Published in News

Witchetty hackers hide backdoor malware in a Windows logo

03 October 2022

Symantec warns of new Chinese hacking campaign

The 'Witchetty' hacking group is using steganography to hide backdoor malware in a Windows logo.

Symantec reports that the threat group is operating a new cyberespionage campaign launched in February 2022 that targeted two governments in the Middle East and a stock exchange in Africa.

The hackers refreshed their toolkit to target different vulnerabilities and used steganography to hide their malicious payload from antivirus software.

For those who came in late, steganography is the act of hiding data within other non-secret, public information or computer files, such as an image, to evade detection. Symantec found that Witchetty is using steganography to hide an XOR-encrypted backdoor in an old Windows logo bitmap image.
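One cheap triage check a defender can run on image files is to compare a bitmap's declared geometry with its real length: data sitting past the end of the pixel array, or a file-size field that disagrees with the file, means something has been tucked onto the image. This is an added example, not Symantec's or the campaign's code, and it assumes the hidden payload is appended after the pixel data (the article does not say exactly how the payload is embedded); the sample bitmap is constructed here, not a real Windows logo.

```python
import struct

BMP_HEADERS_LEN = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def inspect_bmp(data: bytes) -> dict:
    """Compare a BMP's declared size and pixel geometry with its real length."""
    if len(data) < BMP_HEADERS_LEN or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    # BITMAPFILEHEADER after the 'BM' magic: bfSize, bfReserved1, bfReserved2, bfOffBits
    bf_size, _r1, _r2, off_bits = struct.unpack_from("<IHHI", data, 2)
    # BITMAPINFOHEADER: biSize, biWidth, biHeight, biPlanes, biBitCount, biCompression
    _bi_size, width, height, _planes, bpp, compression = struct.unpack_from("<IiiHHI", data, 14)
    if compression != 0:
        raise ValueError("only uncompressed (BI_RGB) bitmaps are handled here")
    # Rows are padded to a multiple of 4 bytes; a negative height means top-down rows.
    stride = ((width * bpp + 31) // 32) * 4
    pixel_end = off_bits + stride * abs(height)
    return {
        "declared_size": bf_size,
        "actual_size": len(data),
        # An attacker can patch bfSize to match, so the overlay check is independent of it.
        "size_mismatch": bf_size != len(data),
        "overlay_bytes": max(0, len(data) - pixel_end),
    }


def is_suspicious(data: bytes, min_overlay: int = 16) -> bool:
    """Flag a bitmap whose size field lies or that carries a non-trivial overlay."""
    report = inspect_bmp(data)
    return report["size_mismatch"] or report["overlay_bytes"] >= min_overlay


def make_sample_bmp() -> bytes:
    """Constructed 2x2, 24-bit BMP used only as test input (not a real logo)."""
    width, height, bpp = 2, 2, 24
    stride = ((width * bpp + 31) // 32) * 4              # 8 bytes: 6 pixel bytes + 2 pad
    row = b"\x00\x00\xff" * width + b"\x00" * (stride - width * 3)
    pixels = row * height
    file_size = BMP_HEADERS_LEN + len(pixels)
    file_header = b"BM" + struct.pack("<IHHI", file_size, 0, 0, BMP_HEADERS_LEN)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels


if __name__ == "__main__":
    clean = make_sample_bmp()
    tampered = clean + b"\x41" * 32   # constructed placeholder blob appended to the image
    print(inspect_bmp(clean), is_suspicious(clean))
    print(inspect_bmp(tampered), is_suspicious(tampered))
```

The check only catches appended data; a payload spread across pixel bits keeps the geometry consistent and needs statistical or signature-based analysis instead.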

The file is hosted on a trusted cloud service instead of the threat actor's command and control (C2) server, so the chances of raising security alarms while fetching it are minimised.

The attack begins with the threat actors gaining initial access to a network by exploiting the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop webshells on vulnerable servers.

Witchetty uses standard utilities like Mimikatz to dump credentials from LSASS and abuses "lolbins" (living-off-the-land binaries) already on the host, like CMD, WMIC, and PowerShell.

The hackers rely on exploiting last year's vulnerabilities to breach the target network, taking advantage of the poor administration of publicly exposed servers. If you want to fight it off, upgrade your systems.


Last modified on 03 October 2022