
This Windows logo is dangerous

Identified as LookingFrog by ESET, the Witchetty cyber espionage group is a subgroup of TA410 with close ties to the APT10 (also known as Cicada) espionage group. The latter is believed to operate with Chinese state support.

Researchers from Symantec's Threat Hunter team (part of Broadcom Software) uncovered Witchetty attacks that ran from February until at least September 2022. The targets were the governments of two Middle Eastern countries and the stock exchange of an African country.

The attackers exploited the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server to deploy web shells on internet-facing servers. From that foothold they could go on to steal credentials, move laterally across the network, and install malware on other machines.

A booby-trapped image hosted on GitHub

Once inside, the Witchetty group deployed a backdoor that supports a whole range of commands: copying, moving or deleting files; creating or deleting directories; starting a new process or killing an existing one; and creating or deleting Windows registry keys.

The backdoor was hidden inside an image of an old Windows logo. The image displayed normally, and the booby-trapped file was hosted on GitHub.

Disguising the payload this way let the attackers host it on a free and reliable service. Downloads from a trusted host such as GitHub are far less likely to raise alarms than downloads from an attacker-controlled command-and-control server.

Malicious steganography

According to the researchers, this kind of backdoor Trojan is a new addition to Witchetty's arsenal. It relies on steganography.

The technique of hiding data inside another file is well known, but the researchers point out that it is rarely seen used to conceal malicious code in an image.

Here, the backdoor, which the researchers call Stegmap, uses steganography to extract its payload from a bitmap that a DLL loader downloads from GitHub. The payload hidden in the image is decrypted with an XOR key.
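To make the mechanism concrete, here is an added toy model of a steganographic loader and two cheap defender-side checks. This is example code written for this page, not Witchetty's malware or Symantec's analysis tooling. The page only says the payload was hidden in a bitmap and decrypted with an XOR key, so the embedding scheme (least-significant bit of each pixel byte), the single-byte key, the length prefix, the constructed cover image and "MZ"-prefixed fake payload, and all helper names (`build_bmp`, `embed`, `extract`, `trailing_bytes`, `hunt_xor_payload`) are assumptions made for illustration.

```python
"""Toy model of a steganographic loader: a payload is XOR-encrypted, hidden in
the least-significant bits of a BMP's pixel bytes, and recovered by the loader.
Two defender-side checks follow: a trailing-data check and a brute-force of
single-byte XOR keys that looks for an executable header in the LSB plane.
Added example; embedding layout and key size are assumptions, not the real
malware's format."""
import struct


def build_bmp(width: int, height: int, seed: int = 1) -> bytes:
    """Constructed sample cover image: 24-bit BMP with pseudo-random pixels."""
    row_size = (width * 3 + 3) & ~3                      # rows are 4-byte aligned
    pixels = bytearray()
    x = seed
    for _ in range(height):
        for _ in range(width * 3):
            x = (1103515245 * x + 12345) & 0x7FFFFFFF    # small LCG, deterministic
            pixels.append((x >> 16) & 0xFF)
        pixels.extend(b"\x00" * (row_size - width * 3))  # row padding
    offset = 14 + 40                                     # file header + BITMAPINFOHEADER
    file_header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + bytes(pixels)


def xor(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pixel_offset(bmp: bytes) -> int:
    """Start of the pixel array, read from the BMP file header."""
    return struct.unpack_from("<I", bmp, 10)[0]


def embed(bmp: bytes, payload: bytes, key: bytes) -> bytes:
    """Attacker side: write a length prefix plus the XOR-encrypted payload into
    the LSB of successive pixel bytes. The image still renders normally."""
    off = pixel_offset(bmp)
    body = bytearray(bmp[off:])
    blob = struct.pack("<I", len(payload)) + xor(payload, key)
    bits = [(b >> (7 - i)) & 1 for b in blob for i in range(8)]
    if len(bits) > len(body):
        raise ValueError("cover image too small for payload")
    for i, bit in enumerate(bits):
        body[i] = (body[i] & 0xFE) | bit
    return bmp[:off] + bytes(body)


def lsb_bytes(bmp: bytes, count: int) -> bytes:
    """Reassemble `count` bytes from the LSB plane of the pixel array."""
    body = bmp[pixel_offset(bmp):]
    out = bytearray()
    for n in range(count):
        v = 0
        for i in range(8):
            v = (v << 1) | (body[n * 8 + i] & 1)
        out.append(v)
    return bytes(out)


def extract(bmp: bytes, key: bytes) -> bytes:
    """Loader side: read the length prefix, then decrypt that many bytes."""
    length = struct.unpack("<I", lsb_bytes(bmp, 4))[0]
    return xor(lsb_bytes(bmp, 4 + length)[4:], key)


def trailing_bytes(bmp: bytes) -> int:
    """Defender check 1: data simply appended after the pixel array (the crude
    variant of this trick) shows up as file length beyond what the header declares."""
    pixel_len = struct.unpack_from("<I", bmp, 34)[0]
    return len(bmp) - (pixel_offset(bmp) + pixel_len)


def hunt_xor_payload(bmp: bytes, magic: bytes = b"MZ\x90\x00", window: int = 512):
    """Defender check 2: a single-byte XOR key is not a secret. Try all 256 keys
    against the LSB plane and look for a PE-style header. Returns (key, index)
    of the first hit, or None."""
    stream = lsb_bytes(bmp, window)
    for key in range(256):
        idx = xor(stream, bytes([key])).find(magic)
        if idx != -1:
            return key, idx
    return None


# Constructed demo: the "payload" is a fake DOS header plus text, not an executable.
COVER = build_bmp(64, 64)
PAYLOAD = b"MZ\x90\x00" + b"constructed fake payload, not a real executable"
KEY = b"\x5a"
STEGO = embed(COVER, PAYLOAD, KEY)

if __name__ == "__main__":
    print("cover and stego same size:", len(COVER) == len(STEGO))
    print("loader recovers payload:", extract(STEGO, KEY) == PAYLOAD)
    print("trailing bytes:", trailing_bytes(STEGO))
    print("brute-forced key/index:", hunt_xor_payload(STEGO))
```

The point of the two checks is the asymmetry the article describes: the image looks and sizes exactly like a benign logo, so a file-size or trailing-data check catches only the crude append-to-end variant, while XOR with a short key offers no real confidentiality and can be brute-forced in milliseconds once an analyst suspects the image. In practice the stronger signal is behavioural: a DLL fetching a bitmap from a code-hosting site and then allocating executable memory, rather than anything in the image itself.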