Witchetty group utilises the Windows logo to hide malware

October 3, 2022

The Witchetty hacking group, which is believed to be linked with the Cicada APT (APT10), was found hiding a backdoor malware inside the Windows logo using a steganography technique. Witchetty’s new campaign, launched last February, involved cyberespionage attacks against government organisations in the Middle East and a stock exchange firm in Africa.

The toolkit used by the hacking group has been upgraded to exploit several known security flaws. With steganography, Witchetty could keep its backdoor malware from being detected by a host’s antivirus tools.

Some hackers benefit from using steganography in their attacks since it lets them hide data or malicious payloads within ordinary, public-looking files to evade security detection. For instance, a valid image file can carry malicious code that is later extracted and run on a targeted device without the user’s knowledge.


The new Witchetty group campaign involves using steganography in an old bitmap image of the Windows logo to hide an XOR-encrypted malware.
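A defender-side check for the pattern described above, added here as an illustration and not taken from the researchers' report. It assumes one common way of hiding a payload in a bitmap: appending it after the pixel data, so the file on disk is larger than the size declared in the BMP header, and the appended XOR-encoded bytes have high entropy. The sample images and the payload are constructed inline.

```python
import math
import struct

def build_bmp(width, height, pixels):
    """Build a minimal 24-bit BMP (constructed sample, stands in for the logo image)."""
    row = (width * 3 + 3) & ~3              # rows are padded to 4 bytes
    data_size = row * height
    file_size = 54 + data_size              # 14-byte file header + 40-byte DIB header
    header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      data_size, 2835, 2835, 0, 0)
    return header + dib + pixels

def parse_bmp(data):
    """Return the declared file size and pixel-data offset from the BMP file header."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    return declared_size, pixel_offset

def entropy(buf):
    """Shannon entropy in bits per byte; encrypted/XOR-encoded blobs score near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def scan_bmp(data, min_trailer=16, min_entropy=6.0):
    """Flag a BMP whose on-disk size exceeds the declared size by a high-entropy trailer.
    Thresholds are assumptions: some tools append small, low-entropy metadata legitimately."""
    declared_size, _ = parse_bmp(data)
    trailer = data[declared_size:]
    ent = entropy(trailer)
    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "trailer_bytes": len(trailer),
        "trailer_entropy": round(ent, 2),
        "suspicious": len(trailer) >= min_trailer and ent >= min_entropy,
    }

# Constructed samples: a clean 2x2 white bitmap, and the same bitmap with a
# single-byte-XOR-encoded blob appended (a stand-in for a hidden payload).
CLEAN_BMP = build_bmp(2, 2, b"\xff" * 16)
HIDDEN_PAYLOAD = bytes(b ^ 0x5A for b in range(256))   # constructed, not a real sample
TAINTED_BMP = CLEAN_BMP + HIDDEN_PAYLOAD
```

On the constructed input `scan_bmp(TAINTED_BMP)["suspicious"]` is true while the clean bitmap passes; in practice the check belongs beside a size/entropy baseline for the image types a given environment actually serves.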


In this campaign, the image file carrying Witchetty’s malware is hosted on a well-known cloud service to minimise the chances of security detection. The researchers noted that downloads from such a service draw less suspicion than connections to an attacker-controlled C2 server.

Witchetty group exploits several Microsoft vulnerabilities, including the ProxyLogon flaws, to gain initial access to a targeted network. These critical flaws include CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, and CVE-2021-27065.

Once exploitation succeeds, the hackers drop webshells on the exposed servers. They then extract the malware hidden in the Windows logo image file to begin a series of attack procedures, including performing file and directory actions, killing processes, modifying the Windows registry, downloading additional payloads, and stealing data.

Furthermore, the threat group deploys a custom proxy utility that lets the compromised machine act as their C2 server. They have also brought more tools into the attack, such as a port scanner, a persistence utility, and more.

As the researchers have observed, the Witchetty group’s reliance on known vulnerabilities means that organisations that have not patched their systems are exposed to these attacks. Thus, to avoid becoming a target, users must promptly update their systems to the latest patch releases and ensure that a strong antivirus tool is active.
