Even the Windows logo isn’t safe from malware


It looks like even the iconic Windows logo isn’t safe from malware anymore, as cybercriminals have managed to hide malicious code inside it.

Symantec cybersecurity experts claim to have spotted a campaign that uses steganography, a technique for hiding malicious code inside otherwise harmless images.

This is usually done to evade antivirus software, since such products rarely flag image files as malicious.

Going after governments

In this particular case, the group behind the steganography attacks is Witchetty, a well-known threat actor believed to be closely linked to the Chinese state-sponsored actor Cicada (AKA APT10), and also considered part of the TA410 organization that has targeted U.S. energy suppliers in the past.

The group began its latest campaign in February 2022, targeting at least two governments in the Middle East.

In addition, an attack on a stock exchange in Africa appears to still be active. Witchetty used steganography to hide an XOR-encoded backdoor, which was hosted on a cloud service, minimizing the chance of detection.

To drop web shells on vulnerable endpoints, the attackers exploited the known Microsoft Exchange ProxyShell initial-access vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, and CVE-2021-27065.

“Disguising the payload in this way allowed the attackers to host it on a free, trusted service,” Symantec said. “Downloads from trusted hosts like GitHub cause far fewer red flags than downloads from an attacker-controlled command-and-control (C&C) server.”
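The point Symantec makes is that a trusted host does not make a file trustworthy. As an added illustration (this is not code from the article or from Symantec, and the page does not say how the payload was embedded in the image), the following Python check implements the simplest defensive heuristic for images fetched from a trusted service: it parses the container only far enough to find where the format says the image ends, then reports how many bytes follow that point and how random they look. The sample PNG and the appended blob are constructed inline, and the thresholds in `is_suspicious` are assumptions to be tuned locally. True pixel-level steganography would not be caught by this check; it only catches the appended-payload case, which is why the entropy score is reported alongside the byte count rather than used alone.

```python
import math
import struct
import zlib
from typing import Optional

# Added example: a generic "is there anything after the image?" heuristic.
# It is NOT the technique attributed to Witchetty; the article does not
# describe how the payload was embedded. It flags the simplest case only:
# bytes appended after the point where the container says the file ends.


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-valued data, up to 8.0.
    XOR-encoded or compressed blobs usually score close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def declared_end(data: bytes) -> Optional[int]:
    """Offset at which the container format says the image ends,
    or None if the format is unrecognised or structurally broken."""
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        # PNG is a chunk list: length(4) type(4) payload crc(4); stop after IEND.
        off = 8
        while off + 8 <= len(data):
            length = struct.unpack(">I", data[off:off + 4])[0]
            ctype = data[off + 4:off + 8]
            off += 12 + length
            if ctype == b"IEND":
                return off
        return None
    if data.startswith(b"BM") and len(data) >= 6:
        # BMP header stores the total file size (little-endian) at offset 2.
        return struct.unpack("<I", data[2:6])[0]
    if data.startswith(b"\xff\xd8"):
        # JPEG ends with the EOI marker FF D9; first occurrence is enough here.
        idx = data.find(b"\xff\xd9", 2)
        return idx + 2 if idx != -1 else None
    return None


def inspect_image(data: bytes) -> dict:
    """Report bytes trailing the declared end of the image and their entropy."""
    end = declared_end(data)
    if end is None:
        return {"format_ok": False, "trailing_bytes": 0, "trailing_entropy": 0.0}
    trailing = data[end:]
    return {
        "format_ok": True,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
    }


def is_suspicious(report: dict, min_bytes: int = 64, min_entropy: float = 6.0) -> bool:
    """Thresholds are assumptions; tune them against your own image corpus."""
    if not report["format_ok"]:
        return True
    return report["trailing_bytes"] >= min_bytes and report["trailing_entropy"] >= min_entropy


def _png_chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


# Constructed 1x1 RGB PNG (valid chunks and CRCs), not a real logo file.
CLEAN_PNG = (
    b"\x89PNG\r\n\x1a\n"
    + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + _png_chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    + _png_chunk(b"IEND", b"")
)

# Constructed stand-in for an appended blob: a deterministic byte permutation
# repeated twice, so it is high-entropy but contains nothing executable.
APPENDED_BLOB = bytes((i * 97 + 13) % 256 for i in range(512))
SUSPICIOUS_PNG = CLEAN_PNG + APPENDED_BLOB

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_PNG), ("appended", SUSPICIOUS_PNG)):
        report = inspect_image(blob)
        print(name, report, "suspicious" if is_suspicious(report) else "ok")
```

Run on a directory of downloaded images, a report with a few hundred trailing bytes at 7+ bits of entropy is worth a second look; a few low-entropy trailing bytes are usually padding or metadata from a careless encoder.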

The XOR-encoded backdoor allows threat actors to do a number of things, including tampering with files and folders, running and terminating processes, modifying the Windows registry, downloading additional malware, stealing documents and turning the compromised endpoint into a C2 server.

The last time we heard from Cicada was in April 2022, when researchers reported that the group had abused the popular VLC media player to spread malware and spy on government agencies and adjacent organizations in the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy.

Via: BleepingComputer