Spyware hidden in Microsoft logo using steganography • The Register
Internet snoopers have been caught hiding spyware in an old Windows logo in an attack on Middle Eastern governments.
The Witchetty gang used steganography to conceal the backdoor Windows malware – dubbed Backdoor.Stegmap – in the bitmap image.
“Although rarely used by attackers, if executed successfully, steganography can be used to conceal malicious code in seemingly innocuous image files,” researchers from Symantec’s Threat Hunter team wrote this week. “Disguising the payload in this way allowed the attackers to host it on a free and trusted service.”
From what we can tell, Witchetty first compromises a network, breaks into one or more systems, then downloads that image from, say, a repository on GitHub, unpacks the spyware it contains, and executes it.
Hiding the payload this way and placing the file somewhere innocuous online is a big advantage for evading security software, because “downloads from trusted hosts such as GitHub are much less likely to trigger red flags than downloads from an attacker-controlled command-and-control (C&C),” the team said.
Thus, retrieving this image after gaining initial access is less likely to trigger internal alarms.
In April, analysts at European cybersecurity shop ESET documented Witchetty – which they called LookingFrog at the time – as one of three sub-groups of TA410, a spy group with loose ties to the APT10 (aka Cicada) gang known to target companies in the US data sector, public services and diplomatic organizations in the Middle East and Africa.
APT10, also known as Red Apollo and Stone Panda, earlier this year waged a campaign against financial services firms in Taiwan. LookingFrog, FlowingFrog and JollyFrog are the three subgroups of TA410, with LookingFrog focusing its efforts on the Middle East and a small part of Africa, according to ESET.
The use of Stegmap is part of a larger update to Witchetty’s toolset, the Symantec researchers wrote. The group is known to use a first-stage backdoor known as X4 and a second-stage payload called LookBack, which ESET says targets governments, diplomatic missions, charities, and industrial and manufacturing organizations.
Malware Upgrades Make A More Cunning Enemy
Witchetty continues to use LookBack, but has added Stegmap and other malware to its arsenal. To integrate Stegmap into a network, a DLL loader is run which downloads the Windows logo bitmap file from a GitHub repository. The payload hides in the bitmap file and is decrypted with an XOR operation and key.
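As an added example (not code from Symantec or The Register), here is one way a defender could triage a downloaded bitmap for signs that it carries more than an image. The reporting does not say how Stegmap lays its payload out inside the file, so these are generic structural checks; the function names, the constructed sample images and the 7.5 bits/byte threshold are assumptions.

```python
import hashlib
import math
import struct
from collections import Counter

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def triage_bmp(data: bytes, max_entropy: float = 7.5) -> list:
    """Return findings for an uncompressed BMP; an empty list means nothing was flagged."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP with a BITMAPINFOHEADER"]
    bf_size, _, _, off_bits = struct.unpack_from("<IHHI", data, 2)
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if compression != 0:  # BI_RGB only; RLE/bitfields need a different size model
        return ["compressed BMP: size model does not apply"]
    stride = (width * bpp + 31) // 32 * 4          # rows are padded to 4 bytes
    pixel_end = off_bits + stride * abs(height)    # height < 0 means top-down rows
    findings = []
    if bf_size != len(data):
        findings.append(f"bfSize {bf_size} != file length {len(data)}")
    if len(data) > pixel_end:
        findings.append(f"{len(data) - pixel_end} trailing bytes after pixel array")
    h = entropy(data[off_bits:pixel_end])
    if h > max_entropy:  # heuristic threshold (assumption); photos can also score high
        findings.append(f"pixel entropy {h:.2f} bits/byte")
    return findings

def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Build a constructed 24-bpp sample BMP for testing the checks."""
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54) + info + pixels

def noise(n: int) -> bytes:
    """Deterministic high-entropy filler (constructed stand-in for encrypted data)."""
    blocks = (hashlib.sha256(i.to_bytes(4, "little")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

if __name__ == "__main__":
    flat = make_bmp(64, 64, b"\x00\x78\xd7" * 64 * 64)   # single-colour "logo"
    print("clean   :", triage_bmp(flat))
    print("appended:", triage_bmp(flat + noise(512)))
    print("noisy   :", triage_bmp(make_bmp(64, 64, noise(64 * 64 * 3))))
```

A clean result does not clear a file: data XORed with a short key or spread thinly through the pixels can pass all three checks, so treat this as one triage signal alongside process and network telemetry.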
The payload opens a back door to the outside world and can execute a range of commands issued to it by its masters, from copying, moving or deleting files to deleting a directory, starting a new process or terminating an existing one, and creating or deleting a Windows registry key.
Symantec researchers wrote that Witchetty launched a spy campaign against two governments in the Middle East and a stock exchange in Africa using Stegmap. Initial access to a target’s network is gained by exploiting the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange and installing malicious scripts on public web servers. From then on, attackers were able to steal user login credentials, move laterally across the corporate network, and install Stegmap and other malware on computers.
Witchetty also uses Mimikatz, a port scanner, and other tools. These include one that adds itself to autostart in the registry, listed as “core Nvidia display component”, to ensure that malicious code is executed again on a reboot.
“Witchetty has demonstrated the ability to continually refine and refresh its toolset to compromise targets of interest,” the researchers wrote.
“Exploitation of vulnerabilities on public servers provides it with a pathway to organizations, while custom tools coupled with skillful use of living-off-the-land tactics allow it to maintain a long-term persistent presence in targeted organizations.” ®