Symantec - Malicious Windows logo campaign

A backdoor hidden in a Windows logo

A malicious campaign initiated by cybercriminal group Witchetty relies on steganography to hide a backdoor in an image of the Windows logo.

The company Symantec has published a new report describing a malicious campaign initiated in February 2022 by hackers from the Witchetty group (also known as LookingFrog), which is suspected of having close links with the Chinese group APT10. In this campaign, the attackers exploit several vulnerabilities and rely on steganography to deliver the malware without being detected by antivirus software. Thanks to this technique, the malware is embedded in an image file which, at first glance, seems harmless: in this case, a Windows logo in Bitmap format.

[Image] Windows logo with a backdoor – Source: Symantec

According to Symantec, the Windows logo is displayed correctly, but it contains a backdoor encrypted with the XOR method. As proof that this technique is difficult to detect, the image file is hosted on GitHub rather than on the attackers' own infrastructure. "By disguising the payload this way, the attackers were able to host it on a free and reliable service. Downloads from trusted hosts such as GitHub are much less likely to trigger alerts than downloads from an attacker-driven command and control (C&C) server," says Symantec.
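As an added defensive example (not Symantec's code or tooling), the following Python parses a BMP's headers and flags any high-entropy bytes that sit beyond the pixel array, which is one place an XOR-encrypted payload can ride inside an image that still displays correctly. It assumes the payload is appended after the pixel data, which the report does not specify; the sample image and the trailing bytes are constructed here, not taken from the campaign.

```python
import math
import struct

# Constructed stand-in for an XOR-encrypted blob: 256 distinct byte values,
# so it has maximal entropy (8.0 bits/byte) like real ciphertext would.
SAMPLE_OVERLAY = bytes((i * 73 + 41) & 0xFF for i in range(256))


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: near 8.0 for encrypted/compressed data, low for plain text."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_bmp(data: bytes) -> dict:
    """Parse BMP headers and report bytes that sit past the end of the pixel array."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    # BITMAPFILEHEADER after the 'BM' magic: bfSize, bfReserved1, bfReserved2, bfOffBits
    bf_size, _, _, off_bits = struct.unpack_from("<IHHI", data, 2)
    # BITMAPINFOHEADER fields needed to size the pixel array: width, height, planes, bpp
    width, height, _planes, bpp = struct.unpack_from("<iiHH", data, 18)
    row_size = ((width * bpp + 31) // 32) * 4  # each pixel row is padded to 4 bytes
    pixel_end = off_bits + row_size * abs(height)
    overlay = data[pixel_end:]
    return {
        "declared_size": bf_size,
        "actual_size": len(data),
        "size_mismatch": bf_size != len(data),
        "overlay_len": len(overlay),
        "overlay_entropy": round(shannon_entropy(overlay), 2),
        "suspicious": len(overlay) > 0,
    }


def build_bmp(width: int, height: int, bgr: bytes = b"\x00\x00\xff") -> bytes:
    """Constructed sample: a solid-colour 24-bit BMP, used only as test input."""
    row_size = ((width * 24 + 31) // 32) * 4
    pixels = b"".join((bgr * width).ljust(row_size, b"\x00") for _ in range(height))
    off_bits = 14 + 40
    file_header = b"BM" + struct.pack("<IHHI", off_bits + len(pixels), 0, 0, off_bits)
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + dib + pixels


if __name__ == "__main__":
    clean = build_bmp(2, 2)
    print("clean image:   ", inspect_bmp(clean))
    print("with overlay:  ", inspect_bmp(clean + SAMPLE_OVERLAY))
```

A real triage run would apply `inspect_bmp` to images fetched from trusted hosting such as GitHub, since the page notes those downloads rarely trigger alerts on their own.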

ProxyLogon and ProxyShell as entry point

However, this image is not used as the initial infection vector, since the hackers first seek to exploit well-known vulnerabilities affecting Exchange servers. No, I am not referring to the two zero-day flaws that have just been revealed, but rather to the ProxyLogon and ProxyShell vulnerabilities. Other threats, such as ransomware, also exploit these vulnerabilities to compromise infrastructures.

Once the infrastructure is compromised, the cybercriminals deploy the backdoor hidden in the Windows logo. With it, they are able to perform various actions: manage files and folders; start, list and kill processes; edit the Windows Registry; exfiltrate data; and download malicious payloads and additional tools (Mimikatz, for example).


