I don’t doubt that some people hate Windows to the point where they think its logo is evil. What no one expects is for a hacker group to take this impression seriously. The members of Witchetty hid a trojan inside an old operating system logo. How? Through steganography.
The idea is sophisticated, but not unfamiliar. Steganography is a technique that hides information within an image, video or other file type. Often this “art” is used to make it difficult to track the message being sent.
That’s the case here. Symantec reports that Witchetty embedded a Trojan horse (backdoor) in a bitmap image of the logo Microsoft used in Windows 7. The malware was hidden there using an XOR encryption algorithm, which follows specific principles of Boolean logic.
Images do not usually raise suspicion in security systems, unless they are malware renamed to such formats. That’s why the steganography trick can work: there is malicious code hidden there, but the image is still a valid image.
However, the attack does not start with the image itself. In fact, hackers exploit at least two sets of known flaws in Microsoft Exchange — ProxyLogon and ProxyShell — to break into vulnerable servers.
The action is performed by two backdoors: X4 in the first stage and LookBack in the second. The latter has a DLL loader that takes care of downloading the image from a repository on GitHub, which is a trusted host.
Other sources that are equally or more trusted would serve just as well. That’s because, since the malware is hidden in an actual bitmap, these services cannot detect it, at least not easily.
After the file is downloaded, Backdoor.Stegmap, as the malware is called, is extracted from the image by decrypting it with an XOR key. From there, the threat can perform a series of actions, among them copying or deleting files, starting processes and downloading other malicious payloads.
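One defender-side check this description suggests is to verify that a bitmap carries no more bytes than its own headers account for. The example below is added here and is not code from the article or from Symantec; it assumes the hidden payload is appended after the declared pixel data (the article does not say where in the file it sits) and uses a constructed BMP and a constructed stand-in blob, not real malware.

```python
import math
import struct
from collections import Counter


def build_bmp(width, height, pixel_byte=0x7F):
    """Construct a minimal 24-bit BMP (sample input, not a real logo)."""
    row_bytes = ((width * 24 + 31) // 32) * 4           # rows are padded to 4 bytes
    pixels = bytes([pixel_byte]) * (row_bytes * height)
    # BITMAPINFOHEADER: size, width, height, planes, bpp, compression,
    # image size, x/y pixels per metre, colours used, important colours
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    offset = 14 + 40                                     # pixel data starts after both headers
    # BITMAPFILEHEADER: magic, file size, two reserved words, pixel offset
    header = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    return header + dib + pixels


def shannon_entropy(data):
    """Bits per byte; XOR-obfuscated executables tend to sit near 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_bmp(blob):
    """Compare declared and computed sizes; report any trailing bytes."""
    if len(blob) < 54 or blob[:2] != b"BM":
        raise ValueError("not a BMP")
    _, declared_size, _, _, offset = struct.unpack_from("<2sIHHI", blob, 0)
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", blob, 14)
    row_bytes = ((width * bpp + 31) // 32) * 4
    expected_end = offset + row_bytes * abs(height)      # height may be negative (top-down)
    trailing = blob[max(declared_size, expected_end):]
    return {
        "declared_size": declared_size,
        "actual_size": len(blob),
        "expected_end": expected_end,
        "trailing_bytes": len(trailing),
        "trailing_entropy": round(shannon_entropy(trailing), 2),
        "suspicious": len(trailing) > 0,
    }


if __name__ == "__main__":
    clean = build_bmp(4, 2)
    print(inspect_bmp(clean))
    # Constructed high-entropy blob standing in for an appended, XOR-encoded payload.
    print(inspect_bmp(clean + bytes(range(256)) * 2))
```

A file that renders correctly yet reports hundreds of kilobytes of trailing data is worth quarantining and inspecting, whatever host it was fetched from.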
Then comes the espionage
The procedures to be performed depend on the target and objective. According to Symantec, Witchetty (aka LookingFrog) conducts espionage. This year, the group reportedly carried out actions against the governments of two Middle Eastern countries and a stock exchange in Africa, just to give recent examples.
There is a suspicion that Witchetty has links with the APT10 hacker group which, in turn, reportedly has ties to the Chinese government.
Detecting a malicious payload hidden via steganography is difficult, but the malicious action can be blocked by intrusion detection systems, for example.
But prevention remains the best medicine. Simple measures may suffice, such as installing software updates. To give you an idea, the Exchange vulnerabilities mentioned above were patched by Microsoft last year.
Oh, and don’t worry. The image that opens this text does not hide anything. The guarantee is only yo.