Security researchers have discovered a malicious campaign by the hacking group ‘Witchetty’ that uses steganography to hide backdoor malware inside an image of the Windows logo.
Witchetty is believed to have close ties to APT10 (aka “Cicada”), a state-backed Chinese threat actor, and is considered part of the wider TA410 operation, which was previously linked to attacks on US energy suppliers.
Symantec identified the governments of two countries in the Middle East, as well as the stock exchange of a country in Africa, as targets.
For initial compromise, the group is believed to have exploited the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server to install web shells. From there they proceeded to credential theft, lateral movement, and malware deployment.
Using the Windows logo against you
In this campaign, the hackers refreshed their toolkit to target different vulnerabilities and used steganography to hide their malicious payload from antivirus software.
Steganography is the practice of concealing data inside other, innocuous-looking data such as an image file, so that the hidden content evades detection. For example, an attacker can craft an image that opens and displays normally on the victim's computer but also carries malicious code that a loader can later extract from it.
In the campaign discovered by Symantec, Witchetty uses steganography to hide an XOR-encoded backdoor in an old bitmap image of the Windows logo.
The file is hosted on a trusted cloud service rather than on the threat actor’s command and control (C2) server, minimizing the chance that the download triggers security alerts.
“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service. Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server,” Symantec notes.
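The following is an added example, not code from Symantec's report or from the Witchetty toolkit. It shows one simple way an XOR-encoded payload can ride inside a bitmap that still renders normally, the extraction a loader would perform, and the triage check a defender can run over downloaded images. The embedding method used here (appending the encoded bytes after the image data declared in the BMP header) and the key are assumptions chosen for illustration; the page only states that the payload is XOR-encoded and hidden in a bitmap.

```python
"""Bitmap steganography: embed, extract, and triage (illustrative example)."""
import struct


def make_bmp(width, height, rgb):
    """Build a minimal, valid 24-bit BMP of one solid colour (constructed sample)."""
    row = bytes(rgb[::-1]) * width                 # BMP stores pixels as BGR
    row += b"\x00" * ((4 - len(row) % 4) % 4)      # each row is padded to 4 bytes
    pixels = row * height
    pixel_offset = 14 + 40                         # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_size = pixel_offset + len(pixels)
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, pixel_offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels


def xor(data, key):
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed(bmp, payload, key):
    """Append the XOR-encoded payload after the declared image data.

    Image viewers honour bfSize and the pixel array and ignore trailing bytes,
    so the logo still displays correctly while carrying the payload.
    (Assumed embedding method, chosen for illustration.)
    """
    return bmp + xor(payload, key)


def declared_size(bmp):
    """bfSize from the BMP file header (offset 2, little-endian uint32)."""
    if len(bmp) < 14 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", bmp, 2)[0]


def trailer(bmp):
    """Everything past the declared size; an honest bitmap has nothing here."""
    return bmp[declared_size(bmp):]


def extract(bmp, key):
    """Loader side: recover the payload with the known key."""
    return xor(trailer(bmp), key)


def triage(bmp):
    """Defender side: flag a bitmap whose on-disk length exceeds bfSize.

    Also try every single-byte XOR key against the first two trailer bytes and
    report one that yields 'MZ' (the DOS header a dropped Windows PE would start
    with). A multi-byte key defeats this shortcut, so the length check is the
    primary signal and the key guess is only a convenience.
    """
    extra = trailer(bmp)
    result = {"trailer_bytes": len(extra), "suspicious": len(extra) > 0, "mz_key": None}
    for k in range(256):
        if xor(extra[:2], bytes([k])) == b"MZ":
            result["mz_key"] = k
            break
    return result


if __name__ == "__main__":
    # Constructed inputs: a 4x4 solid-colour bitmap and a fake payload that only
    # starts like a PE file; no real executable is involved.
    logo = make_bmp(4, 4, (0, 120, 215))
    payload = b"MZ" + b"\x90" * 62 + b"stand-in for an XOR-encoded backdoor"
    key = b"\x5a\xa5\x0f"                          # assumed key, for illustration
    stego = embed(logo, payload, key)
    print("clean image triage :", triage(logo))
    print("stego image triage :", triage(stego))
    print("payload recovered  :", extract(stego, key) == payload)
```

Run it as a script to see the clean and tampered bitmaps side by side; the same `triage` function can be pointed at any `.bmp` read from disk, since it relies only on the header's declared size rather than on knowing the key.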
According to Symantec, the attackers started their malicious activity on the network of one of the compromised Middle Eastern governments in late February 2022, and continued to actively connect to the environment until September 1.
In addition to its custom tools, Witchetty uses standard utilities such as Mimikatz to dump credentials from LSASS, and abuses living-off-the-land binaries (“lolbins”) already present on the host, such as CMD, WMIC, and PowerShell.
IOCs (SHA-256):
619b64c6728f9ec27bba7912528a4101a9c835a547db6596fa095b3fe628e128 LookBack backdoor
e597aae95dcaccc5677f78d38cd455fa06b74d271fef44bd514e7413772b5dcb LookBack backdoor
ce3293002a9681736a049301ca5ed6d696d0d46257576929efbb638545ecb78e LookBack backdoor
d3c62b920d3e5a6ea12ec59512fe26fb58eb5a19433b10dbe36201a3fc158998 LookBack backdoor
73bf59c7f6a28c092a21bf1256db04919084aca5924bbd74277f8bda6191b584 LookBack backdoor
acc52983d5f6b86bec6a81bc3fbe5c195b469def733f7677d681f0e405a1049b LookBack backdoor
f91e44ff423908b6acf8878dced05dc7188ddab39d1040e0d736f96f0a43518d LookBack backdoor
e7fcc98005cff9f406a5806222612c20dae3e47c469ff6028310847a599d1a38 LookBack backdoor
104873d692af36173cb39f8b46f2080c8ce1a1a52d60c69e1034e2033ba95f7a Possible LookBack dropper
3b715112ac93e4cd5eaa7760b5670760fd25d0fec68f6a493624fa23c1c6e042 Backdoor.Stegmap