A group of hackers has been found using an old Windows logo to help distribute malware to government targets.
As The Register reports, the Witchetty espionage group (also known as LookingFrog) uses a range of tools to target governments, diplomatic missions, charities, and industrial/manufacturing organizations. Recently, Symantec’s Threat Hunter Team discovered the group had started employing a new and “rarely seen” steganography technique, which hides malicious code within an image.
The image used by Witchetty is a bitmap of an old Windows logo, and the malicious code it carries is a backdoor Trojan (Backdoor.Stegmap) capable of executing a range of system commands. By disguising the malicious payload as an image, it’s possible to hide it in plain sight on a free and trusted service while avoiding detection as a security threat. In this case, Witchetty hosted the bitmap on GitHub.
The image is apparently downloaded from GitHub after a target has been compromised. Once stored within the network being attacked, the payload can be unpacked (“decrypted with an XOR key”) and used for further system infiltration. A successful attack allows Witchetty to “install web shells on public-facing servers.” After that, they can steal credentials and begin to install other pieces of malware inside an organization’s network.
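The technique described above leaves a structural trace a defender can check for: a bitmap whose file is longer than its headers say it should be. The following script is an added example, not code from the article, from Symantec, or from the Witchetty toolset. It builds two constructed 2x2 bitmaps (one clean, one with a fake XOR-encoded "MZ" header appended as a stand-in for a hidden payload), parses the BMP headers to find bytes beyond the declared pixel array, and tries the one single-byte XOR key that would turn the trailing bytes into a PE header. The key 0x5A and the placeholder payload are constructed for the example; nothing here is derived from the real sample.

```python
import struct

# Header layouts from the BMP file format specification.
BMP_FILE_HEADER = "<IHHI"         # bfSize, bfReserved1, bfReserved2, bfOffBits (after the 2-byte "BM" magic)
BMP_INFO_HEADER = "<IiiHHIIiiII"  # 40-byte BITMAPINFOHEADER


def _row_bytes(width, bpp):
    # BMP pixel rows are padded to a 4-byte boundary.
    return ((width * bpp + 31) // 32) * 4


def build_bmp(width, height, trailer=b""):
    """Build a minimal uncompressed 24-bit all-black BMP (constructed test data),
    optionally followed by `trailer` bytes that an image viewer silently ignores."""
    pixel_bytes = _row_bytes(width, 24) * height
    off_bits = 14 + 40
    file_hdr = b"BM" + struct.pack(BMP_FILE_HEADER, off_bits + pixel_bytes, 0, 0, off_bits)
    info_hdr = struct.pack(BMP_INFO_HEADER, 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(pixel_bytes) + trailer


def analyze_bmp(data):
    """Parse the BMP headers and report any bytes beyond the declared pixel array."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    bf_size, _, _, off_bits = struct.unpack_from(BMP_FILE_HEADER, data, 2)
    _, width, height, _, bpp, compression, _ = struct.unpack_from("<IiiHHII", data, 14)
    if compression != 0:
        raise ValueError("compressed BMPs are out of scope for this size check")
    pixel_end = off_bits + _row_bytes(width, bpp) * abs(height)
    trailing = data[pixel_end:]
    return {
        "declared_size": bf_size,
        "actual_size": len(data),
        "size_mismatch": bf_size != len(data),
        "trailing_bytes": len(trailing),
        "trailing": trailing,
    }


def single_byte_xor_key_for(blob, magic=b"MZ"):
    """Triage helper: if one single-byte XOR key makes `blob` start with `magic`
    (default: the DOS/PE "MZ" signature), return that key, else None."""
    if len(blob) < len(magic):
        return None
    key = blob[0] ^ magic[0]          # the only key that can yield magic[0]
    if bytes(b ^ key for b in blob[:len(magic)]) == magic:
        return key
    return None


def triage(data):
    """Return (verdict, trailing_byte_count, xor_key_or_None) for one BMP."""
    report = analyze_bmp(data)
    if report["trailing_bytes"] == 0 and not report["size_mismatch"]:
        return ("clean", 0, None)
    key = single_byte_xor_key_for(report["trailing"])
    verdict = "xor-encoded PE appended" if key is not None else "unexplained trailing data"
    return (verdict, report["trailing_bytes"], key)


# Constructed stand-in for a hidden payload: a fake "MZ" header plus filler,
# XOR-encoded with the constructed key 0x5A. Not a real executable.
SAMPLE_KEY = 0x5A
FAKE_PAYLOAD = b"MZ" + b"\x90\x00" + b"placeholder-payload-bytes"
ENCODED_TRAILER = bytes(b ^ SAMPLE_KEY for b in FAKE_PAYLOAD)

CLEAN_BMP = build_bmp(2, 2)
SUSPECT_BMP = build_bmp(2, 2, ENCODED_TRAILER)

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("suspect", SUSPECT_BMP)):
        print(name, triage(blob))
```

The size check is the cheap, high-signal part: a well-formed bitmap should end exactly where its headers say the pixel data ends, so anything past that point in an image fetched from a code-hosting service deserves a look. The XOR step is only a triage heuristic for the single-byte case; it does not replace running the trailing bytes through a proper unpacker or sandbox.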
Symantec says Witchetty’s latest toolset, including this steganography technique, has already been used against two government agencies in the Middle East and a stock exchange in Africa. Symantec views the group as a capable threat actor that has “demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest.”