Symantec says that hackers distributed a modified version of VLC and exploited it for malware attacks

Ashwin
Apr 11, 2022
Security

Last week, news began circulating that VLC was being abused by hackers to deliver malware. The issue came to light after Symantec published a report on its Security Threat Intelligence blog.

Hackers distributed a modified version of VLC to launch a malware attack

The Broadcom-owned company, which makes Norton Antivirus, revealed that a group of hackers, which it claims is affiliated with the Chinese government, has been conducting cyber-espionage campaigns targeting organizations across the world.

Symantec says that the campaign primarily targeted victims in government-related institutions or NGOs in the education and religion, telecom, legal and pharmaceutical sectors. The malware attack campaign, called Cicada or APT10, was first tracked last year. It was active in February 2022 and could still be ongoing. The attackers gain access to victim machines through unpatched Microsoft Exchange Server deployments. They use various tools in addition to a custom loader and a backdoor called Sodamaster.


Hackers distributed a modified version of VLC to use it for triggering a custom malware loader

One of these tools is a modified version of the popular open source media player, VLC. Symantec's Security Threat Intelligence blog contains the following statement.

"The attackers also exploit the legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and use the WinVNC tool for remote control of victim machines."

This statement's wording is quite confusing, and it was misinterpreted by some blogs, which wrote that VLC is vulnerable and that hackers are using it to launch malware attacks. This is not correct: VLC is not the cause of these malware attacks, as those websites allege. The rest of the report has to be read in context.

The second section of the report (highlighted in the image) mentions that the attackers needed access to the victim machines before they could launch the malware attack. This was confirmed by a member of Symantec's Threat Hunter Team in a statement released to Bleeping Computer. They said that the hackers took the clean version of VLC, added a malicious DLL file to it and distributed it, i.e. DLL side-loading. This file is located in the same folder as the export function's path, and is used by the attackers to launch a custom malware loader.

So it is evident that there are at least two requirements for this attack to succeed: a compromised system, and a modified version of VLC (alongside the other tools that were used).
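The side-loading described above works because a DLL dropped into the application's own folder is loaded by the legitimate, signed executable. One way a defender can spot that is to compare the DLLs present in an install directory against a baseline of what the vendor actually ships. The following is an added example, not code from Symantec or the VLC project: the install tree, the file contents and the baseline digests are all constructed for the demonstration, and the function names are hypothetical.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 hex digest of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_unexpected_dlls(install_dir, baseline):
    """Inventory the DLLs under install_dir against a baseline.

    baseline maps a path relative to install_dir (POSIX separators) to the
    SHA-256 digest of the vendor's copy of that DLL.

    Returns {'unknown': [...], 'modified': [...]}:
      unknown  - DLLs next to the executable that the baseline never listed;
                 a DLL the vendor did not ship is the hallmark of side-loading
      modified - baseline DLLs whose digest no longer matches
    """
    install_dir = Path(install_dir)
    findings = {"unknown": [], "modified": []}
    for p in sorted(install_dir.rglob("*")):
        if not p.is_file() or p.suffix.lower() != ".dll":
            continue
        rel = p.relative_to(install_dir).as_posix()
        if rel not in baseline:
            findings["unknown"].append(rel)
        elif sha256_of(p) != baseline[rel]:
            findings["modified"].append(rel)
    return findings


def build_demo_install():
    """Constructed install tree: one clean DLL, one tampered DLL, one extra DLL.

    Every file here is a placeholder byte string, not a real binary. The
    baseline is built from what the 'vendor' supposedly shipped, so the
    tampered plugin and the extra DLL should both be reported.
    """
    root = Path(tempfile.mkdtemp(prefix="vlc_demo_"))
    (root / "vlc.exe").write_bytes(b"constructed placeholder executable")
    (root / "libvlc.dll").write_bytes(b"constructed clean library")
    (root / "plugins").mkdir()
    (root / "plugins" / "libcodec.dll").write_bytes(b"constructed TAMPERED library")
    (root / "extra.dll").write_bytes(b"constructed file not in baseline")
    baseline = {
        "libvlc.dll": hashlib.sha256(b"constructed clean library").hexdigest(),
        "plugins/libcodec.dll": hashlib.sha256(b"constructed original library").hexdigest(),
    }
    return root, baseline


if __name__ == "__main__":
    demo_root, demo_baseline = build_demo_install()
    print(find_unexpected_dlls(demo_root, demo_baseline))
```

In practice the baseline would come from a hash of a known-good installation or from vendor-published checksums; the point of the check is that a DLL not in the baseline is what deserves attention, regardless of what it is named.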

Is VLC safe to use?

Yes, it is. As long as you download VLC from the official website (or a trustworthy site), your computer should be safe from this malware, because the official release does not contain the malicious DLL file used in these attacks.

When you download a program from a third-party site, and that website has stealthily embedded extra files into the package, it is no longer an official release from the developer. It becomes a modified version that could potentially be malicious. When such files get circulated, the people who use them are at risk of attack. Hackers use various tricks, such as malvertising, to achieve this: for example, using a popular program's icon to convince people that they are downloading the original file, when in fact they are downloading malware that could infect their system and even spread to other users.

If you are worried that a program you have could have been tampered with, you may want to upload the installer to an online service like VirusTotal to confirm that it is safe to use. Another option is to compute the installer's hash and check that it matches the checksum of the official release; VLC, for example, lists its hash values on its archive site. Keep your operating system and antivirus software up-to-date, and use an ad blocker like uBlock Origin to minimize the chances of malware attacks.
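The checksum comparison suggested above, written out as an added example (not the article's or the VLC project's own code): it parses a sha256sum-style list like the ones vendors publish, hashes the downloaded installer, and only reports success when the file name is listed and the digest matches. The installer bytes, file names and checksum list below are all constructed for the demonstration, and the function names are hypothetical.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_file(path) -> str:
    """SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse 'sha256sum'-style lines: '<hex>  <name>' or '<hex> *<name>' (binary mode).

    Blank lines and '#' comments are skipped; malformed lines are ignored
    rather than treated as a match for anything.
    """
    digests = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        digests[name.lstrip("*")] = digest.lower()
    return digests


def verify_download(path, sums_text: str) -> bool:
    """True only if the file's name is listed and its SHA-256 matches exactly.

    A file that is not listed at all is treated as unverified (False): the
    absence of a published digest is not evidence that a file is clean.
    """
    path = Path(path)
    expected = parse_sha256sums(sums_text).get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def build_demo():
    """Constructed inputs: a 'clean' installer, a same-named tampered copy, and a sums list."""
    clean_bytes = b"constructed installer bytes"
    tampered_bytes = b"constructed installer bytes plus an extra DLL"
    good = Path(tempfile.mkdtemp(prefix="vlc_dl_")) / "vlc-installer.exe"
    good.write_bytes(clean_bytes)
    tampered = Path(tempfile.mkdtemp(prefix="vlc_dl2_")) / "vlc-installer.exe"
    tampered.write_bytes(tampered_bytes)
    # The published list covers only the clean build (constructed digest).
    sums = f"{hashlib.sha256(clean_bytes).hexdigest()}  vlc-installer.exe\n"
    return good, tampered, sums


if __name__ == "__main__":
    good_path, tampered_path, sums_list = build_demo()
    print("clean:", verify_download(good_path, sums_list))
    print("tampered:", verify_download(tampered_path, sums_list))
```

The comparison is only as trustworthy as the checksum list itself: fetch it from the vendor's site over HTTPS, not from the same third-party page that served the installer, since a site that repackages the program can publish matching digests for its own copy. Where the vendor also signs the checksum list with GPG, verifying that signature closes this gap.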

Publisher: Ghacks Technology News

Comments

  1. John G. said on April 11, 2022 at 2:37 pm
    Reply

    Shouldn’t it be easier to center the efforts on the malware DLL file in order to identify the problem itself? Thanks @Ashwin for the article! :]

    1. Ashwin said on April 11, 2022 at 2:47 pm
      Reply

      Yeah, Symantec’s article doesn’t explain it well. Modified-VLC + malicious DLL file are just one of the post-access tools that the hackers used, but they didn’t even bother to mention it in their paper.

      I wrote this article in response to some blogs claiming VLC is insecure and that it is the center of these malware attacks.

      1. John G. said on April 12, 2022 at 5:56 pm
        Reply

        Thanks @Ashwin for the explanation! :]

  2. wtf said on April 11, 2022 at 6:27 pm
    Reply

    And no mention of which DLL file to look out for, GREAT journalism.

  3. Safety First said on April 11, 2022 at 8:13 pm
    Reply

    You should never use any adblocking in your browser and always trust google/bing to show you the best and safest sites to get software, like download.com. Also, always leave all pre-checked options on while the installer is running, to ensure you get everything. Ignore any warnings, it’s just common silliness by the installer.

    1. owl said on April 12, 2022 at 11:00 am
      Reply

      @Safety First,
      > You should never use any adblocking in your browser and always trust google/bing to show you the best and safest sites to get software, like download.com. Also, always leave all pre-checked options on while the installer is running, to ensure you get everything. Ignore any warnings, it’s just common silliness by the installer.

      @Fox is right.
      https://www.ghacks.net/2022/04/11/symantec-says-that-hackers-distributed-a-modified-version-of-vlc-and-exploited-it-for-malware-attacks/#comment-4519225

      The biggest problem that runs through all of this is the ignorance and apathy of the end user. We need to learn to “Don’t rely on something”. In short, end-users themselves must self-learn and improve their knowledge and experience.
      For determining the authenticity of downloaded files, I find checksum and hash matching indispensable.
      Moreover, do not rely on VirusTotal.
      https://www.ghacks.net/2022/04/04/recover-windows-and-program-passwords-with-extpassword/#comment-4518862

      In addition, “VoodooShield” is beneficial, which locks down the system and blocks all executable code.
      https://www.ghacks.net/2022/04/02/microsoft-update-catalog-downloads-are-now-using-https/#comment-4518804
      “Unchecky”, which detects adware, is also helpful.
      Observing, analyzing, and judging for oneself is a prerequisite.

  4. Fox said on April 12, 2022 at 6:18 am
    Reply

    @Safety First:

    “You should never use any adblocking in your browser and always trust google/bing to show you the best and safest sites to get software, like download.com. Also, always leave all pre-checked options on while the installer is running, to ensure you get everything. Ignore any warnings, it’s just common silliness by the installer.”

    Are you being sarcastic or are you high?

    Most people should use a Mozilla-verified ad blocker. You shouldn’t trust Google or Bing to show you what you should trust, they’re probably just showing you advertisements. Download.com? Are you serious? I wouldn’t touch that with a pole.

    Download.com’s history isn’t too bright:

    https://en.wikipedia.org/wiki/Download.com#Malware_distribution

    IDK what you mean about pre-checked options (because it sounds like you use Windows) as I use the Linux version, and there is usually only one option once it is installed, and that’s either for album art or some other type of remote function.

    Again, I hope you are being sarcastic, the information you provided is seriously flawed.

    As the article mentions, download VLC from their website and if possible verify checksums and/or gpg/pgp signed files.

    1. Yash said on April 12, 2022 at 10:57 am
      Reply

      @Fox

      @Safety First obviously is sarcastic in saying all that.

  5. Anonymous said on April 24, 2022 at 3:01 pm
    Reply

    @Safety First

    Don’t listen to Safety First. You’ll get into trouble if you do as he said.
