Updated on 2022-11-02
Kaspersky published two reports on Monday on LODEINFO, a backdoor that is part of the arsenal of the APT10 Chinese cyber-espionage group. Read more: APT10: Tracking down LODEINFO 2022, part II
Updated on 2022-11-01
The Chinese hacking group Cicada, aka APT10, was found abusing antivirus software to deploy a new variant of the LODEINFO malware against Japanese organizations. Read more: APT10: Tracking down LODEINFO 2022, part I
Updated on 2022-10-02
Researchers from Symantec’s Threat Hunter Team detected an espionage group using steganography to further its activities. The Witchetty espionage group exploited five ProxyShell and ProxyLogon vulnerabilities to install web shells, then stole access credentials and began moving laterally through compromised networks. The steganographic part of the attack hides malicious code inside a Windows logo bitmap; the backdoor Trojan that uses it retrieves the image and extracts the payload from it.
- This looks like yet another example where the attacker attached an obfuscated executable to an image (which isn’t steganography in my opinion), and used a common cloud service to deliver the image. Lazy detection systems often ignore content past the initial header, and this trick isn’t new but it is effective. Catchy headline, but nothing really new.
- Steganography is very interesting and capturing the source image is tempting. Use care handling it if you go down that path. This attack is new functionality added to the LookBack backdoor, and the image (the jacked-up Windows logo) is stored in a GitHub repository. The Symantec blog has IOCs for you to incorporate. The attack is leveraging weaknesses in public-facing services, e.g., Exchange. The best mitigation is to actively update any public-facing services and regularly verify they are running current security configurations.
Read more in
- Group Uses Updated Toolset in Attacks on Governments in Middle East
- Steganography alert: Backdoor spyware stashed in Microsoft logo
- Cyber Attacks Against Middle East Governments Hide Malware in Windows Logo
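The two hiding spots discussed in the 2022-10-02 item, a payload appended after the image data and a payload inside the pixel area of a bitmap that still opens as a picture, can both be checked by a scanner that does not stop at the file header. The following is an added example, not code from Symantec or from any of the linked reports: it builds a minimal BMP, plants a constructed, non-functional PE-like blob in each spot, and then analyzes the file the way such a scanner would. The single-byte XOR encoding, the "MZ"-plus-DOS-stub confirmation, the byte offsets and all sample data are assumptions made for the example and are not taken from the reported attack.

```python
import struct

# String present in the DOS stub of almost every PE file; used to confirm a decoded hit.
DOS_STUB = b"This program cannot be run in DOS mode"


def make_bmp(width, height, pixel_bytes):
    """Build a minimal 24-bit BMP (BITMAPFILEHEADER + BITMAPINFOHEADER) around pixel_bytes."""
    row_size = (width * 3 + 3) & ~3          # BMP rows are padded to 4-byte boundaries
    if len(pixel_bytes) != row_size * height:
        raise ValueError("pixel buffer does not match width/height")
    pixel_offset = 14 + 40
    file_size = pixel_offset + len(pixel_bytes)
    file_hdr = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, pixel_offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                           len(pixel_bytes), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(pixel_bytes)


def parse_bmp(data):
    """Return the header fields needed to know where the real image data ends."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _, declared_size, _, _, pixel_offset = struct.unpack_from("<2sIHHI", data, 0)
    _, width, height, _, bpp = struct.unpack_from("<IiiHH", data, 14)
    row_size = ((width * bpp + 31) // 32) * 4
    return {"declared_size": declared_size, "pixel_offset": pixel_offset,
            "image_end": pixel_offset + row_size * abs(height)}


def xor_scan(blob):
    """Look for a PE image hidden under a single-byte XOR key (an assumed encoding).

    For each candidate key, search for the encoded 'MZ' signature and confirm by
    decoding a 256-byte window and checking for the DOS stub string.
    Returns (key, offset) for the first confirmed hit, or None.
    """
    for key in range(256):
        encoded_magic = bytes(b ^ key for b in b"MZ")
        pos = blob.find(encoded_magic)
        while pos != -1:
            window = bytes(b ^ key for b in blob[pos:pos + 256])
            if DOS_STUB in window:
                return key, pos
            pos = blob.find(encoded_magic, pos + 1)
    return None


def analyze_bmp(data):
    """Flag both hiding spots: bytes after the declared image, and bytes inside the pixel area."""
    hdr = parse_bmp(data)
    image_end = hdr["image_end"]
    trailing = data[image_end:]
    return {
        "size_mismatch": hdr["declared_size"] != len(data),
        "trailing_bytes": len(trailing),
        "trailing_pe": xor_scan(trailing) if trailing else None,
        "pixel_pe": xor_scan(data[hdr["pixel_offset"]:image_end]),
    }


# --- constructed samples; FAKE_PE is a stand-in blob, not an executable ---
FAKE_PE = (b"MZ" + b"\x90" * 0x40
           + b"This program cannot be run in DOS mode.\r\n$" + b"\x00" * 32)


def xor_bytes(buf, key):
    return bytes(b ^ key for b in buf)


def gradient(n):
    """Deterministic filler pixel bytes so the samples are reproducible."""
    return bytes((i * 7) % 256 for i in range(n))


CLEAN = make_bmp(8, 8, gradient(24 * 8))
# 1) payload appended past the declared end of the image, XORed with key 0x5A
APPENDED = CLEAN + xor_bytes(FAKE_PE, 0x5A)
# 2) payload written over the pixel area at offset 100, XORed with key 0x37
pixels = bytearray(gradient(48 * 16))
pixels[100:100 + len(FAKE_PE)] = xor_bytes(FAKE_PE, 0x37)
EMBEDDED = make_bmp(16, 16, pixels)

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("appended", APPENDED), ("embedded", EMBEDDED)):
        print(name, analyze_bmp(sample))
```

The declared-size-versus-actual-size comparison is the cheap, reliable check and is what the appended-payload trick relies on a scanner skipping. The pixel-area scan only catches the crude case where payload bytes overwrite pixels under a one-byte key; an encoder using a longer key or least-significant-bit embedding would need a different detector, which is one more reason to pull the referenced image and IOCs from the Symantec write-up rather than rely on a generic scan.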
Updated on 2022-09-30
In an ongoing cyberespionage campaign, the hacking group Witchetty has been found targeting two governments in the Middle East and a stock exchange in Africa. It is believed that Witchetty has close ties with the state-backed Chinese threat actor APT10, aka Cicada, and is also part of the TA410 umbrella group. Read more: Hacking group hides backdoor malware inside Windows logo image
Broadcom’s Symantec team has a report out on Witchetty, a sub-group of the Chinese-linked APT10 cyber-espionage group that has “targeted the governments of two Middle Eastern countries and the stock exchange of an African nation.” According to Symantec, the attacks took place between February and September 2022, and the group heavily relied on the ProxyShell and ProxyLogon vulnerabilities for these intrusions. Read more: Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East