Malware-based campaigns are turning into increasingly complex threats capable of targeting multiple devices and operating systems. New techniques and “tricks” are added on a constant basis, while already known solutions tend to resurface every now and then. Steganography, while being neither a novel nor a popular technique to hide data inside images, is indeed being used in a new espionage campaign by a group known as Witchetty. The signature trait of Backdoor.Stegmap, as Symantec’s Threat Hunter Team reports, is malicious code hiding in a familiar albeit old logo for Microsoft’s Windows operating system. The logo image is being hosted on a GitHub repository, a free, trusted service which is far less likely to raise a red flag compared to traditional command and control (C&C) servers used by cyber-criminals. When a DLL loader downloads the aforementioned logo on a compromised system, the payload hidden within the image file is decrypted with an XOR key. If successfully executed, the Backdoor.Stegmap trojan can open a fully featured backdoor capable of creating files and directories, starting or killing processes, modifying the Windows registry, downloading new executables and more.
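The report says only that the payload inside the image is decrypted with an XOR key. As an added example (not code from Symantec, the article or the malware), the Python below shows how a defender could triage image files for an XOR-encoded Windows executable by using the DOS stub message as known plaintext. It goes beyond the article by assuming a repeating key of up to 8 bytes, and the sample bytes and key are constructed and inert.

```python
# Added example: hunt for an XOR-encoded Windows executable inside an image file.
# Known plaintext: the DOS stub message present in almost every PE file.
DOS_STUB = b"This program cannot be run in DOS mode"
MAX_KEY_LEN = 8  # assumption: short repeating key (the article gives no key details)


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (encoding and decoding are the same operation)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def find_xored_pe(data: bytes, max_key_len: int = MAX_KEY_LEN):
    """Return [(offset, key)] for each place DOS_STUB occurs under a repeating XOR key.

    The key is reported as it is aligned at that offset; a zero key means plaintext.
    """
    hits = []
    n = len(DOS_STUB)
    for off in range(len(data) - n + 1):
        # ciphertext XOR known plaintext = keystream candidate at this offset
        stream = bytes(c ^ p for c, p in zip(data[off:off + n], DOS_STUB))
        for klen in range(1, max_key_len + 1):
            # a genuine repeating key makes the keystream periodic with period klen
            if all(stream[i] == stream[i - klen] for i in range(klen, n)):
                hits.append((off, stream[:klen]))
                break  # keep the shortest key that explains the bytes
    return hits


def build_samples():
    """Constructed test data: an inert stand-in for an image, clean and with a hidden blob."""
    cover = b"BM" + bytes(52) + bytes(range(256)) * 2        # fake header + fake pixels
    fake_pe = b"MZ" + b"\x90" * 62 + DOS_STUB + b".\r\r\n$"  # not a real executable
    key = bytes([0x5A, 0xC3, 0x11])                          # constructed key
    return cover, cover + xor_repeat(fake_pe, key)


if __name__ == "__main__":
    clean, suspicious = build_samples()
    for name, blob in (("clean", clean), ("suspicious", suspicious)):
        for off, key in find_xored_pe(blob):
            print(f"{name}: XOR-encoded PE stub at offset {off}, key {key.hex()}")
```

A hit in a file that claims to be an image is a strong signal to pull the file for analysis; absence of a hit does not clear it, since longer keys or other encodings are outside what this check covers.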
According to Symantec researchers, the Backdoor.Stegmap-based campaign carried out by the Witchetty cyber-espionage group (also known as LookingFrog) has been active since February 2022, targeting two Middle East governments and the stock exchange of an African country. The attackers exploited already known vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, CVE-2021-27065) to install web shells on public-facing servers, which they then used to steal credentials, move across networks and install malware on other computers. Witchetty first came under the spotlight in April 2022, when ESET identified the threat as one of the sub-groups of TA410, a cyber-espionage operation linked to the state-sponsored Chinese group known as Cicada/APT10. Equipped with a rich toolset of growing malware features, Witchetty is known for targeting governments, diplomatic missions, charities and industry organizations. The Backdoor.Stegmap steganography trojan is a recent addition to that toolset; other new tools employed by the group include a custom proxy utility, a port scanner and a “persistence utility” that adds itself to the auto-start section of the registry, hidden behind the “NVIDIA display core component” moniker. Symantec says Witchetty has shown the ability to “continually refine and refresh its toolset in order to compromise targets of interest” so as to maintain a long-term, persistent presence in the affected organizations.