An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.
Broadcom’s Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name Witchetty, which is also known as LookingFrog, a subgroup operating under the TA410 umbrella.
Intrusions involving TA410 – which is believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429) – primarily feature a modular implant called LookBack.
Symantec’s latest analysis of attacks between February and September 2022, during which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights the use of a new backdoor called Stegmap.
The new malware leverages steganography – a technique used to embed a message (in this case, malware) in a non-secret document – to extract malicious code from a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository.
“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service,” the researchers said. “Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server.”
Stegmap, like any other backdoor, has an extensive array of features that allows it to carry out file manipulation operations, download and run executables, terminate processes, and make Windows Registry modifications.
Attacks that lead to the deployment of Stegmap weaponize ProxyLogon and ProxyShell vulnerabilities in Exchange Server to drop the China Chopper web shell, that’s then used to carry out credential theft and lateral movement activities, before launching the LookBack malware.
A timeline of an intrusion on a government agency in the Middle East reveals Witchetty maintaining remote access for as long as six months and mounting a wide range of post-exploitation efforts, including network enumeration and installing custom malware, until September 1, 2022.
“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest,” the researchers said.
“Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations.”