Witchetty Group Uses Steganography To Target Middle East Entities

Witchetty, a cyberespionage group and a sub-group of the China-linked TA410 group (aka APT10), has been discovered using steganography in attacks against Middle East entities.

New tools and techniques

In its attacks, Witchetty used a new, previously undocumented backdoor tracked as Backdoor.Stegmap, which relies on a rarely seen steganography technique.
  • The use of the steganography technique enables attackers to conceal the malicious payload in a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository.
  • Other new custom tools used by the attackers include a proxy utility, a port scanner, and a persistence utility. 
  • In addition, experts observed many other tools and malware such as Plink, a keylogger, LSASS credential stealer, Mimikatz, China Chopper, and Korplug/PlugX loader.
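
A defender-side triage sketch for bitmap-hosted payloads like the one described above, added here as an example (it is not code from the original article or from any vendor report). The article does not say how Backdoor.Stegmap embeds its payload, so this applies two generic heuristics to uncompressed BMP files: data outside the declared pixel array, and encrypted-looking (high-entropy) regions inside it. The function names, window size, threshold and sample images are all constructed for illustration.

```python
import hashlib, math, struct
from collections import Counter

def entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0

def inspect_bmp(data: bytes, window: int = 4096, threshold: float = 7.5) -> list[str]:
    """Return findings for an uncompressed BMP; an empty list means nothing odd."""
    if len(data) < 54 or data[:2] != b"BM":
        return ["not a BMP file"]
    bf_size, _, _, off_bits = struct.unpack_from("<IHHI", data, 2)
    _, width, height, _, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if compression != 0:
        return ["compressed BMP: size and entropy checks skipped"]
    stride = (width * bpp + 31) // 32 * 4          # rows are padded to 4 bytes
    pixel_end = off_bits + stride * abs(height)    # height < 0 means top-down rows
    findings = []
    if bf_size != len(data):
        findings.append(f"bfSize {bf_size} != file length {len(data)}")
    if len(data) > pixel_end:
        findings.append(f"{len(data) - pixel_end} bytes after pixel array")
    pixels = data[off_bits:pixel_end]
    # Flat-colour artwork such as a logo has low entropy; encrypted data nears 8.
    for start in range(0, len(pixels) - window + 1, window):
        if entropy(pixels[start:start + window]) > threshold:
            findings.append(f"high-entropy pixel window at offset {off_bits + start}")
            break
    return findings

def make_bmp(pixels: bytes, width: int, height: int, trailer: bytes = b"") -> bytes:
    """Build a constructed 24-bit BMP whose header describes only `pixels`."""
    header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    return header + dib + pixels + trailer

# Constructed samples: a 64x64 flat-colour image and deterministic noise that
# stands in for an encrypted blob (no real payload is involved).
FLAT = bytes([0, 120, 215]) * 4096
NOISE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))
CLEAN = make_bmp(FLAT, 64, 64)
EMBEDDED = make_bmp(FLAT[:4096] + NOISE + FLAT[8192:], 64, 64)
APPENDED = make_bmp(FLAT, 64, 64, trailer=NOISE)

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("embedded", EMBEDDED), ("appended", APPENDED)):
        print(name, inspect_bmp(img))
```

Photographic bitmaps are naturally high in entropy, so the entropy finding is a prompt for manual review, most useful for images expected to be simple artwork fetched by servers that have no reason to download them.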

Witchetty has been exploiting the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-26855) vulnerabilities in its attacks.

Attack targets

  • Witchetty’s attacks broadly targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations in the Middle East and Africa.
  • Between February and September 2022, Witchetty specifically launched attacks against the governments of two Middle Eastern countries and the stock exchange of an African nation.

Differences from the past

Witchetty (aka LookingFrog) was first observed by ESET researchers in April 2022, using a slightly different set of tools.
  • In April 2022, Witchetty was exploiting RCE vulnerabilities in popular server applications and making use of available exploits to gain control of unpatched servers.
  • Witchetty previously used a first-stage backdoor dubbed X4 and a second-stage modular malware known as LookBack; it has now switched to the backdoor Trojan named Backdoor.Stegmap.

Summing up

In a short time span, Witchetty has demonstrated its abilities as a capable threat actor. Its exploitation of vulnerabilities on public-facing servers and its use of custom tools, paired with adept use of living-off-the-land tactics, make it a potential threat.
Cyware Publisher