Steganography alert: Backdoor spyware stashed in Microsoft logo

Now that's sticker shock

Internet snoops have been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East.

The Witchetty gang used steganography to stash backdoor Windows malware – dubbed Backdoor.Stegmap – in the bitmap image.

"Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files," researchers at Symantec's Threat Hunter Team wrote this week. "Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service."


Looks harmless, although sysadmins may disagree ... The pic used for the payload. Source: Symantec

From what we can tell, Witchetty first compromises a network, getting into one or more systems, then downloads this image from, say, a repository on GitHub, unpacks the spyware within it, and runs it.

Hiding the payload in this way, and placing the file somewhere innocuous online, is a big advantage in evading security software, as "downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server," the team said.

Thus, fetching this pic after gaining initial access is less likely to set off internal alarms.

In April analysts at European cybersecurity shop ESET documented Witchetty – which they called LookingFrog at the time – as one of three subgroups within TA410, an espionage group with loose ties to the APT10 (aka Cicada) gang known for targeting enterprises in the US utility sector and diplomatic organizations in the Middle East and Africa.

APT10, also known as Red Apollo and Stone Panda, earlier this year ran a campaign against financial services firms in Taiwan. LookingFrog, FlowingFrog, and JollyFrog are the three subgroups of TA410, with LookingFrog focusing its efforts on the Middle East and a small part of Africa, according to ESET.

The use of Stegmap is part of a larger update of Witchetty's toolset, the Symantec researchers wrote. The group has been known to use a first-stage backdoor known as X4 and a second-stage payload called LookBack, which ESET said targets governments, diplomatic missions, charities, and industrial and manufacturing organizations.

Malware upgrades make for a more canny foe

Witchetty continues to use LookBack, but has added Stegmap and other malware to its arsenal. To bring Stegmap into a network, a DLL loader is run that downloads the bitmap file of the Windows logo from a GitHub repository. The payload is hiding in the bitmap file and is decrypted with an XOR operation and key.
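The mechanism just described, a bitmap carrying an XOR-encoded payload, lends itself to a simple defender-side triage check. The script below is an added example, not Symantec's or Witchetty's code: it parses the BMP header, isolates any bytes trailing the declared image, measures their entropy, and brute-forces a single-byte XOR key that would expose a DOS/PE header. It assumes the payload was appended after the pixel data and keyed with a single byte, neither of which the report states; the sample bitmap and the header skeleton it hides are constructed inline.

```python
import math
import struct
from typing import Optional

# Added example; assumes an appended, single-byte-XOR payload (not stated by the report).

def bmp_trailing_data(data: bytes) -> bytes:
    """Bytes past the end of the image the BMP header declares."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", data, 2)[0]
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    # Take the larger bound so a header that understates the size is tolerated.
    return data[max(declared_size, pixel_offset):]

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: encrypted or compressed data sits close to 8.0."""
    if not buf:
        return 0.0
    counts = [buf.count(bytes([v])) for v in range(256)]
    return -sum(c / len(buf) * math.log2(c / len(buf)) for c in counts if c)

def find_xor_pe(buf: bytes) -> Optional[int]:
    """Brute-force a single-byte XOR key that exposes an MZ/PE header pair."""
    for key in range(256):
        head = bytes(b ^ key for b in buf[:0x40])
        if len(head) < 0x40 or head[:2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", head, 0x3C)[0]
        sig = bytes(b ^ key for b in buf[e_lfanew:e_lfanew + 4])
        if sig == b"PE\0\0":
            return key
    return None

def fake_pe() -> bytes:
    """Constructed DOS/PE header skeleton for the demo; not an executable."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)      # e_lfanew points at "PE\0\0"
    return bytes(stub) + b"PE\0\0" + b"\x00" * 20

def make_sample_bmp(extra: bytes = b"", key: int = 0) -> bytes:
    """Constructed 1x1 24-bit BMP, optionally with an XOR-encoded tail."""
    pixels = b"\x00\x00\xff\x00"                  # one pixel plus row padding
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
    hdr = struct.pack("<2sIHHI", b"BM", 14 + 40 + 4, 0, 0, 54)
    return hdr + dib + pixels + bytes(b ^ key for b in extra)
```

On a real sample the XOR pass is the decisive signal; trailing bytes alone also occur in benign files with appended metadata.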

The payload opens a backdoor to the outside world and can execute a range of commands issued to it by its masters, from copying, moving, or deleting files to removing a directory, starting a new process, or killing an existing one, and creating or deleting a Windows registry key.

The Symantec researchers wrote that Witchetty launched an espionage campaign against two Middle Eastern governments and a stock exchange in Africa using Stegmap. Initial access into a target's network was gained by exploiting the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange and installing malicious scripts on public-facing web servers. From that point, the attackers were able to steal login credentials from users, move laterally through the corporate network, and install Stegmap and other software nasties on computers.

Witchetty also makes use of Mimikatz, a port scanner, and other tools. This includes one that adds itself to autostart in the registry, being listed as "Nvidia display core component," to ensure the malicious code is run again on a reboot.

"Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest," the researchers wrote.

"Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations." ®
