Oct 03, 2022 15:00:00

A terrible trick of hiding and infecting malware in the 'Windows logo image' hosted on GitHub was discovered

by

Isriya Paireepairit

Malware has been found in Android and iPhone images for some time now, but a new and terrifying technique has been found to hide a backdoor in the familiar Windows logo mark. Security researchers are probing that cybercriminals with close ties to the Chinese government-backed hacking group APT10 are likely responsible.

Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East | Broadcom Software Blogs
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/witchetty-steganography-espionage

Cyber Attacks Against Middle East Governments Hide Malware in Windows Logo
https://thehackernews.com/2022/09/cyber-attacks-against-middle-east.html

Hacking group hides backdoor malware inside Windows logo image
https://www.bleepingcomputer.com/news/security/hacking-group-hides-backdoor-malware-inside-windows-logo-image/

Security company Symantec's Threat Hunter Team reported on September 29, 2022 that it was confirmed that the hacker group `` Witchetty (LookingFrog) '' had installed malware in the Windows logo.

In the attack identified this time, a technique called 'steganography ' that hides malicious code in image data etc. was used to insert a payload into a bitmap image and send malicious code as a seemingly harmless image file.

Below is an image of the actual Windows logo used in the attack. The victim downloaded this bitmap file from a GitHub repository with a DLL loader , which contained an XOR -encrypted payload.

bySymantec

The malware 'Stegmap' that has infiltrated the victim's network in this way has a wide range of functions such as downloading and executing executable files, manipulating files, terminating processes, and rewriting the Windows registry. acted as a door.

Regarding the method of embedding malware in images and distributing it via GitHub, Symantec said, ``Downloading from a trusted host like GitHub is much more likely to be vigilant than an attacker's

command and control (C & C) server . It will be low,' he said.

According to the announcement, Witchetty, who carried out this attack, is one of three teams under the umbrella of ' TA410 ' which has a connection with the Chinese hacker group 'APT10'. Witchetty has been conducting a spy campaign targeting the governments of two Middle Eastern countries and African stock exchanges since February 2022, and it is reported that it is still in progress at the time of writing the article.

Witchetty reportedly used two malware groups when discovered by ESET in April 2022: a first-stage backdoor known as 'X4' and a second-stage payload known as 'LookBack'. it was done. Witchetty still uses LookBack at the time of writing, but this report confirmed that Stegmap was added to the toolset as a new malware.

In this regard, Symantec said, 'Witchetty has demonstrated its ability to continually refine and update its toolset to attack its targets. ) property to gain entry into an organization and skillfully use custom tools to maintain a long-term and persistent presence within the target organization.”