Broadcom’s Symantec Threat Hunter Team observed a threat actor, tracked as Witchetty, using steganography to hide a previously undocumented backdoor in a Windows logo. The group used the backdoor in attacks against Middle Eastern governments.
The cyber espionage group Witchetty (aka LookingFrog) was first spotted by cybersecurity firm ESET in April 2022, the experts argue it is a sub-group of the China-linked TA410 group (aka APT10, Cicada, Stone Panda, and TA429)).
The APT group has been continuously improving its toolset by employing new malware in attacks aimed at governments, diplomatic missions, charities, and industrial/manufacturing organizations in the Middle East and Africa.
Witchetty’s operations were characterized by the use of two pieces of malware, a first-stage backdoor dubbed X4 and a second-stage modular malware known as LookBack.
Between February and September 2022, the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation.
The threat actors exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-26855) vulnerabilities to deploy web shells on public-facing servers before performing malicious actions, such as stealing credentials, moving laterally across networks, and drop addition malicious payload.
In recent attacks the group the group started using a previous undetected implant tracked as Backdoor.Stegmap, which relies on steganography to conceal the malicious payload in a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository. Hiding the malicious code within an image hosted on a trusted service allowed the attackers to evade detection.
“A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.” reads the analysis published by Broadcom’s Symantec Threat Hunter researchers. “Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”
The implant supports the following commands:
|Create a directory
|Remove a directory
|Start a new process
|Download and run an executable from [REMOTE HOSTNAME]/master/cdn/site.htm
|Unknown (Possibly reading standard output from a process created by command 12)
|Terminate the process created by command 12
|Steal a local file
|Kill a process
|Read a registry key
|Create a registry key
|Set a registry key value
|Delete a registry key
“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest.” the researchers concluded. “Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations.”
(SecurityAffairs – hacking, Witchetty)