New tools target governments in Middle East?
Dave Bittner: Hello everyone and welcome to the CyberWire's "Research Saturday." I'm Dave Bittner, and this is our weekly conversation with researchers and analysts, tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
Dick O'brien: So Witchetty is our name for a group that was only fairly recently defined or outlined.
Dave Bittner: That's Dick O'Brien. He's a principal editor at Symantec. The research we're discussing today is titled "Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East."
Dick O'brien: There was a bit of research put out by our peers in ESET back in April of this year. They were looking at a kind of broad espionage operation that's known as TA410. And their conclusion was that it was actually three distinct, different actors. They called them LookingFrog, FlowingFrog and JollyFrog. And Witchetty is our name for one of those actors, which is LookingFrog. This kind of, I guess, reassessment of groups is not that unusual. It frequently happens with espionage groups from that part of the world. It's quite murky trying to get a picture of who is the distinct threat group. You'll see an awful lot of shared use of tools and infrastructure. So it can be often very difficult to decide where one group starts and another group ends, so to speak. And I think that's probably because, I guess, there's a different kind of culture of espionage operations there. I think this seems to be - they use a lot more contractors, and people move around a lot and sometimes kind of seem to work for more than one operation. So, yeah, it's pretty murky.
Dick O'brien: So anyway, Witchetty was kind of - was identified as a distinct actor back in April of this year. And their calling card is really two pieces of malware, a first stage backdoor known as X4 and then a second stage payload known as LookBack. So ESET, they said this group targets governments and diplomatic missions and charities and some industrial companies, and that's largely in-line in what we saw, what we have seen, you know? We've seen kind of more recent activity of this, and they seem to be continuing to use, you know, much the same tool set, although we have some new discoveries, but also kind of that the profile of victims is quite similar as well.
Dave Bittner: Well, let's go through some of the new things that you all have discovered here. I mean, there's an interesting piece that uses steganography, yes?
Dick O'brien: Yeah. Yeah. I mean, we discovered a couple of new tools that they're using. I guess the most interesting one is a backdoor that we haven't been seeing before. We call it stegmap. I guess it's a rarely seen technique, steganography. So that's what makes it so interesting. So I guess a lot of listeners may have heard of steganography, but for those who haven't, it's a technique that involves hiding something, a message within an image. And I think it first came into the news nearly 20 years ago when there was - there were some reports that Al-Qaida was using it. They were hiding messages in images and sharing them on public forums. And it was kind of a covert way of communicating for them. But in this case, anyway, the thing that was hidden in the image was the code for this backdoor. So how it works was that a kind of innocuous looking image file - it was a bitmap image of, I think it's an old-world Windows logo. I think it's, like, from '98 or 2000 or something like that. And it was hosted on GitHub.
Dick O'brien: So what happened was - is that there was a loader for this tool, and it would download the bitmap image from GitHub. And then it would decrypt the payload from the image. It was encrypted with an XOR key and then loaded up. So that's how it worked. Now, the functionality of the malware, you know, it's a pretty standard backdoor. You know, the technique is unusual, but, like, the functionality is quite - you know, it's what you'd see, you know, this - where they can copy files, delete files, start up new processes, kill processes, things like that.
Dave Bittner: Yeah. I have to say that the use of the Windows logo strikes me as being somewhat clever in that it's the type of thing that if you were to examine it, I think it'd be easy to say, well, there's nothing unusual about that. It seems like the kind of thing that in the routine could be downloaded as part of something else or - you know, it's such a ubiquitous image that it really (inaudible) draw attention to itself.
Dick O'brien: Yeah. And I think you're kind of touching on why they use this technique, you know, because there's lots of ways of obfuscating your malware or hiding the code. What this allows them to do is host the payload on a public service like GitHub. So if somebody uploads a bitmap image to GitHub, it doesn't raise any suspicions, you know, but a heavily obfuscated executable or whatever, that might. But then - so they can put it on GitHub. But then, you know, if a computer is then calling something from GitHub, that is less likely to raise red flags than if they're downloading a file from hitherto unseen address, you know? So it's - I think that's the main reason they use it. It's less to kind of - for the - you know, the code obfuscation and more for their ability to kind of host something in plain sight and not raise any red flags in terms of downloading it.
