Symantec researchers have discovered a malicious campaign by the hacker group Witchetty that uses steganography to hide malware inside an image of the Windows logo.
Let me remind you that we also wrote that hackers hide MageCart skimmers in social media buttons.
Experts note that the Witchetty hack group is associated with the Chinese group APT10 (aka Cicada). One of the group's latest cyber-espionage campaigns began in February 2022 and targets governments in the Middle East as well as a stock exchange in Africa. The campaign is still ongoing.
Experts noticed that this time the hackers have expanded their toolkit and begun using steganography in attacks: they hide an XOR-encrypted backdoor inside an old bitmap image of the Windows logo.
Image in which the hackers hid the malware
This disguise lets the attackers host the backdoor file on a cloud service (which the researchers did not name) rather than on their own command-and-control server. To a security product the download looks like an ordinary image fetched from a legitimate host, so the malicious payload inside it goes undetected.
Witchetty attacks begin with the attackers gaining access to the victim's network by exploiting the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange, which they use to plant web shells on vulnerable servers.
The attackers then download the image file and extract the backdoor hidden inside it. The backdoor can:
- perform actions on files and directories;
- start, enumerate or kill processes;
- modify the Windows registry;
- download additional payloads;
- exfiltrate files.
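The article describes the two halves of the trick: the backdoor is XOR-encrypted and tucked into a bitmap, and the attackers later pull it back out. The Python below is an added example, not Witchetty's code or Symantec's analysis. It builds a small, constructed BMP, appends a constructed stand-in for a PE backdoor encrypted with a repeating XOR key, and then shows the check a defender would run: compare the size the BMP header declares with the real file length, and treat the trailing bytes as suspect. The key is recovered with a known-plaintext attack using the `MZ\x90\x00` bytes every PE file starts with. How Witchetty actually placed the payload in the image and what key it used are not stated on the page; appending past the declared size and the sample key are assumptions made for the demonstration.

```python
"""Hide and find an XOR-encrypted blob appended to a Windows bitmap (added example)."""
import struct

KNOWN_PREFIX = b"MZ\x90\x00"  # first bytes of virtually every PE (DOS header); known plaintext


def build_bmp(width=2, height=2):
    """Return a minimal valid 24-bit BMP (constructed sample, not the Witchetty logo)."""
    row = width * 3
    pad = (4 - row % 4) % 4                      # BMP rows are padded to 4 bytes
    pixel_bytes = (row + pad) * height
    offset = 14 + 40                             # BITMAPFILEHEADER + BITMAPINFOHEADER
    size = offset + pixel_bytes                  # bfSize: the size the file claims to have
    file_hdr = struct.pack("<2sIHHI", b"BM", size, 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           pixel_bytes, 2835, 2835, 0, 0)
    pixels = (bytes([0x20, 0x40, 0x80]) * width + b"\x00" * pad) * height
    return file_hdr + info_hdr + pixels


def fake_pe(size=0x80):
    """Constructed stand-in for a PE backdoor: DOS header, e_lfanew=0x40, 'PE\\0\\0' there."""
    buf = bytearray(size)
    buf[0:4] = KNOWN_PREFIX
    struct.pack_into("<I", buf, 0x3C, 0x40)      # e_lfanew -> offset of the PE signature
    buf[0x40:0x44] = b"PE\x00\x00"
    for i in range(0x44, size):                  # filler so the blob is not mostly zeros
        buf[i] = i & 0xFF
    return bytes(buf)


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_payload(bmp, payload, key):
    """Attacker side (assumed scheme): append the encrypted payload after the pixel data.
    Image viewers stop at the declared size, so the picture still renders normally."""
    return bmp + xor_bytes(payload, key)


def trailing_data(blob):
    """Defender side: bytes beyond the size the BMP header declares.
    A legitimate bitmap has none; a large trailer is worth a closer look."""
    magic, declared = struct.unpack_from("<2sI", blob, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    return blob[declared:]


def looks_like_pe(data):
    """Cheap structural check: 'MZ' at 0 and 'PE\\0\\0' where e_lfanew points."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_payload(trailer):
    """Known-plaintext recovery of a repeating XOR key of length 1..4 using the
    DOS-header prefix, validated by checking that the result parses as a PE.
    Returns (key, plaintext) or (None, None)."""
    if len(trailer) < len(KNOWN_PREFIX):
        return None, None
    for klen in range(1, len(KNOWN_PREFIX) + 1):
        key = bytes(trailer[i] ^ KNOWN_PREFIX[i] for i in range(klen))
        candidate = xor_bytes(trailer, key)
        if candidate.startswith(KNOWN_PREFIX) and looks_like_pe(candidate):
            return key, candidate
    return None, None


if __name__ == "__main__":
    stego = embed_payload(build_bmp(), fake_pe(), b"\x5a\x13\x77")   # assumed sample key
    trailer = trailing_data(stego)
    key, pe = recover_payload(trailer)
    print(f"trailer bytes: {len(trailer)}, key: {key.hex()}, PE recovered: {pe is not None}")
```

The size-mismatch check is the part worth keeping: it costs nothing, needs no signature for the payload, and catches appended data no matter how it is encrypted. The key recovery only works for short repeating keys and only when the hidden file is a PE; a longer key or a different embedding (overwriting pixel bytes rather than appending) would need a different approach, such as entropy analysis of the pixel area.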
Witchetty also uses a custom proxy utility that reverses the usual roles: the infected computer acts "as a server and connects to the C&C server acting as a client, and not vice versa."
Other tools used by the attackers include a custom port scanner and a custom persistence utility that adds itself to the registry under the guise of an NVIDIA display core component.