SecurityWeek

Cyberwarfare

Chinese Cyberespionage Group ‘Witchetty’ Updates Toolset in Recent Attacks

Chinese cyberespionage group Witchetty has been observed updating its toolset in recent attacks targeting entities in the Middle East and Africa, Symantec reports.

Also referred to as LookingFrog, Witchetty is believed to be part of Cicada, the Chinese advanced persistent threat (APT) actor also known as APT10 and Stone Panda.

Initially focused on Japanese targets, Cicada was seen earlier this year expanding its target list to include entities in multiple countries worldwide, including Europe, Asia, and North America.

As part of the recently observed Witchetty activity, Symantec identified as targets the governments of two countries in the Middle East, as well as the stock exchange in a country in Africa.

For initial compromise, the hacking group is believed to have targeted the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server to install web shells. Next, they proceeded with credential theft, lateral movement, and malware deployment.

Traditionally, Witchetty has been observed targeting government entities, diplomatic missions, charities, and manufacturers with two backdoors, namely the first-stage X4 and the second-stage LookBack.

Starting April 2022, the cyberspies were seen adding new malware to their arsenal, including the Stegmap backdoor, which relies on steganography to extract a payload from a bitmap image.

The infection chain involves the use of a DLL loader to fetch from GitHub a bitmap file that appears to be a Microsoft Windows logo, but which contains malicious code hidden inside.
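The article does not describe how Stegmap hides its payload, so the following defender-side check, added here and not taken from Symantec's or SecurityWeek's reporting, looks only for the structural tell a logo file should never show: data beyond the declared pixel array. The sample image and the appended blob are constructed for the demonstration; `inspect_bmp` and `make_bmp` are names chosen here.

```python
import struct

FILE_HDR = "<2sIHHI"   # BITMAPFILEHEADER: magic, bfSize, reserved1, reserved2, bfOffBits
INFO_HDR = "<IiiHHII"  # first 24 bytes of BITMAPINFOHEADER: biSize, biWidth, biHeight,
                       # biPlanes, biBitCount, biCompression, biSizeImage

def inspect_bmp(data: bytes) -> dict:
    """Parse the BMP headers and flag bytes that a genuine logo would not carry."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP file")
    _magic, bf_size, _r1, _r2, off_bits = struct.unpack_from(FILE_HDR, data, 0)
    _bi_size, width, height, _planes, bpp, compression, size_image = struct.unpack_from(INFO_HDR, data, 14)
    # Rows are padded to 4-byte boundaries; compute the true pixel-array length.
    stride = ((width * bpp + 31) // 32) * 4
    pixel_bytes = stride * abs(height)
    expected_end = off_bits + pixel_bytes
    trailing = len(data) - expected_end
    findings = []
    if bf_size != len(data):
        findings.append(f"header bfSize={bf_size} but file is {len(data)} bytes")
    if compression == 0 and trailing > 0:
        findings.append(f"{trailing} bytes after the pixel array")
    if compression == 0 and size_image not in (0, pixel_bytes):
        findings.append(f"biSizeImage={size_image} disagrees with computed {pixel_bytes}")
    return {"width": width, "height": height, "bpp": bpp, "pixel_bytes": pixel_bytes,
            "trailing_bytes": max(trailing, 0), "findings": findings}

def make_bmp(width: int, height: int, extra: bytes = b"", fix_header: bool = False) -> bytes:
    """Constructed 24-bit sample image; `extra` simulates bytes appended after the pixels.
    With fix_header=True the bfSize field is adjusted so only the trailing-bytes check fires."""
    stride = ((width * 24 + 31) // 32) * 4
    pixels = bytes(stride * height)
    off_bits = 14 + 40
    bf_size = off_bits + len(pixels) + (len(extra) if fix_header else 0)
    file_hdr = struct.pack(FILE_HDR, b"BM", bf_size, 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + pixels + extra

if __name__ == "__main__":
    for label, img in (("clean", make_bmp(4, 4)),
                       ("appended", make_bmp(4, 4, extra=b"\x90" * 100, fix_header=True))):
        print(label, inspect_bmp(img)["findings"])
```

A payload woven into the pixel values themselves passes this check unchanged, so treat it as one triage signal for image downloads from public code-hosting services, not a verdict.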


“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service. Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server,” Symantec notes.

The Stegmap backdoor supports commands to create/remove directories, manipulate files, launch/terminate a process, download and run executables, steal files, enumerate and kill processes, and read, create, and delete registry keys.

As part of the observed attacks, the hackers also employed a set of custom tools, including a proxy utility (which uses a protocol similar to SOCKS5 but acts as a server), a port scanner, and a persistence utility (which adds itself to autostart under a registry key posing as an Nvidia entry).

According to Symantec, the attackers started their malicious activity on the network of one of the compromised Middle Eastern governments in late February 2022, and continued to actively connect to the environment until September 1.

During this timeframe, the hackers made multiple attempts to obtain credentials through memory dumps, performed network enumeration, deployed backdoors and web shells, executed various commands, installed the aforementioned custom tools, and moved laterally.

“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest. Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations,” Symantec concludes.

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

Related: Chinese Cyberspies Seen Using macOS Variant of ‘Gimmick’ Malware

Related: U.S. State Governments Targeted by Chinese Hackers via Zero-Day in Agriculture Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
