Hack Group Witchetty Hides Malware in the Windows Logo


Symantec researchers have discovered a malicious campaign by the Witchetty hacking group that uses steganography to hide malware inside an image of the Windows logo.


The experts note that Witchetty is believed to be linked to the Chinese group APT10 (aka Cicada). One of the group's latest cyber-espionage campaigns began in February 2022 and targets governments in the Middle East as well as a stock exchange in Africa. The campaign is still ongoing.

The researchers noticed that this time the hackers have expanded their toolkit and started using steganography in their attacks: an XOR-encrypted backdoor is hidden inside an old bitmap image of the Windows logo.

Image in which the hackers hid the malware

Thanks to this disguise, the file containing the backdoor can be hosted on a free, trusted cloud service rather than on the group's command-and-control (C&C) server, since security solutions do not flag the payload hidden inside the image.

“Downloads from trusted hosts such as GitHub are much less likely to cause alarms than downloads from a C&C server controlled by an attacker,” the experts say.
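To make the technique concrete, here is an added, self-contained Python example that is not code from Symantec's write-up or from the Witchetty toolkit. The page only says the backdoor was XOR-encrypted and hidden in a Windows-logo bitmap, so the embedding method (one payload bit per pixel byte, in the least significant bit), the fake payload, the XOR key and the flat four-colour "logo" are all assumptions made for illustration. The block builds the cover image, hides and recovers the XOR-encrypted blob, and then runs the two cheap checks a defender can apply to a suspicious image: bytes trailing the size declared in the BMP header (catches payloads simply appended to a picture) and a share of set LSBs in flat artwork (catches LSB embedding, which the size check cannot see).

```python
import struct

# Constructed sample data, not from the real campaign: a harmless fake payload and an 8-byte XOR key.
FAKE_PAYLOAD = b"MZ\x90\x00CONSTRUCTED FAKE BACKDOOR BLOB - NOT REAL MALWARE"
XOR_KEY = bytes.fromhex("a55aa55a3cc33cc3")


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_flat_bmp(width: int = 64, height: int = 64) -> bytes:
    """Build a 24-bpp BMP made of four flat colour blocks (a stand-in for a logo).
    Every channel value is even, so the clean image's LSB plane is entirely zero."""
    row_size = (width * 3 + 3) & ~3  # BMP rows are padded to a multiple of 4 bytes
    colours = [(0x00, 0x78, 0xF4), (0x00, 0xBA, 0x7E), (0xF0, 0xB8, 0x00), (0x28, 0x28, 0xF2)]
    rows = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            b, g, r = colours[2 * (y * 2 // height) + (x * 2 // width)]
            row += bytes((b, g, r))
        row += b"\x00" * (row_size - len(row))
        rows += row
    offset = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(rows), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(rows), 2835, 2835, 0, 0)
    return file_header + info_header + bytes(rows)


def pixel_offset(bmp: bytes) -> int:
    """Offset of the pixel array, read from the file header."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", bmp, 10)[0]


def embed_lsb(bmp: bytes, payload: bytes, key: bytes) -> bytes:
    """Hide [4-byte length][xor(payload)] one bit per pixel byte, MSB of each byte first."""
    offset = pixel_offset(bmp)
    pixels = bytearray(bmp[offset:])
    blob = struct.pack("<I", len(payload)) + xor_crypt(payload, key)
    if len(blob) * 8 > len(pixels):
        raise ValueError("cover image too small for payload")
    for i in range(len(blob) * 8):
        bit = (blob[i >> 3] >> (7 - (i & 7))) & 1
        pixels[i] = (pixels[i] & 0xFE) | bit
    return bmp[:offset] + bytes(pixels)


def extract_lsb(bmp: bytes, key: bytes) -> bytes:
    """Recover and decrypt a payload hidden by embed_lsb (what the loader would do on the victim)."""
    offset = pixel_offset(bmp)
    pixels = bmp[offset:]

    def read(start_bit: int, n: int) -> bytes:
        out = bytearray()
        for i in range(n):
            v = 0
            for j in range(8):
                v = (v << 1) | (pixels[start_bit + i * 8 + j] & 1)
            out.append(v)
        return bytes(out)

    length = struct.unpack("<I", read(0, 4))[0]
    return xor_crypt(read(32, length), key)


def trailing_bytes(bmp: bytes) -> int:
    """Bytes beyond the size declared in the header: the cheapest check, catching appended payloads."""
    declared = struct.unpack_from("<I", bmp, 2)[0]
    return len(bmp) - declared


def lsb_ones_ratio(bmp: bytes, sample: int = 256) -> float:
    """Share of set LSBs in the first `sample` pixel bytes. Flat artwork such as a logo has a
    highly regular LSB plane; a ratio near 0.5 points to random-looking data embedded there."""
    offset = pixel_offset(bmp)
    pixels = bmp[offset:offset + sample]
    return sum(b & 1 for b in pixels) / len(pixels)


if __name__ == "__main__":
    clean = build_flat_bmp()
    stego = embed_lsb(clean, FAKE_PAYLOAD, XOR_KEY)
    print("recovered:", extract_lsb(stego, XOR_KEY))
    print("trailing bytes clean/stego:", trailing_bytes(clean), trailing_bytes(stego))
    print("LSB ones ratio clean/stego: %.2f / %.2f" % (lsb_ones_ratio(clean), lsb_ones_ratio(stego)))
```

Note that the LSB image is byte-for-byte the same size as the clean one and passes the trailing-bytes check, which is why a size comparison alone is not enough; the LSB-plane statistic only works well on flat, low-entropy artwork like a logo, and would be noisy on a photograph.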

Witchetty attacks begin with the attackers gaining access to the victim's network by exploiting the ProxyShell (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange, which are used to plant web shells on vulnerable servers.

The attackers then download the image file and extract the backdoor hidden in it, which allows them to:

  1. perform actions on files and directories;
  2. start, enumerate or kill processes;
  3. modify the Windows registry;
  4. download additional payloads;
  5. steal files.

Witchetty also uses a custom proxy utility that makes the infected computer act “as a server and connects to the C&C server acting as a client, and not vice versa.”

Other tools in the group's arsenal include a custom port scanner and a custom persistence utility that adds itself to the registry disguised as an NVIDIA display core component.

By Vladimir Krasnogolovy
