Security researchers at Symantec have discovered a new campaign by the threat actor known as Witchetty. In this campaign, the threat actor employed several new tools, including a new backdoor dubbed “Stegmap”, which uses steganography to hide its payload within a bitmap image hosted on GitHub. Once downloaded, the payload is decrypted using an XOR key. Steganography is the practice of hiding data, here malicious code, within a benign-looking image, text, or audio file. In this case, the image file is an old Windows logo. Disguising the payload in this fashion lets the attackers host the innocuous-looking image on a free, trusted service, which gives the group a greater degree of evasion, since the download involves no communication with a suspicious command-and-control (C2) server. The Stegmap payload has numerous features, including process execution, registry key creation/deletion, directory creation/deletion, and the ability to download files from remote hosts, among other capabilities.
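As an added defender-side example (not Symantec's tooling or anything from the campaign), the following Python applies two heuristics to a bitmap of the kind described above: data appended past the declared pixel array, and near-8-bit entropy, which is what an XOR-encrypted payload looks like against a flat logo. The BMP samples are constructed inline; how Stegmap actually embeds its payload is not detailed here, so checking both the trailing region and the pixel array is an assumption.

```python
"""Heuristic checks for a BMP that may carry a hidden, encrypted payload (constructed example)."""
import math
import struct


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: encrypted/XOR-scrambled data sits near 8.0, a flat logo far lower."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_bmp(data: bytes) -> dict:
    """Parse BITMAPFILEHEADER + BITMAPINFOHEADER and compare the declared layout with the real file."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP")
    file_size, _, _, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    _hdr_size, width, height, _planes, bpp = struct.unpack_from("<IiiHH", data, 14)
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are padded to 4-byte boundaries
    expected_end = pixel_offset + row_bytes * abs(height)
    trailing = max(len(data) - expected_end, 0)        # bytes after the declared pixel array
    return {
        "declared_file_size": file_size,
        "actual_file_size": len(data),
        "trailing_bytes": trailing,
        "pixel_entropy": round(shannon_entropy(data[pixel_offset:expected_end]), 2),
        "trailing_entropy": round(shannon_entropy(data[expected_end:]), 2),
    }


def is_suspicious(report: dict, entropy_threshold: float = 7.0) -> bool:
    """Flag appended data, a header that lies about file size, or pixels that look encrypted."""
    return (report["trailing_bytes"] > 0
            or report["declared_file_size"] != report["actual_file_size"]
            or report["pixel_entropy"] > entropy_threshold)


def make_bmp(width: int, height: int, pixels: bytes) -> bytes:
    """Build a minimal 24-bit BMP around pixels (constructed test helper, no padding needed here)."""
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54) + info + pixels


# Constructed samples: a flat 4x4 logo, the same logo with an XOR-scrambled blob appended,
# and a 16x16 image whose pixel array itself is an encrypted-looking byte permutation.
CLEAN = make_bmp(4, 4, b"\x00\x78\xd4" * 16)
APPENDED = CLEAN + bytes(b ^ 0x5A for b in range(256))
IN_PIXELS = make_bmp(16, 16, bytes(range(256)) * 3)
```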
Other new tools include:
- A custom proxy utility that reverses the usual roles: the infected host acts as the server and the C2 server acts as the client
- A custom port scanner
- A custom persistence utility that adds itself to autostart in the registry as “NVIDIA display core component”
The attackers also exploited the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities. This group is thought to be a sub-group of TA410, a cyber-espionage group with links to APT10. The campaign ran from February to September 2022 and targeted two governments in the Middle East and a stock exchange in an African country.