An emerging cyber-espionage threat group has been hitting targets in the Middle East and Africa with a novel backdoor dubbed "Stegmap," which uses the rarely seen steganography technique to hide malicious code in a hosted image.
Recent attacks show the group — called Witchetty, aka LookingFrog — fortifying its tool set, adding sophisticated evasion tactics, and exploiting known Microsoft Exchange vulnerabilities ProxyShell and ProxyLogon. Researchers from Symantec Threat Hunter observed the group installing webshells on public-facing servers, stealing credentials, and then spreading laterally across networks to propagate malware, they revealed in a blog post published Sept. 29.
In attacks between February and September, Witchetty targeted the governments of two Middle Eastern countries and the stock exchange of an African nation in attacks that used the aforementioned vector, they said.
ProxyShell comprises three known and patched flaws — CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 — while ProxyLogon comprises two, CVE-2021-26855 and CVE-2021-27065. Both have been exploited widely by threat actors since they were first revealed in August 2021 and December 2020, respectively — attacks that persist as many Exchange Servers remain unpatched.
Witchetty's recent activity also shows that the group has added a new backdoor to its arsenal, called Stegmap, which employs steganography — a stealthy technique that stashes the payload in an image to avoid detection.
How the Stegmap Backdoor Works
In its recent attacks, Witchetty continued to use its existing tools, but also added Stegmap to flesh out its arsenal, the researchers said. The backdoor uses steganography to extract its payload from a bitmap image, leveraging the technique "to disguise malicious code in seemingly innocuous-looking image files," they said.
The tool uses a DLL loader to download a bitmap file that appears to be an old Microsoft Windows logo from a GitHub repository. "However, the payload is hidden within the file and is decrypted with an XOR key," the researchers said in their post.
By disguising the payload in this way, attackers can host it on a free, trusted service that is far less likely to raise a red flag than an attacker-controlled command-and-control (C2) server, they noted.
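The post describes the mechanism only at a high level: a bitmap hosted on a trusted service, a payload hidden in the file, and an XOR key to decrypt it. The following added example (not Symantec's or Witchetty's code) shows the triage a defender can run on a suspect image before any detonation. It assumes one common embedding choice, a blob appended after the bitmap's declared pixel array, and a single-byte XOR key; the BMP it builds and the hidden bytes it appends are constructed here, and the "MZ" known-plaintext check simply tests whether any of the 256 keys turns the trailing bytes into something that starts like a Windows executable.

```python
"""Triage a BMP for data hidden beyond the declared pixel array.

Added example, not code from the blog post or the threat group. A BMP
header states where the pixel array begins and how large it is; bytes
past that point are never rendered, so they are a natural place to stash
a blob. Single-byte XOR of a PE file leaves 'MZ' recoverable by trying
every key, which is the known-plaintext check used below.
"""
import math
import struct
from typing import Dict, Optional


def bmp_pixel_end(data: bytes) -> int:
    """Return the offset just past the pixel array the header declares."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    pixel_offset = struct.unpack_from("<I", data, 10)[0]
    # BITMAPINFOHEADER fields: width@18, height@22, bpp@28, compression@30, image size@34
    width, height = struct.unpack_from("<ii", data, 18)
    bpp = struct.unpack_from("<H", data, 28)[0]
    compression = struct.unpack_from("<I", data, 30)[0]
    image_size = struct.unpack_from("<I", data, 34)[0]
    if compression == 0:  # BI_RGB: size follows from geometry, rows padded to 4 bytes
        row_bytes = ((width * bpp + 31) // 32) * 4
        image_size = row_bytes * abs(height)
    return pixel_offset + image_size


def shannon_entropy(blob: bytes) -> float:
    """Bits per byte; XOR-encrypted or compressed data sits near 8, text much lower."""
    if not blob:
        return 0.0
    counts = [0] * 256
    for b in blob:
        counts[b] += 1
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def xor_bytes(blob: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in blob)


def recover_single_byte_xor(blob: bytes, marker: bytes = b"MZ") -> Optional[int]:
    """Return the key under which blob begins with marker, or None if no key fits."""
    for key in range(256):
        if xor_bytes(blob[: len(marker)], key) == marker:
            return key
    return None


def triage_bmp(data: bytes) -> Dict[str, object]:
    """Summarise anything trailing the pixel array: size, entropy, candidate XOR key."""
    trailing = data[bmp_pixel_end(data):]
    return {
        "trailing_bytes": len(trailing),
        "entropy": round(shannon_entropy(trailing), 2),
        "xor_key": recover_single_byte_xor(trailing) if trailing else None,
    }


def build_sample_bmp(hidden: bytes = b"") -> bytes:
    """Constructed 2x2 24-bit white BMP, optionally with bytes appended after the pixels."""
    width, height, bpp = 2, 2, 24
    row_bytes = ((width * bpp + 31) // 32) * 4  # 6 pixel bytes + 2 padding = 8
    pixels = (b"\xff\xff\xff" * width + b"\x00" * (row_bytes - 3 * width)) * height
    pixel_offset = 14 + 40
    file_header = b"BM" + struct.pack("<IHHI", pixel_offset + len(pixels), 0, 0, pixel_offset)
    info_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0, len(pixels), 2835, 2835, 0, 0)
    return file_header + info_header + pixels + hidden


# Constructed "hidden" bytes: a fake MZ header plus filler, XOR-ed with key 0x5A.
# This is not an executable, only enough to exercise the known-plaintext check.
SAMPLE_KEY = 0x5A
SAMPLE_HIDDEN = xor_bytes(b"MZ\x90\x00" + b"constructed filler, not a real payload", SAMPLE_KEY)

if __name__ == "__main__":
    print("clean image:", triage_bmp(build_sample_bmp()))
    print("image with appended blob:", triage_bmp(build_sample_bmp(SAMPLE_HIDDEN)))
```

Trailing bytes on their own are not proof of anything (some editors append metadata), so the entropy and key-recovery results are what turn the finding into a lead. The check covers only appended data; a payload spread across pixel least-significant bits would leave the declared geometry intact and needs a different test.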
The backdoor, once downloaded, performs typical backdoor functions, such as removing directories; copying, moving, and deleting files; starting new processes or killing existing ones; reading, creating, or deleting registry keys, or setting key values; and stealing local files.
In addition to Stegmap, Witchetty also added three other custom tools — a proxy utility for connecting to command-and-control (C2), a port scanner, and a persistence utility — to its quiver, the researchers said.
Evolving Threat Group
Witchetty first caught the attention of researchers at ESET in April. They identified the group as one of three subgroups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10) that typically targets US-based utilities as well as diplomatic organizations in the Middle East and Africa, the researchers said. The other subgroups of TA410, as tracked by ESET, are FlowingFrog and JollyFrog.
In initial activity, Witchetty used two pieces of malware — a first-stage backdoor known as X4 and a second-stage payload known as LookBack — to target governments, diplomatic missions, charities, and industrial/manufacturing organizations.
Overall, the recent attacks show the group emerging as a formidable and savvy threat that combines a knowledge of enterprise weak spots with its own custom tool development to take out "targets of interest," the Symantec researchers noted.
"Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations," they wrote in the post.
Specific Attack Details Against Government Agency
Specific details of an attack on a government agency in the Middle East reveal Witchetty maintaining persistence over the course of seven months and dipping in and out of the victim's environment to perform malicious activity at will.
The attack started on Feb. 27, when the group exploited the ProxyShell vulnerability to dump the memory of the Local Security Authority Subsystem Service (LSASS) process — which in Windows is responsible for enforcing the security policy on the system — and then continued from there.
Over the course of the next six months the group continued to dump processes; moved laterally across the network; exploited both ProxyShell and ProxyLogon to install webshells; installed the LookBack backdoor; executed a PowerShell script that could output the last login accounts on a particular server; and attempted to execute malicious code from C2 servers.
The last activity of the attack that researchers observed occurred on Sept. 1, when Witchetty downloaded remote files; decompressed a zip file with a deployment tool; and executed remote PowerShell scripts as well as its custom proxy tool to contact its C2 servers, they said.