
Witchetty APT Plants Backdoor in Windows Logo


Researchers have spotted a threat actor dubbed Witchetty using steganography to hide a previously undocumented backdoor in a Windows logo. The group used the backdoor in attacks against Middle Eastern governments.

Experts assess the cyber espionage group Witchetty to be a sub-group of the China-linked TA410 group. The group has been continuously improving its toolset, employing new malware in attacks aimed at governments, diplomatic missions, charities, and industrial/manufacturing organizations in the Middle East and Africa.


Witchetty operations were characterized by the use of two pieces of malware: a first-stage backdoor dubbed X4 and a second-stage modular malware known as LookBack.

The threat actors exploited the ProxyShell and ProxyLogon vulnerabilities to deploy web shells on public-facing servers before performing follow-on malicious actions, such as stealing credentials, moving laterally across networks, and dropping additional malicious payloads.

In recent attacks the group started using a previously undocumented implant tracked as Backdoor.Stegmap, which relies on steganography to conceal the malicious payload in a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository. Hiding the malicious code within an image hosted on a trusted service allowed the attackers to evade detection: the download looks like ordinary traffic to a legitimate site, and the image file itself carries no obviously executable content.
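The article does not say how Stegmap's payload is embedded in the bitmap, so the following is not a Stegmap detector and is not code from the article or from Symantec. It is an added, defender-side example of the kind of structural check an analyst can run on any BMP pulled from a trusted host by a suspicious process: parse the BMP file header and the BITMAPINFOHEADER, compare the declared file size and pixel-array extent against the bytes actually present (a payload appended after the pixel data or stuffed between headers and pixels shows up as slack), and report least-significant-bit statistics for low-colour images, where a near-random LSB plane is out of place. The sample images are constructed in the script itself; `build_bmp` exists only to create that sample data.

```python
import struct

# --- constructed sample data (not real artefacts from the campaign) -------------

def build_bmp(width, height, pixels):
    """Build a minimal 24-bit uncompressed BMP (BITMAPINFOHEADER) from a flat
    list of (b, g, r) tuples. Used here only to construct sample input."""
    row_bytes = (width * 3 + 3) & ~3          # rows are padded to 4 bytes
    pixel_data = bytearray()
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes(pixels[y * width + x])
        row += b"\x00" * (row_bytes - len(row))
        pixel_data += row
    pixel_offset = 14 + 40
    file_size = pixel_offset + len(pixel_data)
    file_header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                              len(pixel_data), 2835, 2835, 0, 0)
    return bytes(file_header + info_header + pixel_data)

# A flat single-colour 4x2 "logo" and the same image with bytes appended after
# the pixel array. Both are constructed for this example.
CLEAN_LOGO = build_bmp(4, 2, [(0, 0, 255)] * 8)
TAMPERED_LOGO = CLEAN_LOGO + b"APPENDED"

# --- the actual check ------------------------------------------------------------

def inspect_bmp(data):
    """Parse BMP headers and return structural indicators worth triaging:
    declared vs actual size, bytes outside the pixel array, colour count and
    the fraction of 1-bits in the LSB plane of the pixel data."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    (hdr_size, width, height, _, bpp, compression,
     _, _, _, _, _) = struct.unpack_from("<IiiHHIIiiII", data, 14)
    if compression != 0 or bpp not in (24, 32):
        raise ValueError("example handles uncompressed 24/32-bit BMPs only")
    bytes_per_pixel = bpp // 8
    row_bytes = (width * bytes_per_pixel + 3) & ~3
    pixel_end = pixel_offset + row_bytes * abs(height)
    pixels = data[pixel_offset:pixel_end]

    colors = set()
    for y in range(abs(height)):
        row = pixels[y * row_bytes: y * row_bytes + width * bytes_per_pixel]
        for x in range(0, len(row), bytes_per_pixel):
            colors.add(bytes(row[x:x + bytes_per_pixel]))
    ones = sum(b & 1 for b in pixels)

    return {
        "declared_size": declared_size,
        "actual_size": len(data),
        "size_mismatch": declared_size != len(data),
        "header_gap_bytes": pixel_offset - (14 + hdr_size),   # slack before pixels
        "trailing_bytes": max(0, len(data) - pixel_end),      # slack after pixels
        "unique_colors": len(colors),
        "lsb_ones_ratio": ones / len(pixels) if pixels else 0.0,
    }


def suspicious(report, lsb_tolerance=0.05):
    """Turn the report into a list of human-readable reasons to look closer.
    An empty list means no structural anomaly was found (not 'clean')."""
    reasons = []
    if report["size_mismatch"]:
        reasons.append("declared file size differs from actual length")
    if report["trailing_bytes"]:
        reasons.append(f"{report['trailing_bytes']} bytes after the pixel array")
    if report["header_gap_bytes"]:
        reasons.append(f"{report['header_gap_bytes']} bytes between headers and pixel array")
    # A 16-colour-or-fewer graphic whose LSB plane is ~50% ones behaves like
    # random data, which a flat logo should not.
    if report["unique_colors"] <= 16 and abs(report["lsb_ones_ratio"] - 0.5) < lsb_tolerance:
        reasons.append("near-random LSB plane in a low-colour image")
    return reasons


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_LOGO), ("tampered", TAMPERED_LOGO)):
        rep = inspect_bmp(blob)
        print(name, rep, suspicious(rep) or "no structural anomaly")
```

The LSB statistic is deliberately reported rather than used as a hard verdict: photographs legitimately have an LSB plane close to 50% ones, so that heuristic only carries weight for simple graphics such as a logo, and an embedding scheme that stores an encrypted blob elsewhere in the file would need the size and slack checks instead.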

Witchetty has the ability to continually refine and refresh its toolset to compromise targets of interest. Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations.

This research was documented by researchers from the Symantec Threat Hunters Group.


Indicators of Compromise
