U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|
Advertisement

Ad Placeholder

Full Width × 90

APT

Witchetty APT used steganography in attacks against Middle East entities

A cyberespionage group, tracked as Witchetty, used steganography to hide a previously undocumented backdoor in a Windows logo. Broadcom’s Symantec Threat Hunter Team observed a threat actor, tracked as Witchetty, using steganography to hide a previously undocumented backdoor in a Windows logo. The group used the backdoor in attacks against Middle Eastern governments. The cyber […]

RAT

A cyberespionage group, tracked as Witchetty, used steganography to hide a previously undocumented backdoor in a Windows logo.

Broadcom’s Symantec Threat Hunter Team observed a threat actor, tracked as Witchetty, using steganography to hide a previously undocumented backdoor in a Windows logo. The group used the backdoor in attacks against Middle Eastern governments.

The cyber espionage group Witchetty (aka LookingFrog) was first spotted by cybersecurity firm ESET in April 2022, the experts argue it is a sub-group of the China-linked TA410 group (aka APT10, Cicada, Stone Panda, and TA429)).

The APT group has been continuously improving its toolset by employing new malware in attacks aimed at governments, diplomatic missions, charities, and industrial/manufacturing organizations in the Middle East and Africa.

Witchetty’s operations were characterized by the use of two pieces of malware, a first-stage backdoor dubbed X4 and a second-stage modular malware known as LookBack.

Between February and September 2022, the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation.

The threat actors exploited the ProxyShell (CVE-2021-34473CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-26855) vulnerabilities to deploy web shells on public-facing servers before performing malicious actions, such as stealing credentials, moving laterally across networks, and drop addition malicious payload.

In recent attacks the group the group started using a previous undetected implant tracked as Backdoor.Stegmap, which relies on steganography to conceal the malicious payload in a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository. Hiding the malicious code within an image hosted on a trusted service allowed the attackers to evade detection.

“A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.” reads the analysis published by Broadcom’s Symantec Threat Hunter researchers“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”

The implant supports the following commands:

CodeCommand
6Create a directory
7Remove a directory
8Copy files
9Move files
10Delete files
11Start a new process
12Download and run an executable from [REMOTE HOSTNAME]/master/cdn/site.htm
13Unknown (Possibly reading standard output from a process created by command 12)
14Terminate the process created by command 12
15Steal a local file
19Enumerate processes
20Kill a process
21Read a registry key
22Create a registry key
23Set a registry key value
24Delete a registry key

“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest.” the researchers concluded. “Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations.”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Witchetty)

[adrotate banner=”5″]

[adrotate banner=”13″]