Brand Image Coded with a Backdoor
Security researchers have uncovered a malicious campaign aimed at organizations running Microsoft software. The activity has been attributed to the threat group known as "Witchetty", which is notable for its use of steganography: in this campaign the group hid its backdoor inside an image of the Windows logo.
Witchetty is believed to be a subgroup of TA410, a cyber espionage group that has been linked to the Chinese state-sponsored actor APT10 (also known as "Cicada"). TA410 has previously conducted coordinated espionage against the United States energy sector.
The Symantec security team tracking the group reports that a campaign which began in February 2022 was still active at the time of writing. The ongoing espionage activity has predominantly targeted a stock exchange in an African country and the governments of two Middle Eastern countries.
The Windows logo is not the target but the carrier. According to the Symantec team, the group's updated toolset, used against organizations running Microsoft Exchange Server, gains its initial foothold by exploiting unpatched vulnerabilities and then hides its backdoor inside the logo image using steganography. Concealing the payload this way helps it slip past antivirus scanning, which has no obvious executable to inspect.
Steganography is the practice of hiding data inside an otherwise ordinary file, most commonly an image. Because the carrier still opens and displays as a normal picture, it looks benign to users and to many security tools, and the embedded malicious code is not exposed until something on the host extracts and decodes it. An attacker therefore builds an image file with the payload embedded in it, and the image continues to display correctly, even on a machine that has already been compromised.
According to Symantec, Witchetty is one of the few threat actors observed using steganography in its intrusion campaigns. In this case the group took an old version of the Windows logo bitmap and hid an XOR-encrypted backdoor inside it.
Symantec also notes that disguising the payload this way lets the group host and distribute it through a free, widely trusted service: the doctored image was stored on GitHub.
An image of one of the Internet's best-known brands, fetched from a reputable platform, is unlikely to trigger a security alert or to raise an analyst's suspicion. A download from a command-and-control (C&C) server operated by the attackers, by contrast, is far more likely to be flagged.
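The following is an added example, not code from Symantec or from the campaign, showing the technique the paragraphs above describe and the check a defender can run against it. It assumes the payload is appended after the bitmap's pixel data (the page does not say exactly where in the image Witchetty placed it; appending past the declared file size is one common way to do it, and image viewers ignore the extra bytes). The 4x4 bitmap, the XOR key `Win32Logo` and the fake "MZ" payload are all constructed here for illustration.

```python
import struct
from itertools import cycle


def make_bmp(width=4, height=4, color=(0xB4, 0x72, 0x00)):
    """Build a tiny 24-bit BMP in memory (constructed stand-in for the logo)."""
    row = bytes(color) * width
    pad = (4 - len(row) % 4) % 4            # BMP rows are padded to 4 bytes
    pixels = (row + b"\x00" * pad) * height
    file_size = 14 + 40 + len(pixels)       # file header + DIB header + pixels
    header = struct.pack("<2sIHHI", b"BM", file_size, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                      len(pixels), 2835, 2835, 0, 0)
    return header + dib + pixels


def xor_bytes(data, key):
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def embed_payload(bmp, payload, key):
    """Attacker side: append the XOR-encrypted payload after the pixel array.
    The image still renders because viewers stop at the declared size."""
    return bmp + xor_bytes(payload, key)


def declared_size(bmp):
    """File size the BMP header claims (offset 2, little-endian uint32)."""
    return struct.unpack_from("<I", bmp, 2)[0]


def trailing_bytes(bmp):
    """Defender side: bytes beyond the declared size are a steganography indicator."""
    return bmp[declared_size(bmp):]


def has_suspicious_trailer(bmp, min_trailer=16):
    """Flag images carrying more than a few stray bytes after the pixel data."""
    return len(trailing_bytes(bmp)) >= min_trailer


def extract_payload(bmp, key):
    """Recover the hidden payload when the XOR key is known (e.g. from the loader)."""
    return xor_bytes(trailing_bytes(bmp), key)


def guess_single_byte_key(ciphertext, crib=b"MZ"):
    """Brute-force a single-byte XOR key using a known plaintext prefix
    (a PE file starts with 'MZ'). Returns the key or None; repeating keys
    longer than one byte need a longer crib and are not handled here."""
    for k in range(256):
        if xor_bytes(ciphertext[:len(crib)], bytes([k])) == crib:
            return k
    return None


if __name__ == "__main__":
    payload = b"MZ" + b"\x90" * 30 + b"constructed fake backdoor"
    clean = make_bmp()
    doctored = embed_payload(clean, payload, b"Win32Logo")
    print("clean image trailer bytes:", len(trailing_bytes(clean)))
    print("doctored image trailer bytes:", len(trailing_bytes(doctored)))
    print("recovered:", extract_payload(doctored, b"Win32Logo")[:2])
```

Running the trailer check over an image store is cheap and catches this particular placement regardless of the XOR key; it will not catch payloads woven into the pixel data itself, which needs statistical or known-carrier comparison instead.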
Initial Access Through Microsoft Exchange Server
Although Exchange Server zero-days have featured in past attacks, this campaign relies on known and already-patched vulnerabilities. The entry points are the ProxyShell chain (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) and the ProxyLogon chain (CVE-2021-26855 and CVE-2021-27065).
Exploiting these vulnerabilities lets the attackers install web shells on unpatched, Internet-facing Exchange servers. With that foothold they retrieve the doctored logo image, decode the XOR-encrypted backdoor hidden inside it, and use it to move through the victim's network and steal data.
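As an added example (not Symantec's tooling or the campaign's own code), the script below runs two simple detection rules over IIS W3C log lines from an Exchange front end: the ProxyShell path-confusion request, which hits `/autodiscover/autodiscover.json` with a query beginning `@<domain>/` and naming a back-end endpoint such as `/mapi/nspi` or `/powershell`, and requests for `.aspx` files under `/owa/auth/` or `/aspnet_client/` that are not in a small allowlist, where dropped web shells are commonly found. The log lines are constructed, the `LEGIT_ASPX` allowlist is an illustrative assumption that a real deployment should build from its own server, and the ProxyLogon SSRF stage is not covered because its `X-BEResource` cookie does not appear in default IIS logs.

```python
import re

# Constructed IIS W3C log excerpt (not real traffic).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2022-02-14 08:12:05 10.0.0.5 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.test%2fowa%2f 443 - 192.0.2.10 Mozilla/5.0 200
2022-02-14 08:12:41 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.27 200
2022-02-14 08:13:02 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell?Email=autodiscover/autodiscover.json%3F@evil.example 443 - 198.51.100.23 python-requests/2.27 200
2022-02-14 08:15:19 10.0.0.5 POST /aspnet_client/supp0rt.aspx - 443 - 198.51.100.23 python-requests/2.27 200
2022-02-14 08:16:00 10.0.0.5 GET /owa/auth/errorFE.aspx httpCode=404 443 - 192.0.2.10 Mozilla/5.0 200
"""

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status"]

# Directories where Exchange web shells are commonly dropped.
WEBSHELL_DIRS = re.compile(r"^/(owa/auth|aspnet_client)/[^/]+\.aspx$", re.I)
# Assumption: illustrative allowlist of legitimate .aspx files in those directories.
LEGIT_ASPX = {"logon.aspx", "logoff.aspx", "errorfe.aspx"}
# Back-end endpoints the ProxyShell path confusion is used to reach.
BACKEND_TARGETS = ("/mapi/nspi", "/powershell", "/ews/")


def parse(log_text):
    """Yield one dict per data line; '#' directive lines are skipped.
    IIS writes spaces inside fields as '+', so splitting on whitespace is safe."""
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line; a real pipeline would log and count these
        yield dict(zip(FIELDS, parts))


def classify(entry):
    """Return a verdict string for a suspicious request, or None."""
    stem = entry["cs-uri-stem"].lower()
    query = entry["cs-uri-query"].lower()
    # ProxyShell (CVE-2021-34473): '/autodiscover/autodiscover.json?@host/<backend>'
    if (stem == "/autodiscover/autodiscover.json" and query.startswith("@")
            and any(target in query for target in BACKEND_TARGETS)):
        return "proxyshell-path-confusion"
    # Unknown .aspx in a web-shell drop directory.
    if WEBSHELL_DIRS.match(stem):
        filename = stem.rsplit("/", 1)[1]
        if filename not in LEGIT_ASPX:
            return "possible-webshell"
    return None


def scan(log_text):
    """Return (client IP, URI stem, verdict) for every flagged request."""
    hits = []
    for entry in parse(log_text):
        verdict = classify(entry)
        if verdict:
            hits.append((entry["c-ip"], entry["cs-uri-stem"], verdict))
    return hits


if __name__ == "__main__":
    for ip, uri, verdict in scan(SAMPLE_LOG):
        print(f"{verdict:28} {ip:16} {uri}")
```

In the constructed excerpt the script flags the two autodiscover requests and the unknown `supp0rt.aspx`, all from the same client, while the ordinary OWA logon traffic passes. On a real server, pair these rules with the patch level check: any match on a host that is still missing the 2021 Exchange cumulative updates should be treated as a likely compromise, not just an attempt.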
Once decoded and running, the backdoor concealed in the image file lets the attackers:
Create, list, move and delete files and directories.
Start, list or terminate processes.
Read, create and delete Windows Registry keys.
Download additional payloads.
Exfiltrate files from the host.