Dick O'brien: Well, one of the things that you all outline here is the attack chain for Witchetty. Can you kind of give us highlights here and take us through exactly how it works?
Dick O'brien: Yeah, we gave a fairly detailed attack chain. Now, if anybody's interested in it, they can look at the blog because it is - there's a lot of commands in it. But it just shows how this group operates and how their attack unfolds. So it's one of the attacks that we saw, and it's the one where we kind of uncovered the most detail. And that's why we used it. All of the attacks we saw, they either exploit ProxyShell or ProxyLogon, which are vulnerabilities in Microsoft Exchange Server. This is very much the infection vector du jour at the moment for a lot of threat actors. They like these vulnerabilities because, you know, Exchange is usually a public-facing server.
Dick O'brien: So they can try and scan for vulnerable servers where people haven't patched and hit them up. That provided the foothold. And then if - I'm not going to go through each single step. But you will see if you read the blog where they go for there. Once they get onto a server, you see them trying to get credentials using various credential jumping techniques, then they establish a persistent mechanism and then after a little while, it takes them - you know, they're not in any hurry, actually. They start moving across the network, and you see them popping up on other machines. Presumably all of those credentials that they harvested in their attack ammunition machine kind of gave them some, you know, pathway onto other machines.
Dick O'brien: So the attack began, I think - let me see, it was in February of this year. And they managed to stay on that network until the beginning of August. So that is quite a long period of time. You would anticipate that they managed to exfiltrate some good information in that time period.
Dave Bittner: To what degree do you think that they're being stealthy here and to what degree was perhaps the victim not as attentive as they should have been?
Dick O'brien: I think it's a bit of each, to be honest, Dave. The fact that they're able to exploit known vulnerabilities in order to get onto a network always does point to something - a network that isn't completely locked down, if you know what I mean.
Dave Bittner: Yeah.
Dick O'brien: But, you know, having said that, they're a competent actor. They do rely a lot on living-off-the-land techniques. They know their PowerShell and things like that, you know, so there isn't, like - you know, there is malware involved, but that's only, you know, a very small subset of the malicious activity that we've seen.
Dave Bittner: What are your recommendations then in terms of folks protecting themselves against this?
Dick O'brien: The recommendations to - that apply to, I guess, all targeted or espionage attacks tend to apply to this, you know? You know, they start with the infection vector. And as I mentioned earlier, exploitation vulnerabilities on public-facing servers is huge at the moment. And if you want to prioritize your patching, actually CISA publish a good list of - they call it their known exploitation vulnerabilities catalog. So if you want to prioritize which system needs to be up-to-date and make sure of this, you can - you check out that because it's only vulnerabilities that are being actively exploited at the moment that are listed on it.
Dick O'brien: And then, you know, the second thing is just consider how these attacks unfold. Credential theft is the - one of the essential steps that are involved. And you should try and make that as difficult as possible for attackers. So don't - you regularly refresh your admin credentials. You implement two-factor authentication across the board. You know, just make it sort of the case that if somebody can dump a plaintext username and password, you know, that isn't going to be enough for them to log onto another computer. And then of course, you know, you should always use a multilayered security solution, you know, that includes email security, endpoint, EDR, things like that. I think that's the quick sum up anyway.
Dave Bittner: Yeah. I mean, it's the standard stuff, right? There's nothing terribly exotic on that list, but it's all necessary. And yet here we are talking about them, right?
Dick O'brien: Yeah. Yeah. You know, I mean, as - like, some organizations may be better resourced than others, or awareness might not be as high.
Dave Bittner: Yeah.
Dick O'brien: But, you know, we'll try and keep getting the message out.
Dave Bittner: Our thanks to Dick O'Brien from Symantec's threat hunter team for joining us. The research is titled "Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East." We'll have a link in the show notes.
Dave Bittner: The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Rachel Gelfand, Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.