Even the Windows logo is not immune to malware

It seems that even the iconic Windows logo is no longer safe from malware, as some cybercriminals have managed to hide malicious code inside it.

Cybersecurity experts at Symantec say they detected one such campaign that hides malicious code in innocuous-looking images, a technique known as steganography.

This is usually done to avoid detection by antivirus programs, as these solutions rarely detect images as malicious.

Targeting governments

In this particular case, the group behind the steganography attacks is called Witchetty, a known threat actor believed to be closely linked to the Chinese state-sponsored actor Cicada (AKA APT10), and also considered part of the TA410 group, which previously attacked US energy providers.

The group launched its latest campaign in February 2022, targeting at least two governments in the Middle East.

An attack on an exchange in Africa is also believed to be still active. Witchetty used steganography to hide an XOR-encrypted backdoor, which was hosted on a cloud service, minimizing its chances of detection. To place webshells on vulnerable endpoints, the attackers exploited the known Microsoft Exchange ProxyShell vulnerabilities for initial access: CVE-2021-34473, CVE-2021-34523, CVE-2021-31207, CVE-2021-26855 and CVE-2021-27065.
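The article describes two evasion layers: a payload hidden in an image file (steganography) and XOR encryption of the backdoor itself. The script below is an added example, not from the article or from Symantec, showing one defender-side heuristic for such files: it checks whether a PNG or BMP carries extra bytes after the point where the image format says the file should end, and, if so, probes that trailing data for a single-byte-XOR-encoded PE executable by looking for the `MZ` and `PE\0\0` signatures. The appended-data layout, the single-byte key and the sample image bytes are assumptions constructed for illustration; the article does not say how Witchetty embedded its payload.

```python
"""Heuristic check for a payload appended after an image's end-of-image marker,
plus a single-byte XOR probe for a hidden PE header.
Added example; all sample bytes below are constructed, not real malware."""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_trailing_bytes(data: bytes) -> bytes:
    """Return bytes that follow the IEND chunk of a PNG (b'' if none or not PNG)."""
    if not data.startswith(PNG_SIG):
        return b""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 8 + length + 4  # chunk header + data + CRC
        if ctype == b"IEND":
            return data[pos:]
    return b""


def bmp_trailing_bytes(data: bytes) -> bytes:
    """Return bytes past the total file size the BMP header declares at offset 2."""
    if not data.startswith(b"BM") or len(data) < 6:
        return b""
    declared = struct.unpack("<I", data[2:6])[0]
    return data[declared:] if len(data) > declared else b""


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def xor_pe_probe(blob: bytes, min_len: int = 64):
    """Try every single-byte XOR key; return the key if the decoded blob
    starts with 'MZ' and has 'PE\\0\\0' at e_lfanew, else None."""
    if len(blob) < min_len:
        return None
    for key in range(256):
        if blob[0] ^ key != 0x4D or blob[1] ^ key != 0x5A:
            continue
        dos_header = xor_bytes(blob[:64], key)
        e_lfanew = struct.unpack("<I", dos_header[60:64])[0]
        if e_lfanew + 4 <= len(blob):
            if xor_bytes(blob[e_lfanew:e_lfanew + 4], key) == b"PE\0\0":
                return key
    return None


def scan_image(data: bytes) -> dict:
    """Flag trailing data after the image and whether it looks like an XOR'd PE."""
    trailing = png_trailing_bytes(data) or bmp_trailing_bytes(data)
    if not trailing:
        return {"appended_bytes": 0, "xor_key": None, "verdict": "clean"}
    key = xor_pe_probe(trailing)
    verdict = "xor-encoded PE appended" if key is not None else "unexplained trailing data"
    return {"appended_bytes": len(trailing), "xor_key": key, "verdict": verdict}


# --- constructed sample inputs (assumptions for the demo) ---------------------

def _chunk(ctype: bytes, payload: bytes) -> bytes:
    crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)


def build_sample_png(extra: bytes = b"") -> bytes:
    """Minimal valid 1x1 RGB PNG, optionally with bytes appended after IEND."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\xff\xff\xff")  # filter byte + one white pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"") + extra


def build_fake_pe() -> bytes:
    """Header-only stand-in for an executable: 'MZ', e_lfanew=0x80, 'PE\\0\\0'. Not runnable code."""
    hdr = bytearray(0x84 + 16)
    hdr[0:2] = b"MZ"
    hdr[60:64] = struct.pack("<I", 0x80)
    hdr[0x80:0x84] = b"PE\0\0"
    return bytes(hdr)


if __name__ == "__main__":
    print(scan_image(build_sample_png()))
    print(scan_image(build_sample_png(xor_bytes(build_fake_pe(), 0x5A))))
```

The check is deliberately narrow: it only catches data appended after the image, and only a single-byte XOR key. A payload woven into pixel data, or encrypted with a multi-byte key, would pass it; what remains useful in those cases is the article's own observation that the image was fetched from a trusted host, so logging which process downloaded an image and what it did with the bytes afterwards matters more than the image check alone.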

“Hiding the payload in this way allowed the attackers to host it on a free and trusted service,” Symantec said. "Downloads from trusted hosts like GitHub are much less likely to raise red flags than downloads from an attacker-controlled command and control (C&C) server."

The XOR-encrypted backdoor allows the threat actors to do a number of things, including manipulating files and folders, starting and stopping processes, modifying the Windows registry, downloading additional malware, stealing documents, and turning the compromised endpoint into a C2 server.

The last time we heard about Cicada was in April 2022, when researchers reported that the group abused the popular VLC media player to distribute malware and spy on government agencies and related organizations located in the United States, Canada, Hong Kong, Turkey, Israel, India, Montenegro and Italy.

Via: BleepingComputer