Cyber Attacks Against Middle East Governments Hide Malware in Windows logo

An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.

Broadcom’s Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name Witchetty, which is also known as LookingFrog, a subgroup operating under the TA410 umbrella.

Intrusions involving TA410, which is believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429), primarily feature a modular implant called LookBack.

Symantec’s latest analysis of attacks between February and September 2022, during which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights the use of a new backdoor called Stegmap.

The new malware leverages steganography, a technique used to embed a message (in this case, malware) in a non-secret document, to extract malicious code from a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository.

“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service,” the researchers said. “Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server.”
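Added example, not from the Symantec report and not the group's actual embedding method: a Python check that flags a BMP carrying bytes beyond its declared file size or a least-significant-bit plane that looks random, two generic signs that an ordinary-looking image is carrying a hidden payload. The thresholds and the sample images are assumptions constructed for the demonstration.

```python
import math
import struct

def lsb_entropy(pixels: bytes) -> float:
    """Shannon entropy (bits) of the pixel LSB stream: ~1.0 if the bits look random."""
    n = len(pixels)
    if n == 0:
        return 0.0
    p1 = sum(b & 1 for b in pixels) / n
    return -sum(p * math.log2(p) for p in (p1, 1 - p1) if p > 0)

def inspect_bmp(data: bytes) -> dict:
    """Flag a BMP that carries bytes beyond its declared size or a near-random LSB plane."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    # BITMAPFILEHEADER after the 'BM' magic: file size, two reserved words, pixel offset
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    entropy = lsb_entropy(data[pixel_offset:declared_size])
    trailing = max(len(data) - declared_size, 0)
    return {
        "trailing_bytes": trailing,
        "lsb_entropy": round(entropy, 3),
        "suspicious": trailing > 0 or entropy > 0.95,  # threshold is an assumption
    }

def make_bmp(width: int, height: int, pixel_fn) -> bytes:
    """Build a minimal 24-bit BMP (constructed test input, not a real logo)."""
    row_pad = (4 - (width * 3) % 4) % 4
    pixels = bytearray()
    for y in range(height):
        for x in range(width):
            pixels += bytes(pixel_fn(x, y))
        pixels += b"\x00" * row_pad
    offset = 14 + 40  # file header + BITMAPINFOHEADER
    file_header = b"BM" + struct.pack("<IHHI", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + bytes(pixels)

def sample_images() -> dict:
    """Constructed samples: a flat clean image, one with appended bytes, one with noisy LSBs."""
    clean = make_bmp(4, 4, lambda x, y: (0x80, 0x80, 0x80))
    appended = clean + b"CONSTRUCTED-PAYLOAD"                      # bytes past declared size
    noisy = make_bmp(4, 4, lambda x, y: (0x80 | (x & 1),) * 3)    # LSBs alternate 0/1
    return {"clean": clean, "appended": appended, "noisy": noisy}
```

Real images rarely reach an LSB entropy near 1.0 in every channel, so a hit from either check is a reason to quarantine and inspect the download, not proof on its own.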

Stegmap, like any other backdoor, has an extensive array of features that allows it to carry out file manipulation operations, download and run executables, terminate processes, and make Windows Registry modifications.

Attacks that lead to the deployment of Stegmap weaponize ProxyLogon and ProxyShell vulnerabilities in Exchange Server to drop the China Chopper web shell, which is then used to carry out credential theft and lateral movement activities, before launching the LookBack malware.

A timeline of an intrusion on a government agency in the Middle East reveals Witchetty maintaining remote access for as many as six months and mounting a wide range of post-exploitation efforts until September 1, 2022.

“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest,” the researchers said.

“Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations.”
