Hackers Hide Malware in Windows Logo, Target Middle East Governments

A hacking group dubbed 'Witchetty' has been observed using a steganographic technique to hide a backdoor in a Windows logo and target Middle Eastern governments.

According to a new advisory by Broadcom, Witchetty (aka LookingFrog) is believed to have connections to the state-backed Chinese threat actor APT10 as well as to TA410 operatives, a group previously linked to attacks against US energy providers.

Witchetty was first discovered by ESET in April 2022, with its activity being characterized by the use of a first-stage backdoor known as X4 and a second-stage payload known as LookBack.

While the group has continued to use the LookBack backdoor, Broadcom observed that several new types of malware appear to have been added to its toolset.

"The Witchetty espionage group [...] has been progressively updating its toolset, using new malware in attacks on targets in the Middle East and Africa," the advisory reads.

"Among the new tools being used by the group is a backdoor Trojan (Backdoor.Stegmap) that employs steganography, a rarely seen technique where malicious code is hidden within an image."
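The advisory says only that Stegmap's payload is hidden inside an image and gives no embedding details, so the check below is a generic defender-side heuristic added here as an example; it is not Broadcom's code or a description of Stegmap's method. It parses PNG and BMP structure and reports bytes that sit past where the format says the image ends, which is a common place for smuggled data to live. The sample images and the appended placeholder are constructed inline.

```python
import struct
import zlib
from typing import Optional

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_payload_end(data: bytes) -> Optional[int]:
    """Offset just past the IEND chunk, or None if not a well-formed PNG."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4                  # header + chunk data + CRC
        if ctype == b"IEND":
            return pos if pos <= len(data) else None
    return None

def bmp_payload_end(data: bytes) -> Optional[int]:
    """File size declared in the BMP file header (bfSize), or None if not a BMP."""
    if len(data) < 14 or data[:2] != b"BM":
        return None
    declared = struct.unpack_from("<I", data, 2)[0]
    return declared if declared >= 14 else None

def trailing_bytes(data: bytes) -> int:
    """Bytes beyond the image's declared end: 0 = clean, >0 = suspicious, -1 = unknown format."""
    for probe in (png_payload_end, bmp_payload_end):
        end = probe(data)
        if end is not None:
            return len(data) - end
    return -1

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

# Constructed samples: a minimal 1x1 RGB PNG and a minimal 1x1 24-bit BMP.
IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
IDAT = zlib.compress(b"\x00\xff\xff\xff")
CLEAN_PNG = PNG_SIG + _png_chunk(b"IHDR", IHDR) + _png_chunk(b"IDAT", IDAT) + _png_chunk(b"IEND", b"")
CLEAN_BMP = (b"BM" + struct.pack("<IHHI", 14 + 40 + 4, 0, 0, 54)
             + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
             + b"\xff\xff\xff\x00")
# The appended bytes are a constructed placeholder, not any real sample.
STUFFED_PNG = CLEAN_PNG + b"PLACEHOLDER_PAYLOAD"
STUFFED_BMP = CLEAN_BMP + b"PLACEHOLDER_PAYLOAD"
```

A non-zero result is a triage signal, not proof of compromise: legitimate tools sometimes append metadata, so flagged files should be inspected rather than blocked outright.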

Further, the attackers observed by Broadcom between February and September 2022 exploited the ProxyShell and ProxyLogon vulnerabilities to install web shells on public-facing servers. The group then stole credentials, moved laterally across networks and installed malware on other computers.

"Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest," Broadcom wrote.

"Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations."

Symantec has provided protection updates about the latest Witchetty attacks in its Protection Bulletin.

The publication of the advisory comes months after CloudSEK researchers discovered an extensive phishing campaign in which threat actors were impersonating the Ministry of Human Resources of the UAE government.