"Cyber Attacks Against Middle East Governments Hide Malware in Windows Logo"

In its attacks against Middle Eastern governments, an espionage-focused threat actor has been observed using a steganographic tactic to hide a previously unknown backdoor in a Windows logo. Broadcom's Symantec Threat Hunter Team attributed the updated tooling to the Witchetty hacking group, also known as LookingFrog, a subgroup operating under the TA410 umbrella. Intrusions involving TA410, which is suspected of having ties to the Chinese threat group APT10, also known as Cicada, Stone Panda, or TA429, primarily use a modular implant called LookBack. Symantec's recent analysis of attacks between February and September 2022, during which the group targeted the governments of two Middle Eastern countries and an African country's stock exchange, reveals the use of a new backdoor known as Stegmap. The new malware practices steganography, a technique used to embed a message in a non-secret document, to extract malicious code from a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository. According to the researchers, hiding the payload in this way allowed the attackers to host it on a free, trusted service. Downloads from reputable hosts like GitHub are less likely to raise suspicion than downloads from an attacker-controlled command-and-control (C&C) server. Stegmap has many features that enable it to perform file manipulation operations, download and run executables, terminate processes, and modify the Windows Registry. Attacks that lead to the deployment of Stegmap leverage Exchange Server's ProxyLogon and ProxyShell vulnerabilities to drop the China Chopper web shell, which is then used to perform credential theft and lateral movement before launching the LookBack malware. This article continues to discuss Witchetty's updated tooling involving a steganographic trick in attacks against Middle Eastern governments.

THN reports "Cyber Attacks Against Middle East Governments Hide Malware in Windows Logo"