Cicada: Chinese hackers abuse the VLC player for espionage via DLL side-loading, among other things

Security researchers from Symantec have tracked down an espionage campaign that has been running for years by the group known as Cicada. This Chinese state-affiliated hacker group abuses legitimate applications such as the VLC media player to load malware onto systems via DLL side-loading. The goal is to spy on the systems of victims working in the government, legal, religious and non-governmental (NGO) sectors on at least three continents.



I first saw the reference at Bleeping Computer, but during my research came across the following tweet from @BrigidOGorman of Ireland, which links to this Symantec post.

Cicada: Chinese APT Group Espionage Activity

The victims of the Cicada campaign, which Symantec attributes to the Chinese state-backed APT group Cicada (Advanced Persistent Threat; also known as menuPass, Stone Panda, Potassium, APT10 and Red Apollo), include government, legal, religious and non-governmental organizations (NGOs) in several countries across Europe, Asia and North America. Security researchers are surprised by the large number of targets in this campaign and their geographic spread. Cicada's initial activity several years ago focused heavily on companies with ties to Japan, while more recent attacks have targeted managed service providers (MSPs) with a more global presence. This campaign, however, seems to indicate that Cicada is expanding its range of targets.

Cicada has been linked to espionage-like operations dating back to 2009. The earliest activity in the currently ongoing campaign was detected in mid-2021. The most recent activity was observed in February 2022, with the campaign running for a very long time and likely to continue, Symantec security researchers write.

Various tools are used

Once the attackers have gained access to a victim's computer (for example via an email attachment), they deploy various tools. Among them are a custom loader (see also the explanations below) and the Sodamaster backdoor. The loader used in this current campaign was also seen in a previous Cicada attack.



Sodamaster is a known Cicada tool believed to be used exclusively by this group. It is a fileless malware that can perform multiple functions, including bypassing detection in a sandbox by searching for a registry key or delaying execution, listing the username, hostname and operating system of the targeted systems, searching for running processes, and downloading and executing additional payloads. It is also capable of obfuscating and encrypting the traffic it sends to its command-and-control (C&C) server. It is a powerful backdoor that Cicada has been using since at least 2020.

In the current campaign, the attackers also harvest credentials, among other things with a custom Mimikatz loader. This version of Mimikatz drops the mimilib.dll file to obtain plain-text credentials for any user who logs on to the compromised host, and ensures that this capability survives a reboot.

DLL side-loading attack vector

The group uses various attack methods; Symantec considers it likely, for example, that unpatched Microsoft Exchange servers are attacked. Once they have access to the target machine, the attackers also abuse the legitimate VLC media player. Different tools serve as attack or malware loaders. One method uses a custom loader, which the attackers launch via a VLC export function. They then use the WinVNC tool to remotely control the victims' machines.

Bleeping Computer spoke with Brigid O Gorman of the Symantec Threat Hunter team. O Gorman explained that the attacker uses a clean version of VLC together with a malicious DLL file placed in the same path as the media player's export functions. This technique is known as DLL side-loading and is often used by threat actors to load malware into legitimate processes and hide the malicious activity.

What is described here as DLL side-loading (see also here), I have often discussed in this blog under the term DLL hijacking. An attacker takes advantage of the fact that, when an application starts, Windows looks for the referenced DLLs first in the folder of the program file and only then in the Windows folders. If an attacker places a malicious DLL with the relevant name in the program folder, it is loaded instead of the intended Windows or program DLL. If the user runs the program with administrative rights, the malicious DLL executes with those rights without the user noticing anything.

This attack vector can be abused to inject malware into a system especially with portable applications or .exe installers. The search path for DLL loading can be specified by the software developer, but the standard Microsoft linkers and build tools do not take this into account. And requests to please make sure that DLL hijacking is not possible usually come to nothing (if I bring up the topic here in the blog, in the worst case I get scolded). Even Microsoft's own developers regularly commit this lapse (see Sysinternals Disk2vhd v2.02 released), although internal best-practice documents state precisely that DLL hijacking is to be avoided.

Currently, however, it is still unclear to me in the above context how malware can obtain administrator rights via the VLC player by DLL side-loading. There must be write access to the VLC player's program folder. With a portable version, however, one will not start the player with administrator rights. Only the case where a VLC player installer is rolled out as an .exe file and the malicious DLL is placed in the download folder would allow administrative privileges.
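To make the search-order argument above concrete, here is a small added model (not code from the original post, from Symantec or from VideoLAN) of the default Windows DLL search order. It resolves each imported DLL name the way the loader would and flags the names that end up being taken from a user-writable folder instead of a Windows system folder, which is the situation DLL side-loading relies on. The directories, file names (player.exe, libplayer.dll, sysshim.dll) and the "portable versus installed" scenario are constructed test data and are not the DLL names from the Cicada campaign; the KnownDLLs list is a small subset of the real one.

```python
"""Added example: model the default Windows DLL search order and flag
DLL names that an application would load from a user-writable folder.
All directories and file names are constructed test data."""
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set, Tuple

SYSTEM_DIR = r"C:\Windows\System32"
SYSTEM16_DIR = r"C:\Windows\System"
WINDOWS_DIR = r"C:\Windows"
TRUSTED_DIRS = {SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR}

# Small subset of the KnownDLLs list (HKLM\SYSTEM\CurrentControlSet\Control\
# Session Manager\KnownDLLs). Windows always maps these from System32, so a
# copy planted in the application folder is ignored for them.
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "advapi32.dll", "ntdll.dll"}

# Stand-in for the file system so the example runs anywhere:
# directory path -> set of file names in that directory (constructed).
FileSystem = Dict[str, Set[str]]


def _norm(path: str) -> str:
    """Canonical, case-insensitive form of a Windows path for comparisons."""
    return str(PureWindowsPath(path)).lower()


def _has(fs: FileSystem, directory: str, name: str) -> bool:
    return name.lower() in {f.lower() for f in fs.get(directory, set())}


def search_order(app_dir: str, cwd: str, path_dirs: List[str]) -> List[str]:
    """Directories in the order the loader consults them with SafeDllSearchMode
    enabled (the default): application folder first, Windows folders next,
    then the current directory and finally the PATH entries."""
    return [app_dir, SYSTEM_DIR, SYSTEM16_DIR, WINDOWS_DIR, cwd, *path_dirs]


def resolve_dll(name: str, fs: FileSystem, app_dir: str, cwd: str,
                path_dirs: List[str]) -> Optional[str]:
    """Full path the loader would pick for `name`, or None if not found."""
    if name.lower() in KNOWN_DLLS:
        return str(PureWindowsPath(SYSTEM_DIR) / name)
    for directory in search_order(app_dir, cwd, path_dirs):
        if _has(fs, directory, name):
            return str(PureWindowsPath(directory) / name)
    return None


def sideload_candidates(imports: List[str], fs: FileSystem, app_dir: str,
                        cwd: str, path_dirs: List[str],
                        writable_dirs: Set[str]) -> List[Tuple[str, str, str]]:
    """(name, resolved path, reason) for every import that would be loaded
    from a user-writable, non-Windows folder. A name that also exists in a
    Windows folder is the classic shadowing case; a name that exists only in
    the application folder is an app-private DLL that could be replaced."""
    trusted = {_norm(d) for d in TRUSTED_DIRS}
    writable = {_norm(d) for d in writable_dirs}
    flagged: List[Tuple[str, str, str]] = []
    for name in imports:
        chosen = resolve_dll(name, fs, app_dir, cwd, path_dirs)
        if chosen is None:
            continue
        chosen_dir = _norm(str(PureWindowsPath(chosen).parent))
        if chosen_dir in trusted or chosen_dir not in writable:
            continue
        shadows = any(_has(fs, d, name) for d in TRUSTED_DIRS)
        reason = ("shadows a Windows DLL" if shadows
                  else "application-private DLL in a writable folder")
        flagged.append((name, chosen, reason))
    return flagged


def demo() -> Dict[str, List[Tuple[str, str, str]]]:
    """Constructed scenario: the same program run portably from the user's
    Downloads folder versus installed under Program Files (admin-only write)."""
    portable_dir = r"C:\Users\alice\Downloads\player"
    installed_dir = r"C:\Program Files\player"
    fs: FileSystem = {
        portable_dir: {"player.exe", "libplayer.dll", "sysshim.dll"},
        installed_dir: {"player.exe", "libplayer.dll"},
        SYSTEM_DIR: {"kernel32.dll", "sysshim.dll"},
    }
    imports = ["kernel32.dll", "libplayer.dll", "sysshim.dll"]
    writable = {portable_dir, r"C:\Users\alice"}  # what the user may write to
    cwd = r"C:\Users\alice"
    path_dirs = [SYSTEM_DIR]
    return {
        "portable": sideload_candidates(imports, fs, portable_dir, cwd, path_dirs, writable),
        "installed": sideload_candidates(imports, fs, installed_dir, cwd, path_dirs, writable),
    }


if __name__ == "__main__":
    for scenario, hits in demo().items():
        print(scenario, hits or "nothing flagged")
```

The portable run flags both DLLs (the app-private libplayer.dll and sysshim.dll, which shadows the System32 copy), while the installed copy flags nothing, because its folder is not user-writable and the KnownDLL kernel32.dll is never taken from the application folder. On a real host the same idea is applied by watching which folder a signed program actually loads its DLLs from (for example with Sysmon image-load events) and by developers calling SetDefaultDllDirectories or LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32 so that the application folder is not searched first for system DLLs.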

Other tools used in this attack campaign are:

  • RAR archiving tool – can be used to compress, encrypt or archive files, probably for exfiltration. 
  • System/Network Discovery – a way for attackers to find out which systems or services are connected to an infected computer.
  • WMIExec – Microsoft command line tool used to execute commands on remote computers.
  • NBTScan – an open-source tool that has been observed to be used by APT groups for internal reconnaissance of an infected network.

The victims of this campaign appear to be primarily government-related entities or NGOs (non-governmental organizations), with some of these organizations operating in the education and religious sectors. There have also been victims in the telecommunications, legal, and pharmaceutical sectors.

Victims are spread across a variety of regions, including the U.S., Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy. However, there is currently only one (discovered) victim in Japan, which is noteworthy. This is because Cicada had focused heavily on Japanese companies in the past. The attackers stayed on some victims' networks for up to nine months.

Similar articles:
Sysinternals Disk2vhd v2.02 released
AdwCleaner 8.0.6 closes again a DLL hijacking vulnerability
DLL hijacking vulnerabilities in Nirsoft tools
Realtek closes a DLL Hijacking Vulnerability in HD Audio driver



One Response to Cicada: Chinese hackers abuse the VLC player for espionage via DLL side-loading, among other things

  1. EP says:

    recently posted on ghacks.net – "Symantec says that hackers distributed a modified version of VLC and exploited it for malware attacks"
    https://www.ghacks.net/2022/04/11/symantec-says-that-hackers-distributed-a-modified-version-of-vlc-and-exploited-it-for-malware-attacks/
