Security researchers have uncovered a new campaign by the hacking group Witchetty, which hides a backdoor inside an innocuous-looking Windows logo image using steganography and has been using it against Middle Eastern governments and other targets. Details below.
Steganographic malware found attacking Middle Eastern governments
According to BleepingComputer, a threat actor named Witchetty (also tracked as LookingFrog and considered part of the TA410 umbrella group) has been using steganography to smuggle a backdoor onto compromised systems.
As reported by Broadcom's Symantec Threat Hunter Team, TA410 in turn has connections with APT10, a Chinese threat group also known as TA429, Stone Panda or Cicada.
According to the reports, Witchetty carried out the attacks from February to September 2022. It deployed the backdoor on government systems in two Middle Eastern countries as well as at the stock exchange of an African nation.
The backdoor, dubbed Stegmap, relies on a rather simple trick: steganography is used to embed the backdoor's code inside an unremarkable, publicly available image file, in this case a bitmap of an old Microsoft Windows logo. The image still looks like the logo, so nothing about its appearance gives the payload away.
The attackers hosted the payload-bearing Windows logo bitmap on GitHub, so the download looked like ordinary traffic to a trusted, widely used service and was not flagged. That is very different from malware that has to reach out to a dedicated command-and-control server: such connections stand out, raise red flags, and can be blocked relatively easily.
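To make the technique concrete, here is an added example (not code from the article, Symantec, or the Witchetty campaign) that builds a small 24-bit bitmap standing in for a logo, hides a payload in the least-significant bits of the pixel data, extracts it again the way a loader would, and then applies the two checks a defender actually has: comparing the suspect image against a pristine reference copy, and measuring the LSB plane against a known-clean baseline. The XOR layer, the 32-bit length prefix and the four-quadrant "logo" are all assumptions made for the illustration; the page does not describe how Stegmap encodes its payload.

```python
"""Bitmap steganography: embed, extract, and two defender checks (illustrative example)."""
import hashlib
import struct

PIXEL_OFFSET = 54  # 14-byte BMP file header + 40-byte BITMAPINFOHEADER


def make_logo_bmp(width=64, height=64):
    """Build a clean 24-bit BMP made of four flat colour quadrants (constructed stand-in
    for a logo). Every channel value is even, so each pixel byte starts with LSB 0."""
    colours = [(0, 0, 240), (0, 240, 0), (240, 0, 0), (0, 240, 240)]  # BGR order
    stride = (width * 3 + 3) & ~3  # rows are padded to a 4-byte boundary
    rows = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            quadrant = (x >= width // 2) + 2 * (y >= height // 2)
            row += bytes(colours[quadrant])
        row += b"\x00" * (stride - len(row))
        rows += row
    file_hdr = struct.pack("<2sIHHI", b"BM", PIXEL_OFFSET + len(rows), 0, 0, PIXEL_OFFSET)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(rows), 2835, 2835, 0, 0)
    return bytes(file_hdr + dib_hdr + rows)


def _pixel_offset(bmp):
    return struct.unpack_from("<I", bmp, 10)[0]  # bfOffBits in the file header


def embed_lsb(bmp, payload, key=0x5A):
    """Hide `payload` one bit per pixel byte. Stream layout (an assumption for this
    example): 32-bit big-endian length, then the payload XORed with a one-byte key so a
    plain string scan of the image does not find it."""
    offset = _pixel_offset(bmp)
    body = bytes(b ^ key for b in payload)
    stream = struct.pack(">I", len(body)) + body
    capacity = (len(bmp) - offset) // 8
    if len(stream) > capacity:
        raise ValueError(f"payload needs {len(stream)} bytes, carrier holds {capacity}")
    out = bytearray(bmp)
    i = offset
    for byte in stream:
        for shift in range(7, -1, -1):
            out[i] = (out[i] & 0xFE) | ((byte >> shift) & 1)
            i += 1
    return bytes(out)


def extract_lsb(bmp, key=0x5A):
    """Loader side: read the length prefix, then recover and de-XOR the payload."""
    offset = _pixel_offset(bmp)

    def read_bytes(start, count):
        if start + count * 8 > len(bmp):
            raise ValueError("stream runs past end of pixel data")
        vals = bytearray()
        for k in range(count):
            v = 0
            for j in range(8):
                v = (v << 1) | (bmp[start + k * 8 + j] & 1)
            vals.append(v)
        return bytes(vals)

    length = struct.unpack(">I", read_bytes(offset, 4))[0]
    return bytes(b ^ key for b in read_bytes(offset + 32, length))


def lsb_one_fraction(bmp):
    """Share of pixel bytes whose LSB is 1. Only meaningful against a known-clean
    baseline: this flat carrier sits at 0.0, but a photograph is already near 0.5."""
    pixels = bmp[_pixel_offset(bmp):]
    return sum(b & 1 for b in pixels) / len(pixels)


def matches_reference(suspect, reference):
    """The practical check: a 'Windows logo' pulled from a public repository should
    hash-match the pristine logo. Steganography preserves the look, not the bytes."""
    return hashlib.sha256(suspect).digest() == hashlib.sha256(reference).digest()


if __name__ == "__main__":
    clean = make_logo_bmp()
    stego = embed_lsb(clean, b"constructed stand-in for a backdoor DLL")
    print("recovered:", extract_lsb(stego))
    print("LSB ones, clean vs stego:", lsb_one_fraction(clean), lsb_one_fraction(stego))
    print("hash matches reference:", matches_reference(stego, clean))
```

Note that the stego image is byte-for-byte the same size as the clean one and renders identically, which is exactly why a hash or reference comparison, not a visual or size check, is the control that catches this kind of carrier.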
Acting as a backdoor, Stegmap lets the attackers carry out a wide range of actions on the infected host, including downloading and running executables, manipulating files, terminating processes, exfiltrating files, and modifying the Windows Registry.
Further, the researchers observed the group retain remote access to the compromised networks through Stegmap for about six months, carrying out extensive exploitation activity before it was finally spotted on September 1st, 2022.