The threat hunter team at Broadcom’s Symantec has published an alert showing that Chinabacked Witchetty and LookingFrog hacker groups are employing enhanced toolsets to target entities in Africa and the Middle East.
ESET found the organization for the first time in April 2022. Its operations are distinguished by using a first-stage backdoor (X4) and a second-stage payload (LookBack).
Chinabacked Witchetty attack tactics revealed in Symantec Advisory
According to Symantec’s analysis, Witchetty is linked to the Chinese APT organization Cicada, also known as Stone Panda, and APT10, as well as TA410. This organization has already been linked to targeted assaults on US energy companies.
The group’s toolkit is constantly developing. It presently employs a steganographic technique to conceal a backdoor (Backdoor.Stegmap) under the Microsoft Windows logo and targets Middle Eastern countries.
Although not novel, this is an unusual approach in which a virus is concealed within a picture. The virus may remove and create folders, manipulate files, launch/terminate processes, run/download executables, enumerate and kill processes, and steal data, among other things. It also has the ability to create, read, and remove registry keys.
Cicada was targeting Japanese organizations earlier this year, but it now appears to have expanded its target list to include North America, Asia, and Europe.
“A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.” reads the analysis published by Broadcom’s Symantec Threat Hunter researchers. “Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.
Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest. Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations.”
Specifics of the Attack
The infection chain includes the use of a DLL loader to get the GitHub bitmap file, which is a Microsoft Windows logo with malicious code embedded inside. This method of concealing the payload enables attackers to host it on trustworthy, free services such as GitHub.
Between February and September 2022, Witchetty attacked the administrations of two Middle Eastern countries, as well as the stock exchange of an African country. The group took use of the ProxyShell and ProxyLogon vulnerabilities, which were identified as CVE-2021-31207, CVE-2021-34473, CVE-2021-34523, CVE-2021-26855 and CVE-2021-27065.
According to Broadcom’s blog post, attackers install web shells on publicly accessible computers before obtaining credentials and gaining lateral network movement.
They also placed malware on computers in an attempt to steal passwords using memory dumps, the deployment of web shells and backdoors, command execution, backdoor deployment, and the installation of bespoke tools. This strategy allows it to infiltrate organizational networks, and the combination of tailored tools with other living-off-the-land strategies allows it to sustain long-term persistence in targeted organizations.
“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest,” Symantec says.
What is Symantec?
The American software corporation NortonLifeLock Inc., formerly Symantec Corporation, has its headquarters in Tempe, Arizona. The business offers services and software for cybersecurity. The Fortune 500 firm NortonLifeLock is a component of the S&P 500 stock market index.