
Cicada aka APT10 deployed new LODEINFO malware variant

Updated on 2022-11-02

Kaspersky published two reports on Monday on LODEINFO, a backdoor that is part of the arsenal of the APT10 Chinese cyber-espionage group. Read more: APT10: Tracking down LODEINFO 2022, part II

Updated on 2022-11-01

The Chinese hacking group Cicada, aka APT10, was found abusing antivirus software to deploy a new variant of the LODEINFO malware against Japanese organizations. Read more: APT10: Tracking down LODEINFO 2022, part I

Updated on 2022-10-02

Researchers from Symantec’s Threat Hunter Team detected an espionage group using steganography to further their activities. The Witchetty espionage group exploited five ProxyShell and ProxyLogon vulnerabilities to install web shells, then stole access credentials and began moving laterally through compromised networks. The steganographic portion of the attack hides malicious code in a Windows logo graphic. The steganographic bitmap image is deployed with the help of a backdoor Trojan.

Note

  • This looks like yet another example where the attacker attached an obfuscated executable to an image (which isn’t steganography in my opinion), and used a common cloud service to deliver the image. Lazy detection systems often ignore content past the initial header and this trick isn’t new but effective. Catchy headline, but nothing really new.
  • Steganography is very interesting and capturing the source image is tempting. Use care handling it if you go down that path. This attack is new functionality added to the LookBack backdoor and the image (the jacked-up Windows logo) is stored on a GitHub repository. The Symantec blog has IOCs for you to incorporate. The attack is leveraging weaknesses in public-facing services, e.g., Exchange. The best mitigation is to actively update any public-facing services and regularly verify they are running current security configurations.
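The first note above makes a detection point: the "steganography" amounts to bytes appended after a valid image, which scanners that stop at the image header never see. As an added example (not code from this page or from Symantec), the following check parses PNG chunks up to IEND, or recomputes the pixel-array end of an uncompressed BMP from its width/height/bpp rather than trusting the header's declared size, and flags any trailing bytes. The sample images and the "MZ" tail are constructed here; only PNG and BITMAPINFOHEADER-style BMP are assumed.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_end(data):
    """Walk PNG chunks; return the offset just past IEND's CRC, or None if malformed."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length            # 4 length + 4 type + payload + 4 CRC
        if ctype == b"IEND":
            return pos
    return None

def bmp_end(data):
    """Recompute where the pixel array ends instead of trusting bfSize (easily forged)."""
    if len(data) < 54:
        return None
    off_bits = struct.unpack_from("<I", data, 10)[0]
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    row = ((bpp * width + 31) // 32) * 4   # rows are padded to 4-byte boundaries
    return off_bits + row * abs(height)

def trailing_bytes(data):
    """Bytes past the parsed image structure; b"" if none, None if not PNG/BMP."""
    if data.startswith(PNG_SIG):
        end = png_end(data)
    elif data[:2] == b"BM":
        end = bmp_end(data)
    else:
        return None
    return b"" if end is None or end >= len(data) else data[end:]

def classify(data):
    tail = trailing_bytes(data)
    if tail is None:
        return "not-an-image"
    if not tail:
        return "clean"
    return "appended-pe" if tail.startswith(b"MZ") else "appended-unknown"

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a 1x1 PNG, a 1x1 24-bit BMP, and a placeholder "MZ" blob (not a real executable).
SAMPLE_PNG = PNG_SIG + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) \
    + _chunk(b"IDAT", zlib.compress(b"\x00\xff\xff\xff")) + _chunk(b"IEND", b"")
SAMPLE_BMP = b"BM" + struct.pack("<IHHI", 58, 0, 0, 54) \
    + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0) + b"\xff\xff\xff\x00"
FAKE_PE = b"MZ" + b"\x90" * 64
```

Run `classify()` over files pulled from mail or web proxies; anything other than "clean" on an image MIME type deserves a closer look.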

Read more in

Updated on 2022-09-30

In an ongoing cyberespionage campaign, the hacking group Witchetty has been found targeting two governments in the Middle East and a stock exchange in Africa. It is believed that Witchetty has close ties with the state-backed Chinese threat actor APT10, aka Cicada, and is also part of the TA410 group. Read more: Hacking group hides backdoor malware inside Windows logo image

Overview

Broadcom’s Symantec team has a report out on Witchetty, a sub-group of the Chinese-linked APT10 cyber-espionage group that has “targeted the governments of two Middle Eastern countries and the stock exchange of an African nation.” According to Symantec, the attacks took place between February and September 2022, and the group heavily relied on the ProxyShell and ProxyLogon vulnerabilities for these intrusions. Read more: Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two children. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
