Espionage group Witchetty has been seen using a backdoor Trojan that utilizes steganography, along with other new tools.
Witchetty espionage group uses updated toolkit.
The Symantec Threat Hunter Team, part of Broadcom Software, released a blog today detailing the Witchetty espionage group (also known as LookingFrog) and its updated toolset. Witchetty has been observed targeting the governments of two Middle Eastern countries, as well as the stock exchange of an African nation.
Witchetty has been using the LookBack backdoor, but new malware appears to have been added to the group’s toolkit. A backdoor Trojan known as Backdoor.Stegmap has been seen in use, and it relies on steganography: a technique in which malicious code is hidden inside an image. The researchers explain that a DLL loader downloads a bitmap file, which appears to be an old Microsoft logo, from a GitHub repository. The payload is hidden within that file and is decrypted with an XOR key. Disguising the payload this way makes the download appear more trustworthy, since it comes from GitHub rather than from an attacker-controlled command-and-control server. The payload can create and remove directories; copy, move and delete files; start a new process; download and run an executable and then terminate that process; steal local files; enumerate and kill processes; and read, create and delete registry keys, as well as set a registry key value.
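As an added illustration of the detection side of this technique (example code, not from Symantec’s report or from the malware itself), the following Python checks whether a bitmap carries bytes beyond its own pixel array that decode to a PE header under a single-byte XOR key. The appended placement, the single-byte key and the sample image are assumptions constructed for the example; the report does not describe Stegmap’s exact encoding or key.

```python
import struct

BMP_HDR = "<2sIHHI"        # magic, declared file size, two reserved words, pixel-data offset
DIB_HDR = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)

def pixel_data_end(data: bytes) -> int:
    """Offset where the pixel array of an uncompressed BMP should end, computed from its
    own headers. Falls back to the declared file size for compressed or unusual bitmaps."""
    _, declared, _, _, off = struct.unpack_from(BMP_HDR, data, 0)
    hdr_size, width, height, _, bpp, compression, *_ = struct.unpack_from(DIB_HDR, data, 14)
    if hdr_size >= 40 and compression == 0 and bpp in (24, 32):
        row = (width * bpp // 8 + 3) & ~3      # each row is padded to a 4-byte boundary
        return off + row * abs(height)
    return declared

def find_hidden_pe(data: bytes):
    """Flag bytes appended past the image that decode to a PE ('MZ') under a single-byte
    XOR key (assumption for this demo). Returns (key, decoded_bytes) or None."""
    if len(data) < 54 or data[:2] != b"BM":
        return None
    trailing = data[pixel_data_end(data):]
    if len(trailing) < 2:
        return None
    key = trailing[0] ^ ord("M")                # known-plaintext: recover the key from 'M'
    if trailing[1] ^ key != ord("Z"):           # confirm it also yields 'Z'
        return None
    return key, bytes(b ^ key for b in trailing)

def build_sample(payload: bytes, key: int) -> bytes:
    """Constructed test input: a tiny white 2x2 24-bit bitmap with an XOR-encoded blob appended."""
    width, height = 2, 2
    row = (width * 3 + 3) & ~3
    pixels = (b"\xff" * (width * 3)).ljust(row, b"\0") * height
    off = 14 + 40
    bmp = struct.pack(BMP_HDR, b"BM", off + len(pixels), 0, 0, off)
    bmp += struct.pack(DIB_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return bmp + pixels + bytes(b ^ key for b in payload)

if __name__ == "__main__":
    sample = build_sample(b"MZ\x90\x00fake-pe-bytes", 0x5A)   # constructed, not a real PE
    print(find_hidden_pe(sample))   # (90, b'MZ\x90\x00fake-pe-bytes')
```

A real scanner would go on to hand the decoded blob to a PE parser or an AV engine; the key recovery here only works because the expected plaintext begins with a fixed magic.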
Other new tools utilized by the group include a custom proxy utility, where the “infected computer acts as the server and connects to a C&C server acting as a client, instead of the other way around;” a custom port scanner, which scans the network ports in a subnet; and a custom persistence utility, which autostarts in the registry as “NVIDIA display core component.”
The Record by Recorded Future quotes Dick O’Brien, a member of the Symantec Threat Hunter team, saying “From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization.”
Symantec doesn't offer an attribution, but it does quote ESET's association of Witchetty with TA410, a group other researchers have associated with China's Ministry of State Security.