Malware Hidden in Windows' Logo, Threat Actors Attack Middle East Govt
October 03, 2022 By Raulf Hernes
An espionage-focused threat actor has hidden malware inside an image of the Windows logo in attacks on governments in the Middle East.
Broadcom's Symantec Threat Hunter Team attributes the updated tooling to Witchetty, also tracked as LookingFrog, a subgroup operating under the TA410 umbrella.
TA410 intrusions typically deploy the modular LookBack implant, and the group is thought to have ties to the Chinese threat actor APT10 (also known as Cicada, Stone Panda, or TA429).
Symantec's latest analysis, covering attacks between February and September 2022 against the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights a previously unseen backdoor it calls Stegmap.
Stegmap relies on steganography, the practice of hiding data inside an innocuous-looking file so that the carrier still looks and behaves normally. Here the carrier is a bitmap image of an older version of the Microsoft Windows logo, and the hidden data is the backdoor code, which a loader extracts from the image before running it.
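The following Python is an added illustration, not code from Symantec's report and not Stegmap's actual encoding, which the article does not describe. It shows the general mechanism the paragraph refers to: a payload is written into the least-significant bits of a 24-bit bitmap's pixel data, the image still renders and keeps its size and headers, a loader recovers the bytes, and a defender can run one crude check on the LSB plane. The cover image, the payload, the 4-byte length prefix, the XOR key and the MSB-first bit layout are all constructed assumptions for the example.

```python
import struct

# Constructed stand-in for a dropped payload; real samples would carry a PE file.
PAYLOAD = b"MZ\x90\x00constructed-stand-in-for-a-backdoor-DLL"
XOR_KEY = 0x5A          # assumed obfuscation key, not Stegmap's
HEADER_LEN = 14 + 40    # BITMAPFILEHEADER + BITMAPINFOHEADER


def make_bmp(width: int, height: int, colour=(0x00, 0x78, 0xD4)) -> bytes:
    """Build a minimal bottom-up 24-bit BMP filled with a single colour.
    A flat fill keeps the example offline; an attacker would use a genuine logo."""
    row_stride = (width * 3 + 3) & ~3            # BMP rows are padded to 4 bytes
    pixel_size = row_stride * height
    file_header = struct.pack("<2sIHHI", b"BM", HEADER_LEN + pixel_size, 0, 0, HEADER_LEN)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             pixel_size, 2835, 2835, 0, 0)
    row = bytes(colour) * width + b"\x00" * (row_stride - width * 3)
    return file_header + dib_header + row * height


def _pixel_offsets(bmp: bytes):
    """Yield the file offset of every real pixel byte, skipping row padding."""
    data_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    row_stride = (width * 3 + 3) & ~3
    for r in range(abs(height)):
        base = data_offset + r * row_stride
        for i in range(width * 3):
            yield base + i


def capacity_bytes(bmp: bytes) -> int:
    """Payload bytes the image can carry at one bit per pixel byte, minus the length prefix."""
    return sum(1 for _ in _pixel_offsets(bmp)) // 8 - 4


def embed_lsb(bmp: bytes, payload: bytes, key: int = XOR_KEY) -> bytes:
    """Write [u32 length][XOR-obfuscated payload] into the pixel LSBs, MSB-first.
    Headers and file size are untouched, so the image still opens normally."""
    body = struct.pack("<I", len(payload)) + bytes(b ^ key for b in payload)
    bits = [(byte >> (7 - k)) & 1 for byte in body for k in range(8)]
    offsets = list(_pixel_offsets(bmp))
    if len(bits) > len(offsets):
        raise ValueError("payload does not fit in this cover image")
    out = bytearray(bmp)
    for bit, off in zip(bits, offsets):
        out[off] = (out[off] & 0xFE) | bit    # replace only the lowest bit
    return bytes(out)


def extract_lsb(bmp: bytes, key: int = XOR_KEY) -> bytes:
    """What a loader does: read the length prefix, then recover and de-XOR the payload."""
    offsets = list(_pixel_offsets(bmp))

    def read_bytes(start_bit: int, n: int) -> bytes:
        out = bytearray()
        for i in range(n):
            val = 0
            for k in range(8):
                val = (val << 1) | (bmp[offsets[start_bit + i * 8 + k]] & 1)
            out.append(val)
        return bytes(out)

    length = struct.unpack("<I", read_bytes(0, 4))[0]
    if length > (len(offsets) - 32) // 8:
        raise ValueError("length prefix exceeds capacity: wrong layout or not a stego image")
    return bytes(b ^ key for b in read_bytes(32, length))


def lsb_ones_ratio(bmp: bytes) -> float:
    """Fraction of pixel bytes whose LSB is 1. Embedded data pushes this toward 0.5 in
    the region it occupies; on flat artwork such as a logo the deviation is obvious,
    on photographs it is a weak signal and needs a proper statistical test."""
    offsets = list(_pixel_offsets(bmp))
    return sum(bmp[o] & 1 for o in offsets) / len(offsets)


if __name__ == "__main__":
    cover = make_bmp(64, 16)
    stego = embed_lsb(cover, PAYLOAD)
    print("same size:", len(cover) == len(stego), "headers equal:", cover[:HEADER_LEN] == stego[:HEADER_LEN])
    print("LSB ones ratio cover/stego:", lsb_ones_ratio(cover), round(lsb_ones_ratio(stego), 3))
    print("recovered:", extract_lsb(stego))
```

The point for defenders is the second-to-last function: nothing about the file's size, headers or rendering changes, so hash- or signature-based scanning of the image finds nothing, and the payload is also XOR-obfuscated before embedding. Detection therefore has to look at the fetching process (a loader pulling an image from GitHub and then allocating executable memory) rather than at the image alone.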
"Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service," the researchers said. "Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server."
Like many backdoors, Stegmap offers a broad feature set: file manipulation, downloading and running executables, killing processes, and modifying the Windows Registry.
According to a timeline of one attack on a Middle Eastern government body, Witchetty maintained remote access for as long as six months, carrying out a range of post-exploitation activity up until September 1, 2022.
"Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest," the researchers said.
"Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations."