Chinese hackers have been using a media player to launch attacks.
The hacker group is affiliated with the Chinese government and uses a popular video player to install malicious software.
The activity has been traced to a hacker group called Cicada, which is also known as menuPass, Stone Panda, and Red Apollo. Cicada has been active since at least 2006.
The malware gives the attackers broad visibility into a compromised machine: it can report details about the system, download files on command, and run processes. Stealthy attacks of this kind are not uncommon at large scale.
This campaign is thought to have been started for espionage. The targets involve a wide range of entities involved in legal, governmental, or religious activities. Non-governmental organizations have also been targeted. This activity has spread to entities across at least three continents.
The U.S., Hong Kong, India, Italy, and Canada are some of the targeted countries. Only one of the victims was from Japan, although Japan has been targeted by cyberattacks many times in the past. The attackers were able to maintain access to a machine for up to nine months.
The media player file itself was clean even though it was used to deploy malicious software. A malicious DLL file was placed in the same location as the legitimate version of the media player, so that the trusted application loaded it. This technique is known as DLL side-loading, and this is far from the only campaign in which it has been used.
The custom loader used in these attacks has been linked to Cicada in previous attacks. A Microsoft Exchange server was used to gain access to the networks that were breached, and a WinVNC server was used to establish remote control over the affected systems.
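As an added defensive illustration (not part of the original report or the campaign's tooling), the following check looks for the side-loading pattern described above: any DLL sitting beside a trusted executable that is missing from a known-good hash baseline, differs from it, or shares its name with a DLL in the system directory is flagged. The directories, file contents and baseline hashes are constructed for the demo.

```python
import hashlib
import os
import tempfile

def find_sideload_candidates(app_dir, baseline, system_dir):
    """Flag DLLs beside a trusted executable that are absent from the
    known-good baseline ({name: sha256}) or differ from it, noting when
    the name also shadows a DLL in system_dir (classic side-loading)."""
    system_dlls = {n.lower() for n in os.listdir(system_dir)
                   if n.lower().endswith(".dll")}
    findings = {}
    for name in os.listdir(app_dir):
        key = name.lower()
        if not key.endswith(".dll"):
            continue
        with open(os.path.join(app_dir, name), "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        if key not in baseline:
            reason = "not in baseline"
        elif baseline[key] != digest:
            reason = "hash differs from baseline"
        else:
            continue  # known-good DLL, nothing to report
        if key in system_dlls:
            reason += "; shadows a system DLL of the same name"
        findings[name] = reason
    return findings

def demo():
    """Constructed sample: one legitimate DLL, one planted DLL whose name
    shadows a system DLL (side-load candidate) and one tampered DLL."""
    root = tempfile.mkdtemp()
    app, sysd = os.path.join(root, "app"), os.path.join(root, "system32")
    os.makedirs(app); os.makedirs(sysd)
    files = {
        (sysd, "version.dll"): b"real system version.dll",
        (app, "codec.dll"): b"legit codec shipped with the player",
        (app, "version.dll"): b"planted loader DLL",
        (app, "ui.dll"): b"tampered ui library",
    }
    for (d, n), data in files.items():
        with open(os.path.join(d, n), "wb") as f:
            f.write(data)
    baseline = {  # hashes an operator would record from a clean install
        "codec.dll": hashlib.sha256(b"legit codec shipped with the player").hexdigest(),
        "ui.dll": hashlib.sha256(b"original ui library").hexdigest(),
    }
    return find_sideload_candidates(app, baseline, sysd)
```

In practice the baseline would come from a clean installation of the player, and a signature check on each flagged file would be the natural next step.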
There's more to this malware than meets the eye. Sodamaster is stealthy malware that runs silently in system memory without writing any files to disk, and it can delay its execution at startup.
These attacks are dangerous, but not every user needs to be concerned. The media player itself was found to be clean, and the hackers appear to have a very targeted approach. It is still important to stay on top of security where PCs are concerned.
The information was reported by Bleeping Computer. The cyberattacks may have started in mid-2021 and continued into February 2022. It is possible that this threat continues to this day.