
Beware of the malware hiding inside this old Windows logo!

A hacking group known by several names is hiding its backdoor in an old Windows logo to slip past defenses. The technique itself is not new, but it is rarely used by state-aligned espionage groups.

A group of hackers called Witchetty (also known as LookingFrog, and believed to be linked to the larger TA410 cluster tracked as Cicada, menuPass, Stone Panda, Potassium, APT10 or Red Apollo) is suspected of attacking government agencies in the Middle East and the stock exchange of an African country, using a technique that is well known but seldom seen in practice: steganography.

Steganography is the practice of hiding data inside an innocuous-looking carrier such as an image or a video file; in malware, the hidden data is code. The group uses a backdoor named Stegmap, which downloads a bitmap showing an old Windows logo. Hidden inside that image is an encrypted payload that, once extracted, lets the attackers run commands on the victim's computer and steal data from it. According to the researchers, this addition marks a real evolution of the group's arsenal.

Witchetty Attacks Government Agencies Using Windows Logo

According to BleepingComputer, Witchetty has reportedly used this type of attack since last February, mainly against governments and other political organizations. Witchetty's intrusion toolset is constantly evolving, and in these image-based attacks the initial access came through the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange servers, both of which have been patched for some time. Stegmap is delivered as a dynamic library (DLL) that is side-loaded by a legitimate executable; the loader then downloads the innocuous-looking image, the old Windows logo, from GitHub. Because GitHub is a trusted site that most organizations allow, the download is unlikely to be blocked or flagged by security tools. The payload concealed in the logo is decrypted with an XOR key in memory, and the resulting backdoor gives the attackers almost complete control of the targeted computer.
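As an added illustration (this is not code from the page, from Symantec, or from the Witchetty toolset), the following Python shows the mechanics on both sides: it builds a constructed 24-bit BMP, appends an XOR-encoded payload after the pixel array so the picture still renders normally, extracts the payload the way a loader would, and then runs the check a defender would want: recompute the image's expected size from its own header, flag any trailing bytes, and brute-force a single-byte XOR key by looking for the `MZ` magic of a Windows executable. The append-after-pixel-array layout, the single-byte key and the fake `MZ` payload are assumptions; the page does not describe Stegmap's exact encoding.

```python
import struct

XOR_KEY = b"\x5a"  # assumed single-byte key; the page does not give Stegmap's real key


def make_bmp(width, height, colour=(0, 120, 215)):
    """Build a minimal 24-bit uncompressed BMP filled with one colour (constructed carrier)."""
    row_bytes = (width * 3 + 3) & ~3          # BMP rows are padded to 4-byte boundaries
    pixel_size = row_bytes * height
    header_size = 14 + 40                      # BITMAPFILEHEADER + BITMAPINFOHEADER
    r, g, b = colour
    row = bytes([b, g, r]) * width + b"\x00" * (row_bytes - width * 3)
    file_header = struct.pack("<2sIHHI", b"BM", header_size + pixel_size, 0, 0, header_size)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, pixel_size, 2835, 2835, 0, 0)
    return file_header + dib + row * height


def xor_bytes(data, key):
    """Repeating-key XOR; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))


def expected_size(bmp):
    """Size the image *should* have, derived from width/height/bpp rather than the
    file-size field, which an attacker can simply set to cover the hidden data."""
    pixel_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    bpp = struct.unpack_from("<H", bmp, 28)[0]
    row_bytes = ((width * bpp + 31) // 32) * 4
    return pixel_offset + row_bytes * abs(height)   # height < 0 means top-down bitmap


def embed(bmp, payload, key=XOR_KEY):
    """Attacker side: hide the XOR-encoded payload after the pixel array.
    Image viewers ignore the trailing bytes, so the logo still displays."""
    return bmp + xor_bytes(payload, key)


def extract(stego_bmp, key=XOR_KEY):
    """Loader side: locate the trailing bytes and decode them with the known key."""
    return xor_bytes(stego_bmp[expected_size(stego_bmp):], key)


def trailing_bytes(bmp):
    """Detection heuristic: any data beyond the pixel array is suspicious."""
    return len(bmp) - expected_size(bmp)


def recover_payload(stego_bmp, magic=b"MZ"):
    """Analyst side: try all 256 single-byte keys on the trailing data and return
    (key, payload) if one of them yields a PE header. None if nothing matches."""
    tail = stego_bmp[expected_size(stego_bmp):]
    for k in range(256):
        candidate = xor_bytes(tail, bytes([k]))
        if candidate.startswith(magic):
            return k, candidate
    return None


if __name__ == "__main__":
    # Constructed sample: a 16x8 blue square standing in for the Windows logo,
    # and a fake payload that only mimics the first bytes of a DLL.
    carrier = make_bmp(16, 8)
    fake_dll = b"MZ\x90\x00" + b"constructed-fake-payload"
    stego = embed(carrier, fake_dll)
    print("clean image trailing bytes:", trailing_bytes(carrier))
    print("stego image trailing bytes:", trailing_bytes(stego))
    key, payload = recover_payload(stego)
    print("recovered key 0x%02x, payload starts with %r" % (key, payload[:4]))
```

The size check is deliberately computed from the pixel geometry rather than from the `bfSize` or `biSizeImage` fields, because those are trivially adjusted by whoever produces the image; a hunting rule that only compares header size to file size will miss a carefully built carrier. The key brute-force works only for single-byte keys, which is the assumption made here; a longer key would need a known-plaintext attack on the PE header instead.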

Note that this is not the first time this cluster has abused multimedia software to steal information: Cicada (APT10), the larger group to which Witchetty is believed to be linked, has been credited with a campaign that used the legitimate VLC media player to side-load a malicious loader. That campaign was even broader, with victims recorded in at least eight countries. The targets were most often businesses, government bodies and non-profit organizations; individuals are of little interest to a group reputed to be very close to the Chinese government.

Source : Symantec
