The big picture: Backdoor.Stegmap is a potent backdoor hidden in a plain Windows logo image file using steganography-based encryption. Chinese cybercriminals work hard using new and old techniques to permanently compromise high-level government and diplomatic targets.
Malware-based campaigns are becoming increasingly complex threats that can target multiple devices and operating systems. New techniques and “tricks” are constantly being added, while already known ones keep resurfacing. Hiding data in images through steganography is neither a novel nor a popular technique, yet it is being used in a new espionage campaign by a group called Witchetty.
Backdoor.Stegmap’s hallmark, according to Symantec’s Threat Hunter Team, is malicious code hiding in a well-known, albeit old, logo for Microsoft’s Windows operating system. The logo image is hosted on a GitHub repository, a free, trusted service that is far less likely to raise a red flag compared to traditional command and control (C&C) servers used by cybercriminals.
When a DLL loader downloads the above logo onto a compromised system, the payload hidden in the image file is decrypted using an XOR key. If executed successfully, the Backdoor.Stegmap Trojan can open a fully-functional backdoor that can create files and directories, start or kill processes, modify the Windows registry, download new executable files, and more.
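As an added defender's example (not code from the article or from Symantec's report), the check below looks for the pattern described above: data appended past the end of an image container, and a leading PE header that has been XORed with a single byte. The sample BMP and the appended blob are constructed; the article does not say how Stegmap embeds or keys its payload, so the layout and single-byte key are assumptions and this is only a triage heuristic.

```python
import struct

# Constructed sample: a minimal 1x1 24-bit BMP (58 bytes) with nothing appended.
BMP_FILE_SIZE = 14 + 40 + 4  # file header + info header + one padded pixel row
BMP_HEADER = b"BM" + struct.pack("<IHHI", BMP_FILE_SIZE, 0, 0, 54)
BMP_INFO = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
BMP_PIXELS = b"\x00\x00\xff\x00"  # one red pixel plus row padding
CLEAN_BMP = BMP_HEADER + BMP_INFO + BMP_PIXELS

# Constructed "suspicious" sample: a fake PE stub XORed with key 0x5A and appended
# after the declared end of the bitmap (an assumed layout, not Stegmap's actual one).
FAKE_PE = b"MZ" + b"\x00" * 30
SUSPICIOUS_BMP = CLEAN_BMP + bytes(b ^ 0x5A for b in FAKE_PE)


def trailing_data(data: bytes) -> bytes:
    """Return bytes that sit past the end of the image container (BMP or PNG)."""
    if data[:2] == b"BM":
        declared = struct.unpack_from("<I", data, 2)[0]  # bfSize from the BMP header
        return data[declared:]
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        end = data.find(b"IEND")
        if end == -1:
            return b""
        return data[end + 8:]  # skip the 'IEND' type field and its 4-byte CRC
    return b""


def xor_pe_key(blob: bytes):
    """If blob looks like a PE image XORed with one byte, return that key (0 = plain)."""
    if len(blob) < 2:
        return None
    key = blob[0] ^ ord("M")
    if blob[1] ^ key == ord("Z"):
        return key
    return None


def scan_image(data: bytes) -> dict:
    """Summarise appended data and a recoverable single-byte XOR key for an image."""
    extra = trailing_data(data)
    return {"trailing_bytes": len(extra), "xor_key": xor_pe_key(extra)}


if __name__ == "__main__":
    print("clean:", scan_image(CLEAN_BMP))            # no trailing data
    print("suspicious:", scan_image(SUSPICIOUS_BMP))  # 32 trailing bytes, key 0x5A
```

A hit here only means the file carries more than an image; the bytes still need to be decoded and examined, and images with a legitimate payload (ICC profiles, EXIF) will not trigger because they live inside the container.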
According to Symantec researchers, the Backdoor.Stegmap-based campaign by cyberspy group Witchetty (aka LookingFrog) has been active since February 2022, targeting two Middle Eastern governments and an African country’s stock exchange.
The attackers exploited already known vulnerabilities (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, CVE-2021-27065) to install web shells on publicly accessible servers, steal credentials, move across networks, and install malware on other computers.
Witchetty first came into the limelight in April 2022 when ESET identified the threat as one of the subgroups of TA410, a cyberespionage operation linked to the state-sponsored Chinese group called Cicada/APT10. Armed with a rich toolset with growing malware capabilities, Witchetty has been known to target governments, diplomatic missions, charities, and industry organizations.
The Backdoor.Stegmap steganography Trojan is indeed a new addition to the toolset mentioned above, while the other new tools used by the group include a custom proxy utility, a port scanner and a “persistence utility” which adds itself to the autostart section of the registry and hides behind the moniker “NVIDIA Display Core Component”.
According to Symantec, Witchetty has demonstrated the ability to “continuously refine and update its toolset to compromise targets of interest” to maintain a long-term, consistent presence in affected organizations.
Source: Backdoor.Stegmap, malware that hides in a simple Microsoft Windows logo, https://www.techspot.com/news/96163-backdoorstegmap-malware-hiding-plain-microsoft-windows-logo.html