Symantec says that hackers distributed a modified version of VLC and exploited it for malware attacks

Last week, news began circling around that VLC was being abused by hackers to inject some malware. The issue came to light after Symantec published a report on its Security Threat Intelligence blog.

The Broadcom-owned company, which makes Norton Antivirus, revealed that a group of hackers, which it claims are affiliated to the Chinese government, were conducting cyber-espionage campaigns targeting organizations across the world.

Symantec says that the campaign primarily targeted victims in government-related institutions or NGOs in education and religion, telecom, legal and pharmaceutical sectors. The malware attack campaign, called Cicada or APT10, was first tracked last year. It was active in February 2022, and could still be ongoing. Attackers are targeting victims via Microsoft Exchange Servers in unpatched system deployments, to gain access to their machines. The hackers use various tools in addition to a custom loader, and a backdoor called Sodamaster.

Hackers distributed a modified version of VLC to use it for triggering a custom malware loader

One of these tools is a modified version of the popular open source media player, VLC. Symantec's Security Threat Intelligence blog mentions the following statement.

"The attackers also exploit the legitimate VLC Media Player by launching a custom loader via the VLC Exports function, and use the WinVNC tool for remote control of victim machines."

This statement's wording is quite confusing, and was misinterpreted by some blogs, who wrote that VLC is vulnerable and that hackers are using it to launch malware attacks. This is not correct, VLC is not the reason for the malware attacks like these websites allege. The rest of the report should be taken into context.

The second section of the report (highlighted in the image) mentions that attackers needed access to the victim machines, before they could launch the malware attack.  This was confirmed by a member of Symantec's Threat Hunter Team, in a statement released to Bleeping Computer. They said that some hackers took the clean version of VLC, added a malicious DLL file to it and distributed it, aka DLL side-loading. This file is located in the same folder as the export function's path, and is used by the attackers to launch a custom malware loader.

So it is evident there are at least two different requirements for this attack to happen: a compromised system, and a modified version of VLC (among the other tools that were used).

Is VLC safe to use?

Yes, it is. As long as you download VLC from the official website (or a trustworthy site), your computer should be safe from malware, because it does not contain the malicious DLL File used in these attacks.

When you download a program from a third-party site, and that website had stealthily embedded some files into the package, it is no longer an official release from the developer. It becomes a modified version that could potentially be malicious. When such files get circulated, people who use them are at the risk of attacks. Hackers use various tricks such as malvertising, e.g. use a popular program's icon to convince people into thinking they are downloading the original file, while in fact they are downloading a malware that could infect their system, and could even spread to other users.

If you are worried whether a program that you have could have been tampered with, you may want to upload the installer to an online service like VirusTotal, to confirm that it is safe to use. Another option is to verify whether the hash values to see if the checksum matches that of the official release. e.g. VLC lists its hash values on its archive site. Keep your operating system and antivirus software up-to-date, and use an ad blocker like uBlock Origin to minimize the chances of malware attacks.

Symantec says that hackers distributed a modified version of VLC and exploited it for malware attacks