Hackers hide malware in Microsoft’s Windows logo | iThome

by admin

Symantec’s Threat Hunter Team, part of Broadcom, warned last week that the hacker group Witchetty, also known as LookingFrog, has used a rarely seen steganography technique in recent attacks in the Middle East and Africa, hiding a backdoor Trojan inside an image of the Windows logo.

Witchetty is an espionage-focused hacker group. It was first identified by another security company, ESET, in April this year, and is assessed to be part of the espionage group TA410, which in turn is linked to the Chinese hacker group APT10. Witchetty’s hallmark is a two-stage intrusion: the X4 backdoor in the first stage, followed by the LookBack backdoor in the second. Its targets are specifically government organizations, diplomatic missions, charities and industrial organizations.

According to the Threat Hunter Team’s investigation, between February and September this year Witchetty attacked the governments of two Middle Eastern countries and the stock exchange of an African country. The hackers exploited the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server to install web shells on internet-facing servers.

In this wave of attacks Witchetty added a new tool, Backdoor.Stegmap, to its existing toolset. Stegmap uses steganography to extract a payload from a bitmap (BMP) image. Hiding the payload in a seemingly innocuous bitmap can fool victims; in one case the hackers hid it in an older version of Microsoft’s Windows logo (below).

Image credit/Broadcom
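A defender-side triage check for the kind of steganography described above, added here as an example and not code from Symantec or the article: it parses an uncompressed 24-bit BMP and measures how random the least-significant-bit plane of the pixel data is. Flat artwork such as a logo has large solid-colour areas, so its LSB plane is highly regular; a payload embedded bit-by-bit pushes it towards the entropy of random data. The two sample images are constructed in memory (a four-quadrant “logo” and a copy whose LSBs were randomized); the threshold and the helper names are assumptions for this example.

```python
import math
import random
import struct

def build_bmp(width, height, pixel_fn):
    """Build an uncompressed 24-bit BMP in memory (constructed sample, not a real logo)."""
    row_bytes = (width * 3 + 3) & ~3            # each pixel row is padded to 4 bytes
    pixels = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes(pixel_fn(x, y))        # (B, G, R) triple
        row += b"\x00" * (row_bytes - width * 3)
        pixels += row
    header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return bytes(header + dib + pixels)

def lsb_entropy(bmp):
    """Shannon entropy (bits per bit) of the LSB plane of the pixel data, padding excluded."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    offset = struct.unpack_from("<I", bmp, 10)[0]       # bfOffBits: start of pixel array
    width, height = struct.unpack_from("<ii", bmp, 18)  # biWidth, biHeight (may be negative)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    if bpp != 24:
        raise ValueError("only uncompressed 24-bit BMPs are handled here")
    row_bytes = (width * 3 + 3) & ~3
    ones = total = 0
    for y in range(abs(height)):
        start = offset + y * row_bytes
        row = bmp[start:start + width * 3]               # skip the row padding bytes
        ones += sum(b & 1 for b in row)
        total += len(row)
    p = ones / total
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))

def flat_logo(x, y):
    # Four solid colour quadrants; every byte value is even, so the LSB plane is all zeros.
    return (0x00, 0x78, 0xD4) if (x < 32) == (y < 32) else (0xF0, 0xF0, 0xF0)

rng = random.Random(7)                                   # deterministic noise for the sample
def noisy_logo(x, y):
    return tuple(c | rng.getrandbits(1) for c in flat_logo(x, y))

CLEAN_BMP = build_bmp(64, 64, flat_logo)
NOISY_BMP = build_bmp(64, 64, noisy_logo)

def looks_suspicious(bmp, threshold=0.9):
    """Flag a near-random LSB plane, which flat artwork such as a logo should not have."""
    return lsb_entropy(bmp) > threshold
```

Photographs have naturally noisy low bits, so treat a hit as a triage signal for image files found in unexpected places (downloaded by a process, stored beside a web shell), not as proof of embedding.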

Embedding malicious payloads in innocuous-looking image files lets the hackers host them on trusted, free services such as GitHub rather than on a hacker-controlled command-and-control (C&C) server, and downloads from such services are harder to detect.

The malicious payload embedded in the BMP file is a fully functional backdoor. It can create and remove directories; copy, move and delete files; start and stop processes; download and execute files on the infected host; read, create and delete registry keys; and steal files.

The Threat Hunter Team has published the indicators of compromise (IoCs) for these attacks for reference.
