Cybercriminals have apparently succeeded in embedding malware even into the familiar Windows logo.
Symantec’s cybersecurity researchers say they have uncovered one such campaign that uses steganography, a technique for concealing dangerous code inside seemingly innocuous image files.
Because image files carrying malicious code are notoriously difficult for antivirus software to spot, this is a common tactic.
Attacks against governments
Witchetty is a group that uses steganography and has ties to the Chinese state-sponsored actor Cicada (also known as APT10) and to the TA410 gang, which has targeted U.S. energy suppliers.
In February of 2022, the group launched a new campaign with at least two governments in the Middle East as its targets.
It has also been reported that an attack on an African stock exchange is ongoing. To lessen the likelihood of detection, Witchetty used steganography to conceal an XOR-encrypted backdoor hosted on a cloud service. The attackers gained initial access by exploiting the following Microsoft Exchange (ProxyShell) vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, and CVE-2021-27065.
Symantec explained that concealing the malicious code is what allowed the attackers to host it on a free, reputable service. The authors state, “Downloads from reputable hosts like GitHub are considerably less likely to raise red lights than downloads from an attacker-controlled command-and-control (C&C) server.”
The XOR-encrypted backdoor lets the threat actors perform a wide range of actions on the compromised endpoint, including but not limited to: modifying files and folders; starting and stopping processes; running and terminating commands; modifying the Windows Registry; downloading and installing malware; stealing documents; and turning the endpoint into a command-and-control server.
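To show what a structural check on a suspicious image looks like from the defender's side, here is an added Python example; it is not code from Symantec's report or from any of the groups named above. It parses a PNG's chunks, verifies each chunk CRC, flags any bytes appended after the IEND chunk, and tries all 256 single-byte XOR keys looking for the DOS-stub string found in Windows executables. The 1x1 PNG, the fake payload and the key 0x5A are constructed inline for the demonstration; the marker string and the single-byte-XOR assumption are choices made for this example, not details taken from the campaign.

```python
"""Structural checks for a PNG that may carry an obfuscated executable.

Added example (not Symantec's or Witchetty's code). The sample image and
payload are constructed below; the DOS-stub marker and single-byte XOR
are assumptions chosen for the demo.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# String present in the DOS stub of virtually every Windows PE file.
DOS_STUB_MARKER = b"This program cannot be run in DOS mode"


def parse_chunks(data: bytes):
    """Walk the chunk list; return ([(type, body, crc_ok)], offset just past IEND)."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = data[pos + 8 + length:pos + 12 + length]
        crc_ok = len(crc) == 4 and struct.unpack(">I", crc)[0] == (zlib.crc32(ctype + body) & 0xFFFFFFFF)
        chunks.append((ctype, body, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":      # a well-formed PNG ends here; anything after is suspect
            break
    return chunks, pos


def xor_bytes(blob: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (bytes.translate is fast and allocation-light)."""
    return blob.translate(bytes(i ^ key for i in range(256)))


def find_xor_pe_keys(blob: bytes):
    """Return the single-byte XOR keys under which the DOS-stub marker appears."""
    return [key for key in range(256) if DOS_STUB_MARKER in xor_bytes(blob, key)]


def scan_png(data: bytes) -> dict:
    """Summarise structural anomalies: chunk list, bad CRCs, trailing bytes, XOR hits."""
    chunks, end = parse_chunks(data)
    return {
        "chunks": [c[0].decode("ascii", "replace") for c in chunks],
        "bad_crc": [c[0].decode("ascii", "replace") for c in chunks if not c[2]],
        "trailing_bytes": len(data) - end,
        "xor_keys_with_pe_marker": find_xor_pe_keys(data),
    }


# ---- constructed sample data ------------------------------------------------
def make_png_1x1() -> bytes:
    """Build a minimal valid 1x1 white RGB PNG (constructed for the demo)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, colour type 2 (RGB)
    raw = b"\x00" + b"\xff\xff\xff"                       # filter byte + one white pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


FAKE_PE = b"MZ" + bytes(60) + DOS_STUB_MARKER            # constructed stand-in for a PE header
XOR_KEY = 0x5A                                           # assumed key for the demo
SAMPLE_TAMPERED = make_png_1x1() + xor_bytes(FAKE_PE, XOR_KEY)

if __name__ == "__main__":
    print("clean   :", scan_png(make_png_1x1()))
    print("tampered:", scan_png(SAMPLE_TAMPERED))
```

Run it and the tampered sample reports 100 trailing bytes and a marker hit under key 0x5A, while the clean image reports neither. The caveat is that these checks only catch payloads appended to the file or obfuscated with a trivial scheme; a payload spread across pixel data, as in true steganography, leaves the file structurally valid, so the more reliable signal is behavioural: a process that fetches an image from a public host and then decodes and executes content from it.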
When we last left Cicada in April 2022, we learned that they were using the widely-used VLC video player to spread malware and spy on government agencies and allied organisations in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.