Even the iconic Windows logo is not safe from malware: a threat actor has successfully concealed malicious code inside an image of it.
Symantec researchers say they spotted a campaign that hides malicious code inside otherwise harmless image files, a technique known as steganography.
The goal is typically to evade antivirus software, which rarely flags image files as malicious.
The group behind this campaign is tracked as Witchetty, a known threat actor believed to be closely linked to the Chinese state-sponsored group Cicada (also known as APT10) and considered part of the TA410 umbrella group, which has targeted US energy utilities in the past.
Its latest campaign began in February 2022 and targeted at least two governments in the Middle East, as well as an African stock exchange, where the attack is reportedly still ongoing.
Witchetty used steganography to hide an XOR-encrypted backdoor inside an image hosted on a free cloud service, minimizing the chances of detection. To gain initial access and drop web shells on vulnerable endpoints, the attackers exploited the known Microsoft Exchange ProxyShell and ProxyLogon vulnerabilities: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855 and CVE-2021-27065.
“Hiding the payload in this way allowed attackers to host it on a free, trusted service,” said Symantec. “Downloading from trusted hosts such as GitHub is much less likely to trigger red flags than downloading from an attacker-controlled C&C server.”
The XOR-encrypted backdoor lets the attackers perform a wide range of actions, including manipulating files and folders, starting and ending processes, modifying the Windows registry, downloading additional malware, stealing documents and turning the compromised endpoint into a C2 server.
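The hiding technique described above lends itself to a simple triage check. The following Python is an added example, not Witchetty's code or Symantec's tooling. It assumes the payload is appended after the image data the BMP header declares (the article does not say exactly how Witchetty embedded the payload) and that it is protected with a single-byte XOR key; both are assumptions for illustration. It builds a constructed minimal BMP, embeds a constructed stand-in PE payload the way an attacker would, then, on the defender side, compares the declared file size with the actual size, recovers the key from the "MZ" magic every PE file starts with, and confirms a PE signature in the decrypted overlay.

```python
"""Added example: detect a payload appended to a BMP and recover a single-byte
XOR key with a known-plaintext crib.  Not Witchetty's code; the embedding
scheme (overlay after the declared image size) and the one-byte key are
assumptions made for illustration."""
import struct

MZ_CRIB = b"MZ"           # DOS header magic at the start of every PE file
BMP_HEADER_LEN = 14 + 40  # BITMAPFILEHEADER + BITMAPINFOHEADER


def build_bmp(width: int, height: int) -> bytes:
    """Construct a minimal valid 24-bit BMP (solid black) to stand in for the logo."""
    row = ((24 * width + 31) // 32) * 4          # rows are padded to 4 bytes
    pixels = bytes(row * height)
    size = BMP_HEADER_LEN + len(pixels)
    file_hdr = b"BM" + struct.pack("<IHHI", size, 0, 0, BMP_HEADER_LEN)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same one-byte key (symmetric, so also decrypts)."""
    return bytes(b ^ key for b in data)


def embed_payload(bmp: bytes, payload: bytes, key: int) -> bytes:
    """Attacker side: append the XOR-encrypted payload after the image data.
    The header still describes the original size, so viewers show a normal image."""
    return bmp + xor_bytes(payload, key)


def declared_bmp_size(blob: bytes) -> int:
    """File size as recorded in the BITMAPFILEHEADER (bytes 2..6, little-endian)."""
    if len(blob) < BMP_HEADER_LEN or blob[:2] != b"BM":
        raise ValueError("not a BMP file")
    return struct.unpack_from("<I", blob, 2)[0]


def find_overlay(blob: bytes) -> bytes:
    """Defender side: anything past the declared size is an overlay (empty if clean)."""
    return blob[declared_bmp_size(blob):]


def recover_xor_key(overlay: bytes, crib: bytes = MZ_CRIB):
    """Derive a single-byte XOR key from a known plaintext crib; None if no key fits."""
    if len(overlay) < len(crib):
        return None
    key = overlay[0] ^ crib[0]
    return key if xor_bytes(overlay[:len(crib)], key) == crib else None


def looks_like_pe(data: bytes) -> bool:
    """Check the DOS magic and the 'PE\\0\\0' signature at the e_lfanew offset."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def analyse(blob: bytes) -> dict:
    """Run the whole check over one image and summarise what was found."""
    overlay = find_overlay(blob)
    result = {"overlay_bytes": len(overlay), "key": None, "pe": False}
    if overlay:
        key = recover_xor_key(overlay)
        result["key"] = key
        if key is not None:
            result["pe"] = looks_like_pe(xor_bytes(overlay, key))
    return result


# Constructed stand-in for a PE payload: DOS header whose e_lfanew points at "PE\0\0".
FAKE_PE = (b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40) + b"PE\x00\x00"
           + b"\x4c\x01" + bytes(0x40))

if __name__ == "__main__":
    clean = build_bmp(2, 2)
    stego = embed_payload(clean, FAKE_PE, 0x5A)   # 0x5A is an arbitrary demo key
    print("clean image:", analyse(clean))
    print("stego image:", analyse(stego))
```

A clean image yields no overlay; an overlay that decrypts to data carrying a valid PE signature is a strong signal worth escalating. A production scanner would also try multi-byte keys (the DOS stub string "This program cannot be run in DOS mode" is a longer crib) and check for least-significant-bit embedding, where declared and actual sizes match and this size check alone finds nothing.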
We last heard of Cicada in April 2022, when researchers reported that the group had abused the popular VLC media player to spread malware and spy on government agencies and related organizations in the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy.
By: Hissing computer