Researchers discovered the Witchetty cyber espionage threat actor group, which employs steganography to conceal backdoor malware in the Windows logo in its latest campaign. The gang attacked governments in the Middle East through the backdoor.
Steganography is the technique of concealing data within non-secret, public information or computer files, such as an image, in order to avoid discovery.
Witchetty is believed to have close links to the Chinese threat actor APT10. The gang is also thought to be part of the TA410 operatives (aka APT10, Stone Panda), the group previously connected to attacks on US energy companies.
The group’s current cyberespionage campaign, which targeted two governments in the Middle East and an African stock market, began in February 2022 and is still underway.
The attackers updated their toolset for this campaign to exploit various vulnerabilities, and they employed steganography to shield their malicious payload from antivirus software.
Two pieces of malware, a first-stage backdoor called X4 and a second-stage modular malware called LookBack, were used in the latest Witchetty activities.
Before carrying out malicious actions such as stealing credentials, moving laterally across networks, and dropping additional malicious payloads, the threat actors first gain initial access to a network by exploiting the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains.
The gang launched their campaign using a previously unidentified implant known as Backdoor.Stegmap, a steganography-based malware that hides its malicious payload in a bitmap image of an old Microsoft Windows logo hosted in a GitHub repository. By hiding the malicious code inside an image uploaded to a trusted service, the attackers were able to avoid detection.
“A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.”
Image: The payload is hidden under the Windows logo.
“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”
According to the researchers,
“Downloads from reputable domains like GitHub are significantly less likely to trigger red flags than downloads from an attacker-controlled command-and-control (C&C) server.”
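The researchers' description above (a payload hidden inside a bitmap and unpacked with an XOR key) suggests a simple triage check a defender can run on bitmaps fetched by unexpected processes: compare what the BMP headers declare with what the file actually contains. The following is an added example, not code from the article or from the researchers; it assumes the hidden data either sits after the declared pixel array or replaces pixel data with high-entropy bytes (the article does not say which technique Stegmap uses), and all sample bitmaps are constructed inline.

```python
import math
import struct
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 0 for flat logo pixels, near 8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage_bmp(blob: bytes) -> dict:
    """Compare what the BMP headers declare against what the file contains."""
    if len(blob) < 54 or blob[:2] != b"BM":
        return {"valid_bmp": False, "suspicious": True}
    # BITMAPFILEHEADER: bfSize, bfReserved1, bfReserved2, bfOffBits
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", blob, 2)
    # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, ...
    _, width, height, _, bpp, _, _ = struct.unpack_from("<IiiHHII", blob, 14)
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are 4-byte aligned
    pixel_end = pixel_offset + row_bytes * abs(height)   # negative height = top-down
    trailing = max(0, len(blob) - pixel_end)             # bytes no viewer will render
    pixel_entropy = shannon_entropy(blob[pixel_offset:pixel_end])
    report = {
        "valid_bmp": True,
        "size_mismatch": declared_size != len(blob),
        "trailing_bytes": trailing,
        "pixel_entropy": round(pixel_entropy, 3),
    }
    report["suspicious"] = report["size_mismatch"] or trailing > 0 or pixel_entropy > 7.0
    return report

def make_bmp(width: int, height: int, bgr=(0xD4, 0x78, 0x00)) -> bytes:
    """Build a minimal 24-bit BMP filled with one colour (a stand-in logo)."""
    row = bytes(bgr) * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)
    pixels = row * height
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    return file_header + info + pixels

# Constructed samples: a clean bitmap, and the same bitmap with a high-entropy
# blob appended after the pixel array. The blob (bytes 0..255 twice) merely
# stands in for an encrypted payload; it is not malware.
CLEAN_BMP = make_bmp(4, 4)
SUSPECT_BMP = CLEAN_BMP + bytes(range(256)) * 2

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN_BMP), ("suspect", SUSPECT_BMP)):
        print(name, triage_bmp(sample))
```

A real hunt would pair this with process telemetry (which binary fetched a .bmp from GitHub and what it did with it), since a header-consistent bitmap with the payload spread through pixel bits would only show up as unusual entropy.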
The following commands are supported by the implant:
In the campaign identified, the attackers rely on vulnerabilities disclosed last year to infiltrate the target network, taking advantage of the poor management of publicly accessible servers.