Hacking Group Hides Backdoor Malware Inside Windows Logo Image.

Mar 7, 2024

Security researchers have uncovered a campaign by the threat group “Witchetty” that uses steganography to hide a backdoor inside an image of the Windows logo.

Witchetty is believed to be closely associated with the Chinese state-sponsored threat actor APT10 (also known as “Cicada”). The group is also considered part of TA410, which has previously been linked to attacks against US energy providers.

According to Symantec, the group is still running a cyberespionage campaign launched in February 2022, which targeted the governments of two Middle Eastern countries and the stock exchange of an African nation.

Who Is Witchetty?

ESET first documented Witchetty in April 2022 and assessed it to be one of three sub-groups of TA410, a broad cyberespionage operation with some links to the Cicada group (aka APT10). Witchetty’s operations used two pieces of malware: a first-stage backdoor called X4 and a second-stage payload called LookBack. Governments, diplomatic missions, NGOs, and industrial/manufacturing companies were among its targets, according to ESET.

The Windows Logo Being Used Against You:

For this campaign the group updated its toolset to target newer vulnerabilities, and it used steganography to hide its malicious payload from antivirus software.

Steganography is the practice of concealing data inside other, non-secret, publicly available information or files, such as an image, so that it escapes detection. For instance, an attacker can craft an image file that opens and displays normally on a computer but also carries malicious code that a loader can later extract from it.

In the attack Symantec found, Witchetty uses steganography to hide an XOR-encrypted backdoor inside an old Windows logo bitmap image.

Because the file is hosted on a reputable cloud service rather than on the threat actor’s command-and-control (C2) server, downloading it is less likely to trigger security alerts.

In its research, Symantec notes that “disguising the payload in this way allowed the attackers to host it on a free, trustworthy service.”

Downloads from trusted hosts such as GitHub are far less likely to raise suspicion than downloads from command-and-control (C&C) servers under an attacker’s control.
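As an added illustration (not code from the original article or from Symantec’s analysis), the following Python script shows one common way of carrying a payload inside a bitmap that still opens as a normal image: the XOR-encrypted blob is appended after the pixel array, and the loader recovers it by reading past the geometry declared in the header. Whether Witchetty’s loader used exactly this layout is not stated on the page; the key, the sample payload and the tiny cover image are constructed for the example. The last two functions are the defender’s side: a naive check that trusts the header’s file-size field, and a sturdier one that derives the expected size from width, height and bits per pixel, which is what a triage script should do.

```python
import struct

# Constructed values for this illustration only; the page does not give Witchetty's
# real key, payload or embedding layout.
XOR_KEY = b"\x5a\xa5"
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"constructed-backdoor-stub|" * 4


def build_bmp(width: int, height: int, rgb=(0, 120, 215)) -> bytes:
    """Minimal valid 24-bit BMP filled with one colour (a constructed stand-in for the logo)."""
    row_bytes = (width * 3 + 3) & ~3                       # rows are padded to 4 bytes
    pixel_bytes = row_bytes * height
    file_header = struct.pack("<2sIHHI", b"BM", 54 + pixel_bytes, 0, 0, 54)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              pixel_bytes, 2835, 2835, 0, 0)
    row = bytes(rgb[::-1]) * width + b"\x00" * (row_bytes - width * 3)  # BMP stores BGR
    return file_header + info_header + row * height


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pixel_array_end(data: bytes) -> int:
    """Offset just past the pixel array, computed from the image geometry in the
    BITMAPINFOHEADER (width, height, bits per pixel), not from the declared file size."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP")
    off_bits, = struct.unpack_from("<I", data, 10)
    width, height = struct.unpack_from("<ii", data, 18)
    bpp, = struct.unpack_from("<H", data, 28)
    row_bytes = ((width * bpp + 31) // 32) * 4
    return off_bits + row_bytes * abs(height)          # height < 0 means top-down rows


def embed_payload(bmp: bytes, payload: bytes, key: bytes = XOR_KEY) -> bytes:
    """Attacker side: append the XOR-encrypted payload after the pixel array.
    Viewers render from the header geometry and ignore trailing bytes, so the
    image still opens and looks normal."""
    return bmp[:pixel_array_end(bmp)] + xor_bytes(payload, key)


def extract_payload(stego: bytes, key: bytes = XOR_KEY) -> bytes:
    """Loader side: take everything past the pixel array and XOR-decrypt it."""
    return xor_bytes(stego[pixel_array_end(stego):], key)


def patch_declared_size(data: bytes) -> bytes:
    """Attacker evasion: rewrite bfSize so the header claims the whole file."""
    return data[:2] + struct.pack("<I", len(data)) + data[6:]


def bytes_past_declared_size(data: bytes) -> int:
    """Naive defender check: bytes beyond the bfSize field. Defeated by patch_declared_size."""
    declared, = struct.unpack_from("<I", data, 2)
    return max(0, len(data) - declared)


def hidden_slack(data: bytes) -> int:
    """Sturdier defender check: bytes that width x height x bpp cannot account for.
    Survives a patched bfSize because it never reads that field."""
    return max(0, len(data) - pixel_array_end(data))


if __name__ == "__main__":
    cover = build_bmp(64, 64)
    stego = patch_declared_size(embed_payload(cover, SAMPLE_PAYLOAD))
    print("payload recovered:", extract_payload(stego) == SAMPLE_PAYLOAD)
    print("past bfSize:", bytes_past_declared_size(stego), "geometry slack:", hidden_slack(stego))
```

The geometry-based check only catches data appended after the pixel array; a payload spread across the low bits of the pixels themselves leaves the size unchanged and needs other signals, such as an image fetched from a code-hosting site by a process that is not a browser and immediately followed by a new DLL or process on the host.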

The threat actors gain initial access to a network by exploiting the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop web shells on vulnerable servers.

The threat actors then retrieve the backdoor concealed in the image file, which gives them the ability to:

  • Perform directory and file operations.
  • Start, enumerate, or terminate processes.
  • Modify the Windows Registry.
  • Download additional payloads.
  • Exfiltrate files.

Witchetty also deployed a custom proxy tool that reverses the usual roles: the infected computer acts as the server and communicates with the C&C server as if that server were the client, rather than the other way around. Other tools include a custom port scanner and a custom persistence utility that registers itself in the registry as a “NVIDIA display core component”.

Alongside its custom tools, Witchetty makes use of living-off-the-land binaries (LOLBins) already present on the host, such as CMD, WMIC and PowerShell, and of widely available tools such as Mimikatz to dump credentials from LSASS.

TA410 and Witchetty remain active threats to governments and state institutions around the world, including in Asia and Africa. The best defence against these attacks is to apply security updates as soon as they become available.

In the campaign Symantec identified, the attackers relied on Exchange vulnerabilities patched in 2021 to get into the target network, taking advantage of poorly maintained public-facing servers.