APT

Witchetty APT used steganography in attacks against Middle East entities

A cyberespionage group, tracked as Witchetty, used steganography to hide a previously undocumented backdoor in a Windows logo.

Broadcom’s Symantec Threat Hunter Team observed a threat actor, tracked as Witchetty, using steganography to hide a previously undocumented backdoor in a Windows logo. The group used the backdoor in attacks against Middle Eastern governments.

The cyber espionage group Witchetty (aka LookingFrog) was first spotted by cybersecurity firm ESET in April 2022, the experts argue it is a sub-group of the China-linked TA410 group (aka APT10, Cicada, Stone Panda, and TA429)).

The APT group has been continuously improving its toolset by employing new malware in attacks aimed at governments, diplomatic missions, charities, and industrial/manufacturing organizations in the Middle East and Africa.

Witchetty’s operations were characterized by the use of two pieces of malware, a first-stage backdoor dubbed X4 and a second-stage modular malware known as LookBack.

Between February and September 2022, the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation.

The threat actors exploited the ProxyShell (CVE-2021-34473CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-26855) vulnerabilities to deploy web shells on public-facing servers before performing malicious actions, such as stealing credentials, moving laterally across networks, and drop addition malicious payload.

In recent attacks the group the group started using a previous undetected implant tracked as Backdoor.Stegmap, which relies on steganography to conceal the malicious payload in a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository. Hiding the malicious code within an image hosted on a trusted service allowed the attackers to evade detection.

“A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.” reads the analysis published by Broadcom’s Symantec Threat Hunter researchers“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”

The implant supports the following commands:

CodeCommand
6Create a directory
7Remove a directory
8Copy files
9Move files
10Delete files
11Start a new process
12Download and run an executable from [REMOTE HOSTNAME]/master/cdn/site.htm
13Unknown (Possibly reading standard output from a process created by command 12)
14Terminate the process created by command 12
15Steal a local file
19Enumerate processes
20Kill a process
21Read a registry key
22Create a registry key
23Set a registry key value
24Delete a registry key

“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest.” the researchers concluded. “Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Witchetty)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

Recent Posts

Meta stopped covert operations from Iran, China, and Romania spreading propaganda

Meta stopped three covert operations from Iran, China, and Romania using fake accounts to spread…

16 hours ago

US Treasury sanctioned the firm Funnull Technology as major cyber scam facilitator

The U.S. sanctioned Funnull Technology and Liu Lizhi for aiding romance scams that caused major…

1 day ago

ConnectWise suffered a cyberattack carried out by a sophisticated nation state actor<gwmw style="display:none;"></gwmw><gwmw style="display:none;"></gwmw>

ConnectWise detected suspicious activity linked to a nation-state actor, impacting a small number of its…

1 day ago

Victoria’s Secret ‘s website offline following a cyberattack

Victoria’s Secret took its website offline after a cyberattack, with experts warning of rising threats…

2 days ago

China-linked APT41 used Google Calendar as C2 to control its TOUGHPROGRESS malware

Google says China-linked group APT41 controlled malware via Google Calendar to target governments through a…

2 days ago

New AyySSHush botnet compromised over 9,000 ASUS routers, adding a persistent SSH backdoor.

GreyNoise researchers warn of a new AyySSHush botnet compromised over 9,000 ASUS routers, adding a…

2 days ago