Rewterz Threat Alert – Witchetty APT Group Hides Backdoor Malware In Windows Logo – Active IOCs

Severity

High

Analysis Summary

Researchers discovered the Witchetty cyber espionage threat actor group, which employs steganography to conceal backdoor malware in the Windows logo in its latest campaign. The gang attacked governments in the Middle East through the backdoor.

Steganography is the technique of concealing data within non-secret, public information or computer files, such as an image, in order to avoid discovery.

Witchetty is believed to have close links to the Chinese threat actor APT10. The gang is also thought to be part of the TA410 operatives (aka APT10, Stone Panda), the group previously connected to attacks on US energy companies.
The group’s current cyberespionage campaign, which targeted two governments in the Middle East and an African stock market, began in February 2022 and is still underway.

The hackers updated their toolset for this campaign to target various vulnerabilities, and they employed steganography to shield their malicious payload from antivirus software.
Two pieces of malware, a first-stage backdoor called X4 and a second-stage modular malware called LookBack, were used in the latest Witchetty activities.

Prior to carrying out malicious actions like stealing credentials, moving lateral across networks, and dropping additional malicious payload, the threat actors first gain initial access to a network by exploiting the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains.

The gang launched their campaign by utilizing a previously unidentified implant known as Backdoor.Stegmap, a steganography-based malware that hides the malicious payload in a bitmap picture of an outdated Microsoft Windows logo placed on a GitHub repository. The attackers were able to avoid detection by hiding the malicious code behind a picture uploaded on a trustworthy service.

“A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.”

source: The payload is hidden under the Windows logo.

“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service. “

According to them, 
“Downloads from reputable domains like GitHub are significantly less likely to trigger red flags than downloads from an attacker-controlled command-and-control (C&C) server.”

The following commands are supported by the implant:

In the campaign identified, the hackers depend on last year’s vulnerabilities to infiltrate the target network and take advantage of the subpar management of publicly accessible servers.
 

Impact

• Cyber Espionage
• Exploitation of Vulnerabilities
• Network Breach

Indicator Of Compromise

Domain Name

• a[.]bigbluedc[.]com

IP

• 5[.]252[.]176[.]3
• 185[.]225[.]19[.]55
• 153[.]92[.]1[.]125
• 194[.]180[.]174[.]254

MD5

• 8c363e07c58cc34a18c80f98c96ea4d8
• b9c8eb182f7a7e8548e9a4dc2dd563e3
• a917237f153602467abd15f2cedd8f4a
• e69aec48e100aa1b13d8945a1110f9a3
• 12fc86065d3c6f14414574e1b47bec91
• 6af145ae905a82bb2f87cf6d77996cfa
• a87f98b83db05534ded4cf78f2109597

SHA-256

• d3c62b920d3e5a6ea12ec59512fe26fb58eb5a19433b10dbe36201a3fc158998
• 73bf59c7f6a28c092a21bf1256db04919084aca5924bbd74277f8bda6191b584
• acc52983d5f6b86bec6a81bc3fbe5c195b469def733f7677d681f0e405a1049b
• f91e44ff423908b6acf8878dced05dc7188ddab39d1040e0d736f96f0a43518d
• e7fcc98005cff9f406a5806222612c20dae3e47c469ff6028310847a599d1a38
• 8030d3472eac3c703ae918600a78a6a89800b157d76f333734ed1af5101d04ed
• 17e60fc72b5398060138f72b3ecb3b09c37243e3b2905df94b7f5b44d6157806

SHA-1

• 6f7bfa3561b1dd249114f3aaa5eaea22777d614d
• bec4aacb875db1dd6de77f26d75c8f3b0bf0ef2e
• 2f2c973a93ed102e130dfb05fcd1495ffa430c2b
• a5f75ed98db2ecf65fbbfe23213fb2fcc02f590e
• 1dd30e68fb92169d968355686feefda063a98bb4
• c8a377fd71c37ca2761c510a56941c6c3b62815c
• d50208721be02026353ee98746d422a06a992dc3

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicator of compromise (IOCs)  in your environment utilizing your respective security controls
• Do not download document ?les attached in emails from unknown sources and strictly refrain from enabling macros when the source isn’t reliable.
• Maintain daily backups of all computer networks and servers.
• Passwords – Ensure that general security policies are employed including: implementing strong passwords, correct configurations, and proper administration security policies.
• Admin Access – limit access to administrative accounts and portals to only relevant personnel and make sure they are not publicly accessible.
• WAF – Web defacement must be stopped at the web application level. Therefore, set up a Web Application Firewall with rules to block suspicious and malicious requests.
• Patch – Patch and upgrade any platforms and software timely and make it into a standard security policy. Prioritize patching known exploited vulnerabilities and zero-days.
• Secure Coding – Along with network and system hardening, code hardening should be implemented within the organization so that their websites and software are secure. Use testing tools to detect any vulnerabilities in the deployed codes.
• 2FA – Enable two-factor authentication.
• Antivirus – Enable antivirus and anti-malware software and update signature definitions in a timely manner. Using a multi-layered protection is necessary to secure vulnerable assets
• Security Best Practices – Do not open emails and attachments from unknown or suspicious sources.