A hacking group known as Witchetty (aka LookingFrog) is using steganography to hide backdoor malware within a Windows logo. The campaign is ongoing and has so far seen targeted attacks conducted on governments in the Middle East and a stock exchange in Africa, according to a recent report from Symantec. The threat actor has strong links with the Chinese state-sponsored threat group APT10 and the TA10 operatives behind attacks on energy companies in the United States.
Witchetty is known to have been operational since at least February 2022, with previous attacks involving a first-stage backdoor and a second-stage payload called LookBack, although the group is now using several new malware variants in its attacks. In the latest campaign, the group uses a backdoor dubbed Stegmap, which is hidden inside an old Microsoft Logo using steganography techniques.
Steganography has been used in previous attacks to hide malicious code from security solutions. These techniques allow a functional image to be displayed that incorporates malicious code, which can be extracted from the image and executed on the victim’s system. In the latest campaign, an old Microsoft bitmap image is used that incorporates an XOR-encrypted backdoor malware. To evade detection, the file is hosted on a trusted cloud-storage service (a GitHub repository) rather than on the attacker’s command-and-control server, to reduce the risk of detection when the image is downloaded.
According to Symantec, Backdoor.Stegmap is a fully functional backdoor malware that can be used to create/remove directories, copy/move/delete files, start/terminate/enumerate processes, download and execute files, steal local files, and read/create/delete registry keys, and set new values for registry keys.
Symantec says the threat actors gain initial access to the network by exploiting Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, and CVE-2021-27065) to install web shells on public-facing servers, then fetch the malicious file. The attackers also use living off-the-land techniques and custom tools to gain persistent access to the networks of the targeted organizations and move laterally within networks. The attacks have been conducted between February and September 2022.
Symantec says Witchetty has demonstrated that it is a highly capable threat actor that continues to refine and refresh its toolset to compromise targets of interest for espionage purposes. Indicators of compromise have been shared in a recent blog post, with the latest mitigation and protection updates shared through the Symantec Protection Bulletin.