Hacking group hides backdoor malware inside Windows logo image

Tags: APT10, Malware, Steganography, TA410, Windows, Witchetty

Security researchers have discovered a malicious campaign by the ‘Witchetty’ hacking group, which uses steganography to hide a backdoor malware in a Windows logo.

Witchetty is believed to have close ties to the Chinese state-backed threat actor APT10 (aka ‘Cicada’). The group is also considered part of TA410, which has previously been linked to attacks against U.S. energy providers.

Symantec reports that the group is running a new cyberespionage campaign, launched in February 2022 and still ongoing, that has targeted two governments in the Middle East and a stock exchange in Africa.

Using the Windows logo against you

In this campaign, the hackers refreshed their toolkit to exploit different vulnerabilities and used steganography to hide their malicious payload from antivirus software.

Steganography is the practice of hiding data inside other, non-secret files or information, such as an image, so that its presence is not noticed. For example, an attacker can craft an image file that still opens and displays correctly but also carries malicious code that a loader on the victim machine can extract from it.

In the campaign discovered by Symantec, Witchetty is using steganography to hide an XOR-encrypted backdoor malware in an old Windows logo bitmap image.
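The following is an added example, not code from Symantec's report or from the Witchetty toolkit. It round-trips an XOR-encrypted payload through the pixel data of a valid 24-bit BMP using least-significant-bit (LSB) embedding, then runs two defender-side checks against the result. The cover image, the placeholder payload and the XOR key are constructed for the demonstration; the page does not publish the real loader's key or embedding layout, so this is one plausible layout, not the attackers' own.

```python
"""Added example, not code from Symantec's report or the Witchetty toolkit.

Hides a length-prefixed, XOR-encrypted blob in the LSB of each pixel byte of a
24-bit BMP, recovers it the way a loader would, and then applies two checks a
defender might run. Cover image, payload and key are constructed (assumed)
inputs, not artefacts from the campaign.
"""
import math
import struct

BMP_HEADER_SIZE = 14 + 40   # BITMAPFILEHEADER + BITMAPINFOHEADER


def build_bmp(width, height, pixel_fn):
    """Build a 24-bit bottom-up BMP; pixel_fn(x, y) returns a (b, g, r) tuple."""
    row_size = (width * 3 + 3) & ~3           # BMP rows are padded to 4 bytes
    rows = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row.extend(pixel_fn(x, y))
        row.extend(b"\x00" * (row_size - len(row)))
        rows.extend(row)
    file_size = BMP_HEADER_SIZE + len(rows)
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, BMP_HEADER_SIZE)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(rows), 2835, 2835, 0, 0)
    return bytes(file_hdr + info_hdr + rows)


def xor(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pixel_offset(bmp):
    return struct.unpack_from("<I", bmp, 10)[0]   # bfOffBits: start of pixels


def embed_lsb(cover, payload, key):
    """Attacker side: store a 4-byte length prefix plus XOR'd payload, one bit
    per pixel byte, in the LSB. The image still renders almost identically."""
    blob = struct.pack("<I", len(payload)) + xor(payload, key)
    off = pixel_offset(cover)
    body = bytearray(cover[off:])
    if len(blob) * 8 > len(body):
        raise ValueError("cover image too small for payload")
    for i, byte in enumerate(blob):
        for j in range(8):
            bit = (byte >> (7 - j)) & 1
            idx = i * 8 + j
            body[idx] = (body[idx] & 0xFE) | bit
    return cover[:off] + bytes(body)


def _read_lsb_bytes(body, start_byte, count):
    out = bytearray()
    for i in range(count):
        v = 0
        for j in range(8):
            v = (v << 1) | (body[(start_byte + i) * 8 + j] & 1)
        out.append(v)
    return bytes(out)


def extract_lsb(stego, key):
    """Loader side: read the length prefix, then XOR-decrypt the payload."""
    body = stego[pixel_offset(stego):]
    length = struct.unpack("<I", _read_lsb_bytes(body, 0, 4))[0]
    return xor(_read_lsb_bytes(body, 4, length), key)


# --- defender checks -------------------------------------------------------

def trailing_bytes(bmp):
    """Bytes beyond the size the header declares; catches appended payloads
    but, as the demo shows, not LSB embedding."""
    declared = struct.unpack_from("<I", bmp, 2)[0]
    return len(bmp) - declared


def lsb_entropy(bmp):
    """Shannon entropy (bits) of the pixel LSB plane. A flat or quantised
    cover gives 0.0; embedded ciphertext pushes it towards 1.0."""
    body = bmp[pixel_offset(bmp):]
    p = sum(b & 1 for b in body) / len(body)
    if p in (0.0, 1.0):
        return 0.0
    return -(p * math.log2(p) + (1 - p) * math.log2(1 - p))


# Constructed inputs: a 16x16 grey gradient quantised to even values (so the
# clean LSB plane is all zero), a placeholder payload and a throwaway key.
COVER = build_bmp(16, 16, lambda x, y: ((x * 16) & 0xFE,) * 3)
PAYLOAD = b"constructed placeholder, not a real backdoor blob"
KEY = b"\x5a\xa5\x3c\xc3"


def demo():
    stego = embed_lsb(COVER, PAYLOAD, KEY)
    return {
        "roundtrip_ok": extract_lsb(stego, KEY) == PAYLOAD,
        "same_size": len(stego) == len(COVER),
        "trailing_cover": trailing_bytes(COVER),
        "trailing_stego": trailing_bytes(stego),
        "entropy_cover": lsb_entropy(COVER),
        "entropy_stego": lsb_entropy(stego),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two checks illustrate why this trick works: the stego file is byte-for-byte the same size as the cover and passes the header-size check, so a scanner that only looks for data appended after the declared end of the image sees nothing. The LSB-entropy check does flag the constructed cover, but real photographs already carry noisy low-order bits, so in practice it gives a weak signal; the more reliable detection points on this page are the download source (a loader pulling an image from a code-hosting service right after a web shell appears) and the behaviour that follows extraction.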


Windows logo hiding the payload (Symantec)

The image is hosted on a trusted cloud service rather than on the threat actor’s command and control (C2) server, so fetching it is far less likely to trigger network alerts.

“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service,” Symantec explains in its report.

“Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server.”

The attack begins with the threat actors gaining initial access to the network by exploiting the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop web shells on vulnerable servers.

Next, the threat actors fetch the backdoor hiding in the image file, which enables them to do the following:

  • Perform file and directory actions
  • Start, enumerate, or kill processes
  • Modify the Windows Registry
  • Download additional payloads
  • Exfiltrate files

Witchetty also introduced a custom proxy utility that reverses the usual connection direction: the infected computer acts “as the server and connects to a C&C server acting as a client, instead of the other way around.”

Other tools include a custom port scanner and a custom persistence utility that adds itself in the registry as “NVIDIA display core component.”

Along with the custom tools, Witchetty uses standard utilities such as Mimikatz to dump credentials from LSASS and abuses living-off-the-land binaries (“lolbins”) already on the host, such as CMD, WMIC, and PowerShell.

TA410 and Witchetty remain active threats to governments and state organizations in Asia, Africa, and around the globe. The best way to prevent their attacks is to apply security updates as they are released.

In the campaign discovered by Symantec, the hackers relied on exploiting vulnerabilities patched in 2021 to breach the target networks, taking advantage of poor patch management on publicly exposed servers.
