It seems that not even the iconic Windows logo is safe from malware (opens in new tab) anymore, as some cybercriminals managed to efficiently conceal malicious code inside it.
Cybersecurity consultants at Symantec declare to have noticed one such marketing campaign utilizing a strategy of hiding malicious code in in any other case innocent pictures, in any other case generally known as steganography.
It is often finished to keep away from detection by antivirus packages, as such options not often detect pictures as malicious.
Going after governments
In this explicit case, the group engaged in steganography assaults known as Witchetty, a recognized threat-actor allegedly strongly tied to the Chinese state-sponsored actor Cicada (AKA APT10), and likewise thought-about a part of the TA410 group that has focused US vitality suppliers in the previous.
The group kicked off its newest marketing campaign in February 2022, concentrating on at the least two governments in the Middle East.
What’s extra, an assault in opposition to a inventory alternate in Africa is allegedly nonetheless energetic. Witchetty used steganography assaults to cover an XOR-encrypted backdoor, which was hosted on a cloud service, minimizing its possibilities of detection. To drop webshells on weak endpoints (opens in new tab)the attackers exploited recognized Microsoft Exchange ProxyShell vulnerabilities for preliminary entry: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855, and CVE-2021-27065.
“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service,” Symantec stated. “Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server.”
The XOR-encrypted backdoor permits risk actors to do a lot of issues, together with tampering with recordsdata and folders, working and terminating processes, tweaking the Windows Registry, downloading further malware, stealing paperwork, in addition to turning the compromised endpoint right into a C2 server .
Last time we heard of Cicada was in April 2022, when researchers reported the group had abused the well-liked VLC media participant to distribute malware and spy on authorities businesses and adjoining organizations situated in the US, Canada, Hong Kong, Turkey, Israel, India, Montenegro, and Italy.
Via: BleepingComputer (opens in new tab)