A cyberespionage group, tracked as Witchetty, used steganography to cover a beforehand undocumented backdoor in a Home windows brand.
Broadcom’s Symantec Risk Hunter group noticed a menace actor, tracked as Witchetty, utilizing steganography to cover a beforehand undocumented backdoor in a Home windows brand. The group used the again door in assaults towards governments within the Center East.
The Witchetty (often known as LookingFrog) cyber espionage group was first detected by cybersecurity agency ESET in April 2022, specialists argue that it’s a subgroup of the China-linked TA410 group (often known as APT10, Cicada, Stone Panda and TA429)).
The APT group has been regularly bettering its toolkit by using new malware in assaults concentrating on governments, diplomatic missions, charities, and industrial/manufacturing organizations within the Center East and Africa.
Witchetty’s operations had been characterised by means of two items of malware, a first-stage backdoor known as X4 and a second-stage modular malware often known as LookBack.
Between February and September 2022, the group focused the governments of two Center Japanese international locations and the inventory market of an African nation.
Risk actors exploited ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-26855) vulnerabilities to deploy web shells on public servers before performing malicious actions, such as stealing credentials, moving laterally across networks, and dropping additional malicious payload.
In recent attacks, the group began using a previously undetected traced implant such as Backdoor.Stegmap, which relies on steganography to hide the malicious payload in a bitmap image of an old Microsoft Windows logo hosted in a repository of GitHub. Hiding the malicious code within an image hosted on a trusted service allowed attackers to evade detection.
“A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden inside the file and is decrypted with an XOR key.” Read the analysis published by Broadcom’s Symantec Threat Hunter researchers. “Hiding the payload in this way allowed the attackers to host it on a free and trusted service.”
The implant supports the following commands:
| Code | Domain |
|---|---|
| 6 | create a directory |
| 7 | remove a directory |
| 8 | copy files |
| 9 | move files |
| 10 | delete files |
| eleven | Start a new process |
| 12 | Download and run an executable from [REMOTE HOSTNAME]/master/cdn/site.htm |
| 13 | Unknown (possibly reading standard output from a process created by command 12) |
| 14 | Terminate the process created by command 12 |
| fifteen | Steal a local file |
| 19 | list processes |
| twenty | kill a process |
| twenty-one | Read a registry key |
| 22 | Create a registry key |
| 23 | Set a registry key value |
| 24 | Delete a registry key |
“Witchetty has demonstrated the ability to continually refine and update its toolset for engaging targets of interest.” the researchers concluded. “Exploiting vulnerabilities on public servers provides you with a path to organizations, while custom tools combined with expert use of living off the land tactics allow you to maintain a long-term, persistent presence in target organizations.”
Follow me on twitter: @security issues Y Fb
Pierluigi Paganini
(SecurityIssues – piracy, witchetty)
share on
– Witchetty APT used steganography in attacks against Middle EastSecurity Affairs
