Malware found hiding in a Windows logo
2022-10-03 16:44 by Daniela
Tags: malware, Windows, logo, Witchetty
An espionage-focused threat actor has been observed using a steganographic trick to conceal a previously undocumented backdoor in a Windows logo in its attacks against Middle Eastern governments.
Hiding malware inside an image is not a new technique, but it remains a rare one. The trojan can perform a range of functions, including creating and removing directories, manipulating files, launching and terminating processes, running and downloading executables, enumerating and killing processes, and stealing documents. It can also create, read, and delete registry keys.
The image used by the Witchetty espionage group is a bitmap of an old Windows logo, and the malicious code it carries is a backdoor trojan (Backdoor.Stegmap) capable of executing a range of system commands. Disguising the payload as an image lets the attackers hide it in plain sight on a free and trusted service without it being flagged as a security threat. In this case, Witchetty hosted the bitmap on GitHub.
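As an added, defender-side example (not code from the article or from Symantec's analysis): a Python check that parses a BMP's headers and flags bytes that sit past the declared file size or pixel array, as well as pixel data that looks random rather than like an image. It constructs its own sample bitmaps; the article does not describe how Witchetty embedded its payload, so this is a generic integrity check for the file format, not a detection signature for Backdoor.Stegmap.

```python
import math
import struct
from collections import Counter

FILE_HDR = "<2sIHHI"        # magic, declared file size, reserved x2, pixel-array offset
INFO_HDR = "<IiiHHIIiiII"   # BITMAPINFOHEADER: size, width, height, planes, bpp, compression, ...

def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 for encrypted or compressed data, far lower for flat pixel rows."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def make_bmp(width: int, height: int, rgb=(0, 120, 215), trailer: bytes = b"") -> bytes:
    """Constructed sample: a solid-colour 24-bit BMP, optionally with bytes appended past the pixels."""
    stride = ((width * 24 + 31) // 32) * 4                                # rows padded to 4 bytes
    pixels = (bytes(rgb[::-1]) * width).ljust(stride, b"\0") * height   # BMP stores BGR
    file_hdr = struct.pack(FILE_HDR, b"BM", 54 + len(pixels), 0, 0, 54)
    info_hdr = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + trailer   # the trailer is invisible to any image viewer

def inspect_bmp(data: bytes) -> dict:
    """Compare what the headers claim with what is on disk and flag the mismatches."""
    magic, declared_size, _, _, pixel_offset = struct.unpack_from(FILE_HDR, data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP file")
    _, width, height, _, bpp, compression, *_ = struct.unpack_from(INFO_HDR, data, 14)
    stride = ((abs(width) * bpp + 31) // 32) * 4
    pixel_end = pixel_offset + stride * abs(height)
    pixels = data[pixel_offset:pixel_end]
    # Anything past both the declared size and the pixel array is never rendered: a natural hiding place.
    trailing = max(len(data) - max(declared_size, pixel_end), 0)
    pixel_entropy = shannon_entropy(pixels)
    return {
        "width": width, "height": height, "bpp": bpp, "compression": compression,
        "declared_size": declared_size, "actual_size": len(data), "trailing_bytes": trailing,
        "pixel_entropy": round(pixel_entropy, 2),
        "trailer_entropy": round(shannon_entropy(data[len(data) - trailing:]), 2) if trailing else 0.0,
        "suspicious": trailing > 0 or pixel_entropy > 7.5,  # uncompressed pixels should not look random
    }

if __name__ == "__main__":
    print(inspect_bmp(make_bmp(4, 4)))
    print(inspect_bmp(make_bmp(4, 4, trailer=bytes(range(256)) * 2)))
```

The same check runs over any BMP read from disk; a clean logo reports zero trailing bytes and low pixel entropy, while appended or patched-in data shows up as a size mismatch or a high-entropy region.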
Symantec says Witchetty's latest toolset including this steganography technique has already been used on two government agencies in the Middle East and a stock exchange in Africa. The group is viewed by Symantec as a capable threat actor that has "demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest."