In a recent discovery made by Symantec’s security researchers, the Witchetty group has been found to be launching a malicious campaign that hides a backdoor behind the Windows logo using steganography.
The cyber-espionage campaign, which began in February 2022, targets organisations in several Middle Eastern countries as well as an African stock exchange.
The campaign uses steganography to conceal XOR-encrypted malware inside an old bitmap image of the Windows logo.
Witchetty was first documented by ESET in April 2022 and is considered a subgroup of TA410 (aka Cicada).
The Witchetty hacker group (aka LookingFrog) has been steadily updating its toolset, using new malware to attack targets across a variety of sectors, mainly in the following regions:
- Middle East
- Africa
The group has recently added a number of new tools to its arsenal, including a backdoor Trojan called “Backdoor.Stegmap”.
According to a Symantec report, the XOR-encrypted malware is hosted on a trusted cloud service rather than on the attackers’ own C&C servers. Consequently, when the backdoor is retrieved and activated, security tools will not be able to detect it.
Security tools are less likely to flag a download from a trusted host such as GitHub than one from a C&C server, since a download from GitHub is more likely to be legitimate.
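A defender-side triage check for the technique described above, written as an added example (it is not Symantec’s or ESET’s code and does not reproduce the actual Stegmap loader). It parses a BMP header and flags two things an XOR-encrypted payload hidden in a logo bitmap tends to leave behind: bytes appended past the declared image size, and pixel data whose byte entropy is far too high for a flat-colour logo. The sample bitmaps and the SHA-256-derived “payload” are constructed here, and the entropy threshold of 6.0 bits per byte is an assumed tuning value.

```python
# Added example: triage a BMP for appended or high-entropy hidden data.
import hashlib
import math
import struct

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~0 for uniform data, approaching 8 for encrypted data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def inspect_bmp(blob: bytes, entropy_threshold: float = 6.0) -> dict:
    """Parse BITMAPFILEHEADER and report size and entropy anomalies."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    # bfSize, bfReserved1, bfReserved2, bfOffBits follow the 'BM' magic.
    file_size, _, _, pixel_offset = struct.unpack_from("<IHHI", blob, 2)
    pixels = blob[pixel_offset:file_size]
    trailing = len(blob) - file_size  # data after the declared end of image
    ent = shannon_entropy(pixels)
    return {
        "declared_size": file_size,
        "actual_size": len(blob),
        "trailing_bytes": max(trailing, 0),
        "pixel_entropy": round(ent, 2),
        "suspicious": trailing > 0 or ent > entropy_threshold,
    }

def make_bmp(pixels: bytes, width: int, height: int) -> bytes:
    """Build a minimal 24-bit BMP around the given pixel bytes (constructed sample)."""
    offset = 14 + 40  # file header + BITMAPINFOHEADER
    header = b"BM" + struct.pack("<IHHI", offset + len(pixels), 0, 0, offset)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    return header + dib + pixels

# Constructed samples. 64x64 at 24 bpp gives 192-byte rows, so no row padding.
CLEAN = make_bmp(b"\xff\x00\x00" * 64 * 64, 64, 64)        # flat blue "logo"
FAKE_PAYLOAD = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
TAMPERED = CLEAN + FAKE_PAYLOAD                            # payload appended
EMBEDDED = make_bmp(FAKE_PAYLOAD * 6, 64, 64)              # payload as pixel data

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("tampered", TAMPERED), ("embedded", EMBEDDED)):
        print(name, inspect_bmp(sample))
```

Real logos with gradients or photos will score higher than a flat fill, so the entropy threshold should be tuned against a baseline of known-good images before it is used for alerting.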
By using Microsoft Exchange ProxyShell and ProxyLogon bugs, attackers gain initial network access and then