A threat group tracked as Witchetty (also known as LookingFrog), believed to be a subgroup of the TA410 espionage operation, which in turn has links to the China-aligned Cicada group (APT10, also tracked as menuPass, Stone Panda, Potassium and Red Apollo), is suspected of attacking two Middle Eastern governments and the stock exchange of an African country using a technique that is well known but rarely seen in the wild: steganography.
Steganography is the practice of hiding data inside an innocuous carrier, typically an image, audio or video file, so that the carrier still looks and behaves normally. Here the group uses a backdoor that Symantec calls Stegmap: a loader fetches a bitmap of an old Windows logo from a public GitHub repository, pulls the XOR-encrypted backdoor out of the image data, decrypts it and runs it on the victim's machine, from where the attackers can execute commands and steal data. According to the researchers, this addition marks a real evolution of the group's toolset.
Witchetty Attacks Government Agencies Using Windows Logo
According to BleepingComputer, Witchetty has used this technique since February of this year, mainly against governments and other political organisations. Its intrusion toolset keeps evolving, and in the image-based campaign initial access was reportedly gained by exploiting the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange servers to drop web shells. The attackers then install a loader DLL which downloads the innocuous-looking image, the old Windows logo, from GitHub. Hosting the payload on a trusted site makes the download far less likely to raise an alarm than a connection to an attacker-controlled command-and-control server, and the image itself passes cursory inspection. The backdoor hidden in the logo is XOR-decrypted, loaded and executed, giving the attackers near-complete control of the targeted computer: file and directory manipulation, process control, registry access and theft of local files.
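To make the mechanism concrete, here is an added demonstration (it is not Symantec's, BleepingComputer's or the attackers' code, and the real loader's format and key are not public): a small Python script that hides a repeating-key XOR-encrypted blob in the least-significant bits of a 24-bit BMP, extracts and decrypts it again the way a loader would, and runs two cheap defender-side checks on the file. The cover image, the XOR key and the "payload" string are constructed sample values.

```python
"""Hide an XOR-encrypted blob in a BMP's LSB plane, recover it, and run two
defender-side checks. Added demonstration, not code from the campaign."""
import struct

BMP_HEADER_SIZE = 54                  # 14-byte file header + 40-byte BITMAPINFOHEADER
XOR_KEY = b"\x5a\xa5"                 # constructed short key; the real key is not public
PAYLOAD = b"stand-in payload"         # constructed; stands in for the backdoor bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_bmp(width: int, height: int, colour: bytes = b"\x00\x78\xd7") -> bytes:
    """Build a flat-colour 24-bit BMP (BGR, rows padded to 4 bytes) as a cover."""
    row = colour * width
    row += b"\x00" * ((4 - len(row) % 4) % 4)
    pixels = row * height
    file_size = BMP_HEADER_SIZE + len(pixels)
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, BMP_HEADER_SIZE)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels


def embed(bmp: bytes, blob: bytes) -> bytes:
    """Write a 4-byte LE length then the blob, one bit per pixel byte (LSB)."""
    offset = struct.unpack_from("<I", bmp, 10)[0]   # start of the pixel array
    body = bytearray(bmp[offset:])
    data = struct.pack("<I", len(blob)) + blob
    if len(data) * 8 > len(body):
        raise ValueError("cover image too small for payload")
    for i, byte in enumerate(data):
        for bit in range(8):                        # MSB first
            pos = i * 8 + bit
            body[pos] = (body[pos] & 0xFE) | ((byte >> (7 - bit)) & 1)
    return bmp[:offset] + bytes(body)


def extract(bmp: bytes) -> bytes:
    """Loader side: read the LSB plane, honour the length prefix, return the blob."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    body = bmp[offset:]

    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            val = 0
            for bit in range(8):
                val = (val << 1) | (body[start_bit + i * 8 + bit] & 1)
            out.append(val)
        return bytes(out)

    length = struct.unpack("<I", read_bytes(0, 4))[0]
    return read_bytes(32, length)


def hide_payload(width: int = 64, height: int = 64) -> bytes:
    """Attacker side: encrypt the payload and stash it in a fresh cover image."""
    return embed(make_bmp(width, height), xor_bytes(PAYLOAD, XOR_KEY))


def recover_payload(bmp: bytes) -> bytes:
    """Loader side: pull the blob out of the image and decrypt it."""
    return xor_bytes(extract(bmp), XOR_KEY)


def trailing_bytes(bmp: bytes) -> int:
    """Defender check 1: bytes appended past the size the BMP header declares
    (catches the cruder 'payload glued to the end of the image' trick)."""
    declared = struct.unpack_from("<I", bmp, 2)[0]
    return len(bmp) - declared


def lsb_ones_ratio(bmp: bytes, nbytes: int = 256) -> float:
    """Defender check 2 (heuristic): share of set bits in the LSB plane of the
    first nbytes pixel bytes. Encrypted data pushes this toward 0.5, whereas a
    flat or smoothly shaded region has a fixed, periodic pattern."""
    offset = struct.unpack_from("<I", bmp, 10)[0]
    sample = bmp[offset:offset + nbytes]
    return sum(b & 1 for b in sample) / len(sample)


if __name__ == "__main__":
    img = hide_payload()
    print("round trip ok:", recover_payload(img) == PAYLOAD)
    print("trailing bytes:", trailing_bytes(img))
    print("LSB ones ratio, cover vs stego:",
          lsb_ones_ratio(make_bmp(64, 64), 160), lsb_ones_ratio(img, 160))
```

The trailing-bytes check is exact but only catches appended data; the LSB ratio is a heuristic that works on the flat sample cover and on large uniform regions, but a photographic image already has a noisy LSB plane, so in practice the more reliable signal is behavioural: a DLL that fetches an image from a code-hosting site and then starts executing code it did not load from disk.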
Note that Witchetty's parent operation is no stranger to abusing multimedia software to steal information: Cicada, to which it is linked, was blamed earlier this year for attacks that used a legitimate copy of VLC, the popular free media player, to side-load a custom loader. That campaign had an even wider reach, with victims recorded in at least eight countries, mostly companies, governments and associations; individuals are of little interest to a group widely believed to operate on behalf of the Chinese state.
Source: Symantec