VLC media player is being hiajcked to send out malware

By Scott Marlette Last updated Jan 12, 2023

Cybercriminals have been discovered abusing the popular VLC multimedia player to deliver Cobalt Strike beacons to targets in Australia.

The campaign includes SEO poisoning and the Gootkit loader malware (opens in new tab) and targets victims searching for healthcare institutions in Australia.

The malware was discoverd by Trend Micro, with described how the threat actors created a malicious website, designed to look like a forum, where a user shared a healthcare-related agreement document template inside a ZIP archive, in response to a query.

“Poisoning” search engine results pages

Then, in order to get the website to rank high on Google, they “poisoned” the search engine results pages by adding the link to the malicious site to as many articles and social media posts online, as possible.

Whenever a website is heavily linked to, Google’s algorithm perceives it as authoritative and pushes it higher on its results pages. In this campaign, the researchers found the malicious website ranking highly for medical-related keywords such as “hospital”, “health”, “medical”, and “agreement” – paired with the names of cities in Australia.

Victims that fall for the trick and download the malicious ZIP archive onto their endpoints would actually get Gootkit loader components which later drop a PowerShell script that downloads more malware onto the target device. Among the files the loader grabs is a legitimate, signed copy of the VLC media player and a malicious DLL file that, when triggered, deploys the Cobalt Strike beacon.

The VLC media player file is shown as the Microsoft Distributed Transaction Coordinator (MSDTC) service. If the user runs it, VLC will look for the DLL file and run it, infecting the device in what’s generally known as a side-loading attack.

Cobalt Strike is a commercial pentesting tool allowing the user to deploy an agent named ‘Beacon’ on the victim machine. Cybercriminals use it to scan the target network, move laterally, steal passwords and other sensitive data, and deploy more devastating malware. Cobalt Strike beacons are often followed up with a ransomware attack.

Via: BleepingComputer (opens in new tab)

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – [email protected]. The content will be deleted within 24 hours.