Project Hyphae

VLC=Virus Loading Controller

Chinese threat actor Cicada (a.k.a. menuPass, Stone Panda, Potassium, APT10, RedApollo) has been linked to a recent campaign that uses VLC Media Player to deploy malware on networks around the world. Targeting a range of organizations, Cicada typically gains initial access by exploiting unpatched vulnerabilities in Microsoft Exchange. Once inside, the group uses a technique called DLL side-loading: it drops a clean copy of VLC together with a malicious DLL placed in the same path as the export function the player loads, so the legitimate, trusted VLC process loads the attacker's DLL and runs the malware from inside that process.
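
Side-loading is easier to hunt for than the description above might suggest, because the trusted host process leaves a load event for the attacker's DLL. The script below is an added example, not code from the original post or from Symantec: it takes a handful of constructed Sysmon Event ID 7 (ImageLoaded) records, flattened to one line each, and flags loads by vlc.exe that are unsigned, signed by an unexpected publisher, read from a user-writable directory, or made by a vlc.exe that is running outside Program Files. The expected-signer table, directory patterns and sample log lines are assumptions chosen for illustration, not an authoritative allow-list for VLC.

```python
"""Hunt for DLL side-loading candidates in flattened Sysmon Event ID 7 records.

Added example; the records and expectations below are constructed for
illustration and are not the original post's or Symantec's data.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Which publisher we expect to sign the DLLs a given host process loads.
# Assumption for this example; real deployments would build this from
# an inventory of approved software.
EXPECTED_SIGNER = {
    "vlc.exe": "VideoLAN",
}

# Directories a legitimately installed application should not be loading
# libraries from (user profile and temp locations are attacker-writable).
SUSPICIOUS_DIR_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop|public)\\", re.I),
    re.compile(r"^c:\\(programdata|windows\\temp|temp)\\", re.I),
]
PROGRAM_FILES = re.compile(r"^c:\\program files( \(x86\))?\\", re.I)


@dataclass
class ImageLoad:
    image: str         # host process (full path) that performed the load
    image_loaded: str  # DLL that was mapped into it
    signed: bool
    signature: str     # publisher from the Authenticode signature, "" if unsigned


def parse_sysmon7(line: str) -> ImageLoad:
    """Parse a 'Key: value|Key: value' flattened Event ID 7 record."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition(":")
        fields[key.strip()] = value.strip()
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields.get("Signed", "false").lower() == "true",
        signature=fields.get("Signature", ""),
    )


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def sideload_findings(rec: ImageLoad) -> list:
    """Return the reasons (possibly none) a load looks like side-loading."""
    host = basename(rec.image)
    if host not in EXPECTED_SIGNER:
        return []  # rule only covers processes we have expectations for
    reasons = []
    if not rec.signed:
        reasons.append("unsigned DLL")
    elif EXPECTED_SIGNER[host].lower() not in rec.signature.lower():
        reasons.append(f"unexpected signer '{rec.signature}'")
    if any(p.search(rec.image_loaded) for p in SUSPICIOUS_DIR_PATTERNS):
        reasons.append("loaded from user-writable directory")
    # A clean player copied next to a malicious DLL usually ends up somewhere
    # other than its normal install location.
    if not PROGRAM_FILES.search(rec.image):
        reasons.append("host executable outside Program Files")
    return reasons


def hunt(lines: list) -> list:
    """Return (host, dll, reasons) for every record that trips the rule."""
    findings = []
    for line in lines:
        rec = parse_sysmon7(line)
        reasons = sideload_findings(rec)
        if reasons:
            findings.append((rec.image, rec.image_loaded, reasons))
    return findings


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: VLC in its install directory loading its own signed library.
    "Image: C:\\Program Files\\VideoLAN\\VLC\\vlc.exe|ImageLoaded: C:\\Program Files\\VideoLAN\\VLC\\libvlc.dll|Signed: true|Signature: VideoLAN",
    # Suspicious: a clean vlc.exe dropped into a temp folder loading an unsigned DLL beside it.
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\vlc.exe|ImageLoaded: C:\\Users\\alice\\AppData\\Local\\Temp\\libvlc.dll|Signed: false|Signature: ",
    # Unrelated process; the rule has no expectation for it and ignores it.
    "Image: C:\\Windows\\System32\\notepad.exe|ImageLoaded: C:\\Windows\\System32\\kernel32.dll|Signed: true|Signature: Microsoft Windows",
]

if __name__ == "__main__":
    for host, dll, reasons in hunt(SAMPLE_EVENTS):
        print(f"{host} loaded {dll}: {', '.join(reasons)}")
```

The signature check is the strongest of the four signals: a media player's own libraries carry the vendor's signature, so an unsigned or differently signed DLL in a trusted process is a direct indication that something was swapped. The path checks are cheaper but noisier, which is why the function reports every reason rather than a single verdict and leaves the triage decision to the analyst.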

Symantec’s Threat Hunter Team, which identified the activity, has not given the campaign a name. In an interview with Bleeping Computer, the team reported that, alongside exploiting Exchange Server and side-loading VLC, Cicada also deploys WinVNC to gain remote control of compromised systems, together with the Sodamaster backdoor. Sodamaster is a fileless backdoor that runs in system memory and uses stealth techniques to evade detection. It can also enumerate system information, download and execute additional payloads, and obfuscate and encrypt the traffic it sends to its command-and-control server.

Update your Exchange Server: https://docs.microsoft.com/en-us/exchange/new-features/updates?view=exchserver-2019

Then read about Cicada’s attacks: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-china-ngo-government-attacks


