The rest of the report has to be read in context.
The second section of the report (highlighted in the image) mentions that the attackers needed access to the victim machines before they could launch the malware. This was confirmed by a member of Symantec's Threat Hunter Team in a statement to Bleeping Computer. They said that the hackers took a clean copy of VLC, added a malicious DLL file to it and distributed it, a technique known as DLL side-loading. The file is placed in the same folder as the export function's path and is used by the attackers to launch a custom malware loader.
So there are at least two requirements for this attack to happen: an already compromised system, and a modified version of VLC (alongside the other tools that were used).
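As an added illustration (not code from the article or from Symantec's report), here is a defender's check for the side-loading pattern described above: every DLL and EXE under an install folder is compared against a manifest of expected file hashes, so a dropped or altered DLL stands out. The folder layout, file names and manifest in `demo()` are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in 64 KiB chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_install_dir(install_dir: str, manifest: dict) -> dict:
    """Compare every .dll/.exe under install_dir with a manifest of
    expected relative paths -> SHA-256. Returns files not in the manifest
    (candidate side-loaded DLLs) and listed files whose hash changed."""
    unexpected, modified = [], []
    for root, _dirs, files in os.walk(install_dir):
        for name in files:
            if not name.lower().endswith((".dll", ".exe")):
                continue
            full = os.path.join(root, name)
            rel = os.path.relpath(full, install_dir).replace(os.sep, "/")
            if rel not in manifest:
                unexpected.append(rel)
            elif manifest[rel] != sha256_of(full):
                modified.append(rel)
    return {"unexpected": sorted(unexpected), "modified": sorted(modified)}


def demo() -> dict:
    """Constructed scenario: a fake install folder with a player binary and
    two DLLs; one DLL is then patched and an unlisted DLL is dropped."""
    d = tempfile.mkdtemp()
    files = {"vlc.exe": b"player", "libvlc.dll": b"clean",
             "plugins/codec.dll": b"codec"}
    manifest = {}
    for rel, data in files.items():
        p = os.path.join(d, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
        manifest[rel] = sha256_of(p)          # "known good" baseline
    with open(os.path.join(d, "libvlc.dll"), "wb") as f:
        f.write(b"patched")                  # tampered listed file
    with open(os.path.join(d, "dropped.dll"), "wb") as f:
        f.write(b"unlisted")                 # simulated side-loaded DLL
    return audit_install_dir(d, manifest)
```

A real manifest would come from a clean install of the same release; the check cannot say what a flagged DLL does, only that it is not part of the expected set.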
Is VLC safe to use?
Yes, it is. As long as you download VLC from the official website (or a trustworthy site), your computer should be safe from malware, because the official release does not contain the malicious DLL file used in these attacks.
When you download a program from a third-party site, and that site has quietly embedded extra files in the package, it is no longer an official release from the developer; it is a modified version that could be malicious. When such files circulate, the people who use them are at risk. Hackers use tricks such as malvertising, for example using a popular program's icon to convince people that they are downloading the original file, when in fact they are downloading malware that could infect their system and even spread to other users.
If you are worried that a program you have may have been tampered with, you can upload the installer to an online service like VirusTotal to check it. Another option is to compute the installer's hash and compare it with the checksum of the official release; VLC, for example, lists hash values on its archive site. Keep your operating system and antivirus software up to date, and use an ad blocker like uBlock Origin to minimize the chances of malware attacks.
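An added example of the checksum comparison just described, not code from the article or from VideoLAN: it parses a sha256sum-style checksum list (assumed format, one `<hex digest>  <filename>` entry per line) and compares the installer's own digest against the entry for its file name. The installer name and the "published" digest in `demo()` are constructed stand-ins.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum-style lines ('<64 hex chars>  <filename>') into
    {filename: digest}. A leading '*' (binary-mode marker) is stripped;
    malformed lines are ignored."""
    expected = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and len(parts[0]) == 64:
            expected[parts[1].lstrip("*")] = parts[0].lower()
    return expected


def verify_download(path: str, sums_text: str) -> bool:
    """True only if the file name is in the published list AND its SHA-256
    matches. A missing entry is a failure, not an 'unknown'."""
    expected = parse_sha256sums(sums_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_of(path), expected[name])


def demo(tampered: bool = False) -> bool:
    """Constructed scenario: a stand-in installer whose published digest is
    sha256(b'abc'); the tampered variant has different bytes, same name."""
    d = tempfile.mkdtemp()
    name = "vlc-installer-demo.exe"   # placeholder name, not a real release
    path = os.path.join(d, name)
    with open(path, "wb") as f:
        f.write(b"tampered" if tampered else b"abc")
    sums = ("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"
            "  " + name)
    return verify_download(path, sums)
```

The checksum list itself must come from the vendor's site over HTTPS (or be checked against the vendor's PGP signature); a hash fetched from the same third-party mirror as the installer proves nothing.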
Shouldn’t it be easier to center the efforts on the malware DLL file in order to identify the problem itself? Thanks @Ashwin for the article! :]
Yeah, Symantec’s article doesn’t explain it well. Modified-VLC + malicious DLL file are just one of the post-access tools that the hackers used, but they didn’t even bother to mention it in their paper.
I wrote this article in response to some blogs claiming VLC is insecure and that it is the center of these malware attacks.
Thanks @Ashwin for the explanation! :]
And no mention of which DLL file to look out for, GREAT journalism.
You should never use any adblocking in your browser and always trust google/bing to show you the best and safest sites to get software, like download.com. Also, always leave all pre-checked options on while the installer is running, to ensure you get everything. Ignore any warnings, it’s just common silliness by the installer.
> You should never use any adblocking in your browser and always trust google/bing to show you the best and safest sites to get software, like download.com. Also, always leave all pre-checked options on while the installer is running, to ensure you get everything. Ignore any warnings, it’s just common silliness by the installer.
@Fox is right.
The biggest problem that runs through all of this is the ignorance and apathy of the end user. We need to learn to “Don’t rely on something”. In short, end-users themselves must self-learn and improve their knowledge and experience.
For determining the authenticity of downloaded files, I find checksum and hash matching indispensable.
Moreover, do not rely on VirusTotal.
In addition, “VoodooShield” is beneficial, which locks down the system and blocks all executable code.
“Unchecky”, which detects adware, is also helpful.
Observing, analyzing, and judging for oneself is a prerequisite.
“You should never use any adblocking in your browser and always trust google/bing to show you the best and safest sites to get software, like download.com. Also, always leave all pre-checked options on while the installer is running, to ensure you get everything. Ignore any warnings, it’s just common silliness by the installer.”
Are you being sarcastic or are you high?
Most people should use a verified by Mozilla ad-blocker. You shouldn’t trust Google or Bing to show you what you should trust, they’re probably just showing you advertisements. Download.com? Are you serious? I wouldn’t touch that with a pole.
Download.com’s history isn’t too bright:
IDK what you mean about pre-checked options (because it sounds like you use Windows) as I use the Linux version, and there is usually only one option once it is installed, and that’s either for album art or some other type of remote function.
Again, I hope you are being sarcastic, the information you provided is seriously flawed.
As the article mentions, download VLC from their website and if possible verify checksums and/or gpg/pgp signed files.
@Safety First obviously is sarcastic in saying all that.
Don’t listen to Safety First. You’ll get into trouble if you do as he told you.