The threat hunter team at Broadcom’s Symantec has issued an advisory, revealing that a Chinese cyberespionage group, also known as Witchetty and LookingFrog, is targeting entities in Africa and the Middle East using an updated toolset.
The group was first discovered in April 2022 by ESET. Its activities are characterized by using a first-stage backdoor (X4) and a second-stage payload (LookBack).
Advisory Reveals Attack Tactics of Witchetty
According to Symantec’s report, Witchetty is associated with the Chinese APT group Cicada (also known as Stone Panda and APT10), and a connection to TA410 has also been reported. TA410 was previously linked to targeted attacks against US energy firms.
The group is continuously evolving its toolset. It currently hides a backdoor (Backdoor.Stegmap) inside a bitmap of the Microsoft Windows logo using steganography, and it is targeting governments in the Middle East.
Hiding malware inside an image is not a new technique, but it remains a rare one. The backdoor can create and remove directories, copy, move and delete files, launch, enumerate and terminate processes, download and run executables, and steal documents. It can also create, read, and delete registry keys.
Earlier this year, Cicada was targeting Japanese entities, but now it seems to have expanded its target list to diverse regions, including North America, Asia, and Europe.
The infection chain uses a DLL loader that fetches a bitmap file, an old Microsoft Windows logo with the backdoor hidden inside, from a GitHub repository. Hiding the payload in an innocuous image lets the attackers host it on a trusted, free service such as GitHub: the download is a plain image fetched from a legitimate domain, so it is far less likely to be blocked or to raise suspicion than a download from attacker-controlled infrastructure.
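The following is an added example, not code from Symantec's report or from the Witchetty toolset, that shows the general technique in working form: a payload is XOR-obfuscated and written into the least-significant bits of a 24-bit BMP, a loader-style routine recovers it, and a triage function applies two cheap checks a defender can run on an image fetched from an untrusted host. The carrier image, the payload bytes and the XOR key are all constructed for the example; the real Stegmap file layout is not documented on this page and is not what the code implements.

```python
"""
Illustrative LSB steganography in a 24-bit BMP, plus two triage checks.
Constructed example: this is NOT the Stegmap format, only the general technique.
"""
import struct

BMP_HEADER_LEN = 54                                   # BITMAPFILEHEADER (14) + BITMAPINFOHEADER (40)
SAMPLE_PAYLOAD = b"constructed stage-2 blob: not real malware"   # stands in for the backdoor DLL
SAMPLE_KEY = b"\x5a\xa5\x3c"                          # assumed XOR key; a real loader ships its own


def build_bmp(width=64, height=32, fill=(0xC0, 0xC0, 0xC0)):
    """Build a minimal flat-colour 24-bit BMP in memory (constructed carrier, not a real logo)."""
    row_bytes = (width * 3 + 3) & ~3                  # BMP rows are padded to 4-byte boundaries
    pixel_bytes = row_bytes * height
    file_hdr = b"BM" + struct.pack("<IHHI", BMP_HEADER_LEN + pixel_bytes, 0, 0, BMP_HEADER_LEN)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_bytes, 2835, 2835, 0, 0)
    row = bytes(fill) * width + b"\x00" * (row_bytes - width * 3)
    return file_hdr + info_hdr + row * height


def xor(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def embed(carrier, payload, key):
    """Hide a length-prefixed, XOR-obfuscated payload in the LSB of each pixel byte."""
    blob = struct.pack("<I", len(payload)) + xor(payload, key)
    pix_off = struct.unpack_from("<I", carrier, 10)[0]    # bfOffBits: where pixel data starts
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    if len(bits) > len(carrier) - pix_off:
        raise ValueError("payload too large for carrier")
    out = bytearray(carrier)
    for i, bit in enumerate(bits):
        out[pix_off + i] = (out[pix_off + i] & 0xFE) | bit
    return bytes(out)


def _read_lsb_bytes(data, start, count):
    """Reassemble `count` bytes from the LSBs of consecutive pixel bytes starting at `start`."""
    out = bytearray()
    for n in range(count):
        v = 0
        for b in range(8):
            v = (v << 1) | (data[start + n * 8 + b] & 1)
        out.append(v)
    return bytes(out)


def extract(stego, key):
    """What a loader does: read the LSB stream, recover the length, de-XOR the payload."""
    pix_off = struct.unpack_from("<I", stego, 10)[0]
    length = struct.unpack("<I", _read_lsb_bytes(stego, pix_off, 4))[0]
    return xor(_read_lsb_bytes(stego, pix_off + 32, length), key)


def bmp_anomalies(data, min_flip=32):
    """Cheap triage checks for a bitmap fetched from an untrusted host. Returns a list of findings."""
    findings = []
    if len(data) < BMP_HEADER_LEN or data[:2] != b"BM":
        return ["not a BMP"]
    declared = struct.unpack_from("<I", data, 2)[0]        # bfSize: file size the header claims
    pix_off = struct.unpack_from("<I", data, 10)[0]
    if len(data) > declared:
        findings.append(f"{len(data) - declared} bytes appended after declared file size")
    # LSB-plane check: pixel bytes that agree in their top 7 bits but disagree in the LSB.
    # A strong signal for flat-colour artwork such as a logo; noisy for photographs.
    counts = {}
    for b in data[pix_off:min(declared, len(data))]:
        c = counts.setdefault(b >> 1, [0, 0])
        c[b & 1] += 1
    flips = sum(min(c) for c in counts.values())
    if flips >= min_flip:
        findings.append(f"LSB plane inconsistent across {flips} uniform-colour bytes")
    return findings


if __name__ == "__main__":
    clean = build_bmp()
    stego = embed(clean, SAMPLE_PAYLOAD, SAMPLE_KEY)
    assert extract(stego, SAMPLE_KEY) == SAMPLE_PAYLOAD
    print("clean  :", bmp_anomalies(clean))
    print("stego  :", bmp_anomalies(stego))
    print("append :", bmp_anomalies(clean + b"\x00" * 40))
```

The appended-data check catches the cruder variant of the same idea (a payload simply tacked on after the image's declared size); the LSB check only works because a logo is mostly flat colour, which is exactly the kind of carrier this campaign used. Neither check replaces scanning what the loader actually writes to disk or memory after decoding.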
Witchetty targeted two Middle Eastern countries’ governments between February and September 2022, as well as an African country’s stock exchange. The group exploited the ProxyShell and ProxyLogon vulnerabilities, tracked as:
According to Broadcom’s blog post, the attackers install web shells on publicly exposed servers, then steal credentials and move laterally across the network.
On compromised machines they also dumped credentials from process memory, deployed additional web shells and backdoors, executed commands, and installed custom tools. Combining these custom tools with living-off-the-land techniques gives the group a foothold in targeted networks and lets it maintain long-term persistence in victim organizations.
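The intrusion pattern described above, exploitation of an exposed Exchange server followed by a web shell, is visible in IIS logs. The script below is an added example, not from Symantec's report, that runs three hunting rules over a constructed, simplified IIS-style log excerpt (date, time, method, URI stem, URI query, status, client IP): a ProxyShell-style Autodiscover SSRF request, a request to the backend PowerShell endpoint carrying an `X-Rps-CAT` token in the query string, and POSTs to `.aspx` pages under directories where Exchange web shells have been dropped (`/aspnet_client/`, `/owa/auth/`). The log lines, IP addresses, token value and allow-list of legitimate pages are all constructed for the example.

```python
"""
Hunting ProxyShell / ProxyLogon-style Exchange compromise in IIS logs.
Added example with constructed log lines; the field layout is a simplified W3C format.
"""
from collections import defaultdict
from urllib.parse import unquote

# Constructed excerpt: date time method uri-stem uri-query status client-ip ("-" = empty query)
SAMPLE_LOG = """\
2022-08-01 10:00:01 GET /owa/auth/logon.aspx - 200 198.51.100.7
2022-08-01 10:00:02 GET /autodiscover/autodiscover.json Email=alice@example.com&Protocol=ActiveSync 200 198.51.100.7
2022-08-01 10:00:03 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?Email=autodiscover/autodiscover.json%3F@evil.example 200 203.0.113.10
2022-08-01 10:00:04 POST /powershell/ X-Rps-CAT=VgEAVAdXaW5kb3dz 200 203.0.113.10
2022-08-01 10:00:05 POST /aspnet_client/system_web/shell.aspx - 200 203.0.113.10
2022-08-01 10:01:00 GET /ecp/ - 200 198.51.100.7
2022-08-01 10:02:11 POST /owa/auth/errorEE.aspx cmd=whoami 200 192.0.2.44
"""

WEBSHELL_DIRS = ("/aspnet_client/", "/owa/auth/")              # where Exchange web shells were dropped
LEGIT_AUTH_PAGES = {"/owa/auth/logon.aspx", "/owa/auth/logoff.aspx"}   # assumed allow-list, lower-case


def parse(line):
    """Split one constructed IIS-style line into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    date, time, method, stem, query, status, ip = parts
    return {"ts": f"{date} {time}", "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status, "ip": ip}


def classify(rec):
    """Return the names of the hunting rules a single request trips (possibly none)."""
    hits = []
    stem = rec["stem"].lower()
    query = unquote(rec["query"]).lower()
    # Rule 1: ProxyShell Autodiscover SSRF. A legitimate request has Email=user@domain in the
    # query, so '@' alone is not enough; the exploit's query also repeats 'autodiscover.json'.
    if stem.endswith("/autodiscover/autodiscover.json") and "autodiscover.json" in query and "@" in query:
        hits.append("proxyshell-autodiscover-ssrf")
    # Rule 2: backend PowerShell reached with a forged X-Rps-CAT token in the query string.
    if stem.startswith("/powershell") and "x-rps-cat=" in query:
        hits.append("proxyshell-powershell-rps-cat")
    # Rule 3: POST to an .aspx page under directories that should not serve custom pages.
    if (rec["method"] == "POST" and stem.endswith(".aspx")
            and stem.startswith(WEBSHELL_DIRS) and stem not in LEGIT_AUTH_PAGES):
        hits.append("webshell-post")
    return hits


def hunt(log_text):
    """Run every rule over every line; returns (line_number, client_ip, rule) tuples."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        if rec is None:
            continue
        for rule in classify(rec):
            findings.append((n, rec["ip"], rule))
    return findings


def suspicious_sources(findings, min_rules=2):
    """Client IPs tripping several different rules: a likely exploit-then-web-shell chain."""
    by_ip = defaultdict(set)
    for _, ip, rule in findings:
        by_ip[ip].add(rule)
    return {ip: sorted(rules) for ip, rules in by_ip.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for line_no, ip, rule in found:
        print(f"line {line_no}: {ip} -> {rule}")
    print("chains:", suspicious_sources(found))
```

Grouping hits by source address is what turns three low-confidence signals into one high-confidence one: a single client that performs the SSRF, reaches the PowerShell backend and then POSTs to a new `.aspx` page has walked the whole chain. A lone `webshell-post` from another address (as in the last line) still deserves a look, since web shells are often used from infrastructure other than the one that planted them.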
“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest.” (Symantec)