An attack on a government in the Middle East has exposed an internet intrusion that hides spyware in the old Windows logo.
The Witchetty gang used steganography to hide Windows malware (called Backdoor.Stegmap) in bitmaps.
“Although it is rarely used by attackers, steganography, when done well, can disguise malicious code as an apparently harmless image file,” researchers from the Threat Hunters team at Symantec said this week. “By masking the payload in this way, the attackers were able to host the payload on a free and trusted service.”
Your system administrator may vary, but it looks harmless… Images used for payloads.Source: Symantec
As far as we know, Wichetti first compromises the network and infiltrates one or more systems. Then download this image, for example from a repository on GitHub, unzip and run the spyware in it.
Hiding the payload in this way and placing the file in a good online location is a great advantage in evading security software. The team said.
So getting this image after first access is unlikely to trigger an internal alarm.
In April, analysts at European cybersecurity store ESET documented Witchetty (then called LookingFrog) as one of three subgroups within TA410. Diplomatic Agencies in the Middle East and Africa.
APT10, also known as Red Apollo and Stone Panda, launched a campaign earlier this year against a financial services company in Taiwan. LookingFrog, FlowingFrog, and JollyFrog represent three subgroups of the TA410, according to ESET, with LookingFrog focusing its efforts on a small portion of the Middle East and Africa.
Symantec researchers write that the use of Stegmap is part of a larger update to the Witchetty toolkit. The group is known to use a first-stage backdoor known as X4 and a second-stage payload called LookBack, according to ESET, governments, diplomatic missions, charities, industry and manufacturing targeting the organization.
Malware upgrades have become a more complex opponent
Witchetty continues to use LookBack, but has added Stegmap and other malware to its arsenal. To render Stegmap to the network, a DLL loader is launched to download a Windows logo bitmap file from the GitHub repository. The payload is hidden in a bitmap and decrypted using an XOR operation and a key.
The payload opens a backdoor to the outside world, and many actions from the master, from copying, moving or deleting files, to deleting directories, starting new processes, killing existing processes, creating or deleting commands that can be run. Delete the Windows registry key.
Symantec researchers wrote that Wichitty used Stegmap to launch espionage operations against two governments in the Middle East and an African stock exchange. Exploit Microsoft ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyLogon (CVE-2021-26855, and CVE-2021-27065) vulnerabilities to gain access to a target network. It replaces malicious scripts and installs them on public web servers. Since then, attackers have been able to steal login credentials from users, move sideways through corporate networks, and install Stegmap and other malicious software on computers.
Witchetty also uses Mimikatz, a port scanner, and other tools. This includes adding itself to the auto registry listed as “Nvidia Display Core Component” to allow malicious code to run again on restart.
“Witchetty has demonstrated the ability to constantly refine and update his toolkit to break target targets,” the researchers wrote.
“Exploiting vulnerabilities in public servers provides an entry point into the enterprise, while an intelligent set of dedicated tools and off-the-ground tactics can create long-term and persistent threats to targeted organizations. We can maintain our existence.” ®