The Symantec Threat Hunter team (now part of Broadcom) reported last week that the hacker group Witchetty (also known as LookingFrog) has been attacking targets in the Middle East and Africa, using the rarely seen technique of steganography to hide a backdoor Trojan inside an image of the Windows logo.
Witchetty is an espionage group. It was first described in April of this year by another security company, ESET, which believes it to be one of the sub-groups that make up the espionage actor TA410, itself associated with the Chinese hacker group APT10. Witchetty is characterized by a two-stage toolset: the X4 backdoor in the first stage, followed by the LookBack backdoor in the second. Its targets are government bodies, diplomatic missions, charities, and industrial organizations.
According to the Threat Hunter team's investigation, between February and September of this year Witchetty attacked the governments of two Middle Eastern countries and the stock exchange of an African country, exploiting the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server to install web shells on internet-facing servers.
In this wave of attacks, alongside its existing tools, Witchetty added a new one, Backdoor.Stegmap, which uses steganography to extract its payload from a bitmap (BMP) image. Hiding the payload inside a seemingly harmless image makes it easy to overlook; in one case the carrier image was an old version of Microsoft's Windows logo (below).
Image credit / Broadcom
Embedding the payload in an innocuous-looking image file lets the attackers host it on trusted, free services such as GitHub rather than on an attacker-controlled command-and-control (C&C) server. Downloads from a well-known service are far harder to flag as malicious than connections to an attacker-controlled host.
The payload embedded in the BMP file is a fully functional backdoor: it can create and remove directories, copy, move and delete files, start and terminate processes, download and execute files, read, create and delete registry keys, and steal files from the host.
The Threat Hunter team has published indicators of compromise (IOCs) for these attacks for external reference.
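The article does not describe how Stegmap's payload is laid out inside the bitmap, only that it is extracted from a BMP. The following is an added example, not Witchetty's tooling and not code from the Symantec write-up: it uses one common and simple embedding (an XOR-obfuscated blob appended behind the pixel array, which image viewers ignore) to show the check a defender can run on any BMP, namely computing where the pixel array must end from the header geometry and flagging anything after it. The image, the payload bytes and the key are constructed for the example; the assumption that the real sample used trailing bytes is not supported by the page.

```python
import math
import struct
from collections import Counter

# BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
FILE_HDR = struct.Struct("<2sIHHI")
# BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression,
#                   biSizeImage, biXPelsPerMeter, biYPelsPerMeter, biClrUsed, biClrImportant
INFO_HDR = struct.Struct("<IiiHHIIiiII")
BI_RGB = 0


def row_stride(width, bpp):
    """Bytes per pixel row; BMP rows are padded to a multiple of 4 bytes."""
    return ((width * bpp + 31) // 32) * 4


def make_bmp(width, height, pixels):
    """Build an uncompressed 24-bit BMP from a flat list of (b, g, r) tuples (constructed image)."""
    stride = row_stride(width, 24)
    raw = bytearray()
    for y in range(height):
        row = b"".join(bytes(pixels[y * width + x]) for x in range(width))
        raw += row.ljust(stride, b"\x00")
    off = FILE_HDR.size + INFO_HDR.size
    info = INFO_HDR.pack(INFO_HDR.size, width, height, 1, 24, BI_RGB, len(raw), 2835, 2835, 0, 0)
    return FILE_HDR.pack(b"BM", off + len(raw), 0, 0, off) + info + bytes(raw)


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed_trailing(bmp, payload, key, fix_header=True):
    """Append an XOR-obfuscated payload after the pixel array (assumed embedding, not the
    real sample's). Viewers ignore the extra bytes, so the file still renders. With
    fix_header=True, bfSize is patched so a naive 'declared size == file size' check passes."""
    out = bytearray(bmp + xor_bytes(payload, key))
    if fix_header:
        struct.pack_into("<I", out, 2, len(out))
    return bytes(out)


def shannon_entropy(buf):
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def scan_bmp(data):
    """Parse the headers and report where the pixel array should end versus where the file ends."""
    if len(data) < FILE_HDR.size + INFO_HDR.size or data[:2] != b"BM":
        raise ValueError("not a BMP")
    _, bf_size, _, _, off_bits = FILE_HDR.unpack_from(data, 0)
    _, width, height, _, bpp, comp, *_ = INFO_HDR.unpack_from(data, FILE_HDR.size)
    if comp != BI_RGB:
        raise ValueError("compressed bitmaps are not handled by this example")
    # Geometry, not bfSize, decides where the image ends: bfSize is attacker-controlled.
    expected_end = off_bits + row_stride(width, bpp) * abs(height)
    trailing = data[expected_end:]
    return {
        "declared_size": bf_size,
        "actual_size": len(data),
        "size_mismatch": bf_size != len(data),
        "pixel_array_end": expected_end,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 3),
    }


def extract_trailing(data, key):
    """Recover the hidden bytes once the XOR key is known (e.g. pulled from the loader)."""
    info = scan_bmp(data)
    return xor_bytes(data[info["pixel_array_end"]:], key)


# Constructed sample: a 4x4 blue square and a fake payload ('MZ' plus filler bytes),
# nothing taken from a real sample. Key is likewise made up.
SAMPLE_KEY = b"\x5a\xa5"
SAMPLE_PAYLOAD = b"MZ" + bytes(range(64))
CLEAN = make_bmp(4, 4, [(255, 0, 0)] * 16)
STEGO = embed_trailing(CLEAN, SAMPLE_PAYLOAD, SAMPLE_KEY)

if __name__ == "__main__":
    print("clean:", scan_bmp(CLEAN))
    print("stego:", scan_bmp(STEGO))
    print("recovered:", extract_trailing(STEGO, SAMPLE_KEY)[:2])
```

The point of the check is that `bfSize` is trivially patched by the attacker, so `size_mismatch` alone is not a useful detection; the trailing-byte count derived from width, height and bit depth is, and a high entropy of those bytes is the usual hint that they are encrypted rather than metadata. A carrier that hides data in pixel LSBs instead of trailing bytes would not be caught by this check, so it is one indicator, not a complete detector.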