Security researchers at Symantec have discovered a new campaign by the threat actor known as Witchetty. In this campaign, the threat actor employed several new tools, including a new backdoor dubbed “Stegmap”, which leverages steganography to hide its payload within a bitmap image hosted on GitHub. Once downloaded, the payload is decrypted using an XOR key. Steganography is the practice of hiding data, in this case malicious code, within a benign-looking image, text, or audio file. Here the image file is an old Windows logo. Disguising the payload in this fashion allows the attackers to host the innocuous-looking image on a free, trusted service, which gives the group a greater level of evasion, since the infected host never needs to communicate with a suspicious command-and-control server. The Stegmap payload has numerous features, such as process execution, registry key creation/deletion, directory creation/deletion, and the ability to download files from remote hosts, among other capabilities.
Other new tools include:
- A custom proxy utility that allows the infected host to act as the server and the C2 server to act as the client instead of the other way around
- A custom port scanner
- A custom persistence utility that adds itself to autostart in the registry as “NVIDIA display core component”
The attackers also exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities. This group is thought to be a sub-group of TA410, a cyber-espionage group with links to APT10. This campaign lasted between February and September 2022 and targeted two governments in the Middle East and a stock exchange in an African country.
The tools seen by this group demonstrate the countless techniques that threat actors will employ to evade detection. Steganography is rarely observed in the wild, yet it is an effective technique for hiding malicious payloads inside innocuous-looking files; its rarity in reporting may simply reflect how often it goes undetected. While it may be somewhat difficult, or almost impossible, to detect the file itself with signature-based detection, it is still possible to catch with heuristic-based detection. For example, one possible mitigation is to detect an image file spawning another process. However, the struggle to detect files such as these indicates the need for detection coverage across the entire attack chain, rather than malware-specific detections alone.