In an attack on governments in the Middle East, internet snoopers were caught hiding spyware in an old Windows logo.
The Witchetty gang used steganography to hide backdoor Windows malware – called Backdoor.Stegmap – in the bitmap image.
“Although rarely used by attackers, steganography, when executed successfully, can be used to camouflage malicious code in seemingly harmless-looking image files,” researchers from Symantec’s Threat Hunter team wrote this week. “By obfuscating the payload, the attackers were able to host it on a free, trusted service.”
Looks harmless, although sysadmins may disagree… The image used for the payload. Source: Symantec
As far as we know, Witchetty first compromises a network, gets inside one or more systems, then downloads that image from, for example, a repository on GitHub, unpacks and runs the spyware inside.
Hiding the payload in this way and placing the file somewhere harmless on the internet is a major advantage in bypassing security software, since “downloads from trusted hosts like GitHub raise far fewer red flags than downloads from an attacker-driven command-and-control (C&C) server,” the team said.
Therefore, retrieving this image after initial access is less likely to trigger internal alarms.
In April, analysts at European cybersecurity shop ESET documented Witchetty – then called LookingFrog – as one of three sub-groups within TA410, a spy group with loose ties to the APT10 gang (aka Cicada) known for targeting businesses in the US utility sector as well as diplomatic organizations in the Middle East and Africa.
APT10, also known as Red Apollo and Stone Panda, ran a campaign against financial services companies in Taiwan earlier this year. LookingFrog, FlowingFrog and JollyFrog are the three subgroups of TA410, with LookingFrog focusing on the Middle East and a small part of Africa, according to ESET.
The use of Stegmap is part of a larger update to Witchetty’s toolset, the Symantec researchers wrote. The group is known to be using a first-stage backdoor called X4 and a second-stage payload called LookBack, which ESET says is targeting governments, diplomatic missions, charities, and industrial and manufacturing organizations.
Malware upgrades make for a more cunning opponent
Witchetty continues to use LookBack, but has added Stegmap and other malware to its arsenal. To get Stegmap on a network, it runs a DLL loader that downloads the Windows logo bitmap file from a GitHub repository. The payload is hidden in the bitmap file and is decrypted with an XOR operation and a key.
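As an added illustration of the technique described above (this is not Symantec's tooling and not a reconstruction of Stegmap), the following Python triage helper checks whether a BMP carries more bytes than its header accounts for and, on the assumption that any appended data is a Windows executable obfuscated with a single-byte XOR key, recovers that key from the known “MZ” header. The embedding method and key length are assumptions, and the sample image and payload are constructed here.

```python
import struct

def parse_bmp_header(data):
    """Return (declared_size, pixel_offset, pixel_bytes) from a BMP header, or None if not a BMP."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    declared_size, pixel_offset = struct.unpack_from("<IxxxxI", data, 2)
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    row_bytes = ((width * bpp + 31) // 32) * 4   # rows are padded to 4-byte boundaries
    return declared_size, pixel_offset, row_bytes * abs(height)

def trailing_bytes(data):
    """Bytes appended after the pixel array the header accounts for (empty for a clean file)."""
    hdr = parse_bmp_header(data)
    if hdr is None:
        return b""
    _, pixel_offset, pixel_bytes = hdr
    return data[pixel_offset + pixel_bytes:]

def recover_xor_key(blob, known=b"MZ"):
    """Single-byte XOR key under which the blob starts with the known plaintext, else None."""
    for key in range(256):
        if bytes(b ^ key for b in blob[:len(known)]) == known:
            return key
    return None

def xor_decode(blob, key):
    return bytes(b ^ key for b in blob)

def build_sample(key=0x5A):
    """Constructed 2x2 24-bit BMP with a fake, XOR-obfuscated 'payload' appended (not real malware)."""
    pixels = b"\x00\x00\xff\x00\xff\x00\x00\x00" * 2  # two rows: 6 pixel bytes + 2 padding bytes each
    info = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    payload = b"MZ" + b"constructed fake payload, not real malware"
    return file_hdr + info + pixels + xor_decode(payload, key)

def triage(data):
    """Flag a BMP with trailing data and, if a single-byte XOR PE is found, report key and decoded head."""
    extra = trailing_bytes(data)
    if not extra:
        return {"suspicious": False}
    key = recover_xor_key(extra)
    return {"suspicious": True, "trailing_len": len(extra), "xor_key": key,
            "decoded_head": xor_decode(extra, key)[:16] if key is not None else None}

if __name__ == "__main__":
    print(triage(build_sample()))
```

A mismatch between the header-derived size and the actual file length is a cheap first check to run over images fetched from otherwise trusted hosts; the XOR step only applies when a PE-style payload is suspected.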
The payload opens a backdoor to the outside world and can execute a variety of commands given to it by its masters, from copying, moving or deleting files, to removing a directory, starting a new process or ending an existing one, to creating or deleting a Windows registry key.
Symantec researchers wrote that Witchetty used Stegmap to launch a spy campaign against two Middle Eastern governments and a stock exchange in Africa. Initial access to a target’s network is accomplished by exploiting the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange and installing malicious scripts on publicly exposed web servers. From that point forward, the attackers were able to steal user credentials, move sideways through the corporate network, and install Stegmap and other malicious software on computers.
Witchetty also uses Mimikatz, a port scanner, and other tools. This includes one that adds itself to autostart in the registry and is listed as “Nvidia Display Core Component” to ensure the malicious code runs again on reboot.
“Witchetty has demonstrated the ability to continuously refine and update its toolset to compromise interesting targets,” the researchers wrote.
“Exploiting vulnerabilities on publicly-facing servers gives it a path into organizations, while custom tools coupled with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in target organizations.” ®
https://www.theregister.com/2022/10/02/witchetty_windows_logo_spyware/ Spyware hidden in Microsoft logo found using steganography • The Register