Symantec’s Threat Hunter Team, part of Broadcom, warned last week that the hacker group Witchetty, also known as LookingFrog, has been using a rarely seen steganography technique in recent attacks in the Middle East and Africa, embedding a backdoor Trojan inside an image of the Windows logo.
Witchetty is an espionage group first documented by another security company, ESET, in April this year. It is believed to be one member of the espionage group TA410, which in turn is linked to the Chinese hacking group APT10. Witchetty’s hallmark is a two-stage approach: the X4 backdoor in the first stage, followed by the second-stage backdoor LookBack, and it specifically targets government organizations, diplomatic missions, charities and industrial organizations.
According to the Threat Hunter Team’s investigation, between February and September this year Witchetty attacked the governments of two Middle Eastern countries and the stock exchange of an African country. The hackers exploited the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server to install web shells on internet-facing servers.
In this wave of attacks, alongside its existing tools, Witchetty adopted a new tool, Backdoor.Stegmap, which uses steganography to extract a payload hidden in a bitmap (BMP) image. Concealing the payload in a seemingly innocuous bitmap helps fool victims; in one case the hackers used an older version of Microsoft’s Windows logo (shown below).
Embedding a malicious payload in an innocuous-looking image file lets the attackers host it on trusted, free services such as GitHub rather than on an attacker-controlled command-and-control (C&C) server, and the former is far harder to detect.
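As an added example (not code from Symantec’s report or from the Witchetty toolset), here is a Python check a defender could run over BMP files fetched from such hosting services: it parses the BMP header, flags any bytes sitting beyond the declared pixel array, and measures the entropy of the pixel LSB plane, which a flat-coloured logo keeps near zero while an encrypted payload spread through the low bits pushes towards 1. The fixtures (a 16x8 flat image, an appended blob, and a noisy-LSB variant) are constructed here and say nothing about how Stegmap actually encodes its payload.

```python
import math
import struct

def lsb_entropy(pixels: bytes) -> float:
    """Shannon entropy (bits) of the least-significant-bit plane. Flat logo artwork
    sits near 0; an encrypted payload spread over the LSBs pushes it towards 1.0."""
    if not pixels:
        return 0.0
    p = sum(b & 1 for b in pixels) / len(pixels)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def inspect_bmp(data: bytes) -> dict:
    """Parse the BMP file header and BITMAPINFOHEADER, then report two anomaly
    signals: bytes beyond the declared pixel array and the LSB-plane entropy."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    file_size, pixel_offset = struct.unpack_from("<I4xI", data, 2)
    width, height, _planes, bpp = struct.unpack_from("<iiHH", data, 18)
    row_stride = ((width * bpp + 31) // 32) * 4      # rows are padded to 4 bytes
    pixel_bytes = row_stride * abs(height)
    pixels = data[pixel_offset:pixel_offset + pixel_bytes]
    return {
        "declared_size_mismatch": file_size != len(data),
        "trailing_bytes": max(0, len(data) - (pixel_offset + pixel_bytes)),
        "lsb_entropy": round(lsb_entropy(pixels), 3),
    }

def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Constructed fixture: minimal 24-bpp BMP around an already padded pixel array."""
    header = b"BM" + struct.pack("<IHHI", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return header + dib + pixels

def noisy_lsbs(pixels: bytes) -> bytes:
    """Constructed fixture: overwrite the LSB plane with a deterministic pseudo-random
    pattern (an LCG), imitating the statistical footprint of a hidden encrypted blob."""
    out, x = bytearray(pixels), 0x2545F491
    for i in range(len(out)):
        x = (x * 1103515245 + 12345) & 0xFFFFFFFF
        out[i] = (out[i] & 0xFE) | ((x >> 16) & 1)
    return bytes(out)

FLAT = bytes([0x00, 0x78, 0xD4]) * 16 * 8     # 16x8 single-colour fill, 24 bpp, no row padding
CLEAN = make_bmp(16, 8, FLAT)
TRAILING = CLEAN + bytes(range(256))           # constructed stand-in for data appended past the pixel array
STEGO = make_bmp(16, 8, noisy_lsbs(FLAT))
```

Running `inspect_bmp` over CLEAN, TRAILING and STEGO shows the clean logo with zero trailing bytes and zero LSB entropy, the appended blob as a size mismatch plus 256 trailing bytes, and the noisy-LSB image as a structurally valid file whose LSB entropy is close to 1.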
The malicious payload the hackers embedded in the BMP file is a fully functional backdoor: it can create and remove directories, copy, move and delete files, start and stop processes, download and execute files on the infected host, read, create and delete registry keys, and steal files.
The Threat Hunter Team has published indicators of compromise for these attacks for reference.