Select Page

An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.

Broadcom’s Symantec Threat Hunter Team attributed the updated tooling to a hacking group it tracks under the name Witchetty, which is also known as LookingFrog, a subgroup operating under the TA410 umbrella.

Intrusions involving TA410 – which is believed to share connections with a Chinese threat group known as APT10 (aka Cicada, Stone Panda, or TA429) – primarily feature a modular implant called LookBack.

Symantec’s latest analysis of attacks between February and September 2022, during which the group targeted the governments of two Middle Eastern countries and the stock exchange of an African nation, highlights the use of another backdoor dubbed Stegmap.

The new malware leverages steganography – a technique used to embed a message (in this case, malware) in a non-secret document – to extract malicious code from a bitmap image of an old Microsoft Windows logo hosted on a GitHub repository.

images from Hacker News