Internet snoops have been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East.
The Witchetty gang used steganography to stash backdoor Windows malware – dubbed Backdoor.Stegmap – in the bitmap image.
“Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files,” researchers at Symantec’s Threat Hunter Team wrote this week. “Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”
Looks harmless, although sysadmins may disagree … The pic used for the payload. Source: Symantec
From what we can tell, Witchetty first compromises a network, getting into one or more systems, then downloads this image from, say, a repository on GitHub, unpacks the spyware within it, and runs it.
Hiding the payload in this way, and placing the file somewhere innocuous online, is a big advantage in evading security software, as “downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server,” the team said.
Thus, fetching this pic after gaining initial access is less likely to set off internal alarms.
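To make the technique concrete, the following is an added Python example; it is not code from the article or from Symantec, and it is not Witchetty's actual encoding scheme, which the article does not detail. It builds a constructed 24-bit BMP in memory, hides a payload in the least-significant bit of each pixel byte behind a hypothetical 4-byte length prefix, extracts it again, and shows two cheap checks a defender can run on a downloaded image: the fraction of set LSBs in the pixel area (compared against a known-clean copy) and whether the file carries bytes beyond the size its own header declares.

```python
import struct


def make_bmp(width, height, pixel_fill=(0x20, 0x40, 0x60)):
    """Build a minimal uncompressed 24-bit BMP (constructed sample carrier)."""
    row_bytes = (width * 3 + 3) & ~3          # BMP rows are padded to 4-byte boundaries
    pixel_size = row_bytes * height
    header_size = 14 + 40                      # BITMAPFILEHEADER + BITMAPINFOHEADER
    bmp = bytearray(b"BM")
    bmp += struct.pack("<IHHI", header_size + pixel_size, 0, 0, header_size)
    bmp += struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       pixel_size, 2835, 2835, 0, 0)
    row = bytes(pixel_fill) * width + b"\x00" * (row_bytes - width * 3)
    bmp += row * height
    return bytes(bmp)


def _pixel_offset(bmp):
    """Offset of the pixel array, read from the file header (bfOffBits)."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    return struct.unpack_from("<I", bmp, 10)[0]


def embed(bmp, payload):
    """Hide payload in the LSB of each pixel byte, prefixed with a 4-byte length.

    The length prefix is an assumption of this example, not a documented format.
    """
    data = struct.pack("<I", len(payload)) + payload
    bits = [(b >> (7 - i)) & 1 for b in data for i in range(8)]
    start = _pixel_offset(bmp)
    if len(bits) > len(bmp) - start:
        raise ValueError("payload too large for carrier")
    out = bytearray(bmp)
    for i, bit in enumerate(bits):
        out[start + i] = (out[start + i] & 0xFE) | bit   # overwrite only the LSB
    return bytes(out)


def extract(bmp):
    """Recover a payload written by embed(); returns b'' for an unmodified carrier."""
    start = _pixel_offset(bmp)
    capacity_bits = len(bmp) - start

    def read_bytes(count, bit_offset):
        out = bytearray()
        for b in range(count):
            v = 0
            for i in range(8):
                v = (v << 1) | (bmp[start + bit_offset + b * 8 + i] & 1)
            out.append(v)
        return bytes(out)

    if capacity_bits < 32:
        raise ValueError("carrier too small to hold a length prefix")
    length = struct.unpack("<I", read_bytes(4, 0))[0]
    if 32 + length * 8 > capacity_bits:
        raise ValueError("length prefix exceeds carrier; no valid payload")
    return read_bytes(length, 32)


def lsb_ones_fraction(bmp):
    """Fraction of pixel bytes whose LSB is set; compare against a known-clean copy."""
    start = _pixel_offset(bmp)
    pixels = bmp[start:]
    return sum(b & 1 for b in pixels) / len(pixels)


def trailing_bytes(bmp):
    """Bytes present after the size the BMP header declares (crude appended-payload check)."""
    declared = struct.unpack_from("<I", bmp, 2)[0]
    return max(0, len(bmp) - declared)


if __name__ == "__main__":
    carrier = make_bmp(8, 4)
    stego = embed(carrier, b"hello")
    print("recovered:", extract(stego))
    print("clean LSB fraction:", lsb_ones_fraction(carrier))
    print("stego LSB fraction:", round(lsb_ones_fraction(stego), 3))
    print("trailing bytes:", trailing_bytes(stego))
```

The LSB fraction only means something relative to a baseline: a flat synthetic image has all-zero LSBs, but a real photograph already has near-random ones, which is exactly why an attacker picks a busy picture and why a trusted host like GitHub plus an innocuous-looking file is hard to flag on content alone. The stronger signal is behavioural: an already-compromised host fetching an image and then spawning a new process is worth alerting on regardless of where the image came from.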
In April analysts at European cybersecurity shop ESET documented Witchetty – which they called LookingFrog at the time – as one of three subgroups within TA410, an espionage group with loose ties to the APT10 (aka Cicada) gang known for targeting enterprises in the US utility sector and diplomatic