
Chinese Cyberespionage Group ‘Witchetty’ Updates Toolset in Recent Attacks

Chinese cyberespionage group Witchetty has been observed updating its toolset in recent attacks targeting entities in the Middle East and Africa, Symantec reports.

Also referred to as LookingFrog, Witchetty is believed to be part of Cicada, the Chinese advanced persistent threat (APT) actor also known as APT10 and Stone Panda.

Cicada initially focused on Japanese targets, but earlier this year it was seen expanding its target list to include entities in multiple regions worldwide, including Europe, Asia, and North America.

As part of the recently observed Witchetty activity, Symantec identified as targets the governments of two countries in the Middle East, as well as the stock exchange in a country in Africa.

For initial compromise, the hacking group is believed to have targeted the ProxyShell and ProxyLogon vulnerabilities in Microsoft Exchange Server to install web shells. Next, they proceeded with credential theft, lateral movement, and malware deployment.

Traditionally, Witchetty has been observed targeting government entities, diplomatic missions, charities, and manufacturers with two backdoors, namely the first-stage X4 and the second-stage LookBack.

Starting April 2022, the cyberspies were seen adding new malware to their arsenal, including the Stegmap backdoor, which relies on steganography to extract a payload from a bitmap image.

The infection chain involves the use of a DLL loader to fetch from GitHub a bitmap file that appears to be a Microsoft Windows logo, but which contains malicious code hidden inside.
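The article does not describe how Stegmap stores its payload inside the bitmap, so the following is an added defensive example (not Symantec's analysis or the actor's code) of the kind of structural check a file-triage pipeline can run on BMP downloads: it parses the BMP file and DIB headers, derives the pixel-array size from the image geometry, and flags files whose actual length does not match what the headers imply (trailing data after the pixel array, a declared file size that disagrees with the real size, or an executable header in the surplus bytes). The sample images are constructed in the script; the tampered one carries a labelled placeholder blob, not a real payload. A bitmap that hides data purely inside pixel values would pass this check, so it is an indicator to combine with provenance and behavioural signals, not a verdict on its own.

```python
import struct

FILE_HEADER_FMT = "<2sIHHI"       # 'BM', file size, reserved x2, pixel-array offset (14 bytes)
DIB_HEADER_FMT = "<IiiHHII"       # size, width, height, planes, bpp, compression, image size (first 24 bytes)


def build_bmp(width: int, height: int, color=(0, 0, 0)) -> bytes:
    """Construct a minimal 24-bit BI_RGB bitmap (constructed sample data, not a captured file)."""
    stride = ((width * 24 + 31) // 32) * 4            # rows are padded to 4-byte boundaries
    row = bytes(color[::-1]) * width                  # BMP stores pixels as BGR
    row += b"\x00" * (stride - len(row))
    pixels = row * height
    pixel_offset = 14 + 40
    file_size = pixel_offset + len(pixels)
    file_header = struct.pack(FILE_HEADER_FMT, b"BM", file_size, 0, 0, pixel_offset)
    dib_header = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                             len(pixels), 2835, 2835, 0, 0)
    return file_header + dib_header + pixels


def inspect_bmp(data: bytes) -> dict:
    """Compare what the BMP headers promise with what the file actually contains."""
    findings = []
    if len(data) < 54 or data[:2] != b"BM":
        return {"valid_bmp": False, "suspicious": True, "trailing_bytes": 0,
                "findings": ["not a BMP: missing 'BM' signature or truncated header"]}

    _, declared_size, _, _, pixel_offset = struct.unpack_from(FILE_HEADER_FMT, data, 0)
    dib_size, width, height, _, bpp, compression, image_size = struct.unpack_from(DIB_HEADER_FMT, data, 14)

    if compression == 0:
        # BI_RGB: uncompressed, so the pixel-array size follows from the geometry alone
        stride = ((abs(width) * bpp + 31) // 32) * 4
        expected_pixels = stride * abs(height)        # negative height means top-down rows
    else:
        expected_pixels = image_size                  # compressed or bitfield data: use the declared size

    expected_end = pixel_offset + expected_pixels
    trailing = len(data) - expected_end

    if declared_size != len(data):
        findings.append(f"declared file size {declared_size} != actual size {len(data)}")
    if bpp > 8 and pixel_offset > 14 + dib_size:
        # no palette is expected above 8 bpp, so a gap before the pixel array is unexplained space
        findings.append(f"{pixel_offset - 14 - dib_size} unexplained bytes between headers and pixel data")
    if trailing > 0:
        findings.append(f"{trailing} bytes after the end of the pixel array")
        if data[expected_end:expected_end + 2] == b"MZ":
            findings.append("trailing data starts with an MZ (PE executable) header")
    elif trailing < 0:
        findings.append(f"file is {-trailing} bytes shorter than the headers require")

    return {"valid_bmp": True, "suspicious": bool(findings),
            "trailing_bytes": max(trailing, 0), "findings": findings}


# Constructed samples: a clean 3x2 image, and the same image with a placeholder blob appended.
# The blob is just an 'MZ' marker followed by filler bytes standing in for an appended payload.
SAMPLE_CLEAN = build_bmp(3, 2, color=(0, 120, 215))
SAMPLE_TAMPERED = SAMPLE_CLEAN + b"MZ" + b"\x90" * 64


if __name__ == "__main__":
    for name, blob in (("clean", SAMPLE_CLEAN), ("tampered", SAMPLE_TAMPERED)):
        result = inspect_bmp(blob)
        print(f"{name}: suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against files pulled from a proxy or download cache, the function gives a cheap first pass: a logo-sized bitmap with tens of kilobytes of trailing data is worth a closer look regardless of which host served it.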

“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service. Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server,” Symantec notes.

The Stegmap backdoor supports commands to create/remove directories, manipulate files, launch/terminate a process, download and run executables, steal files, enumerate and kill processes, and read, create, and delete registry keys.

As part of the observed attacks, the hackers also employed a set of custom tools, including a proxy utility (which uses a protocol similar to SOCKS5 but acts as a server), a port scanner, and a persistence utility (which adds itself to autostart under a registry key disguised as an Nvidia entry).

According to Symantec, the attackers started their malicious activity on the network of one of the compromised Middle Eastern governments in late February 2022, and continued to actively connect to the environment until September 1.

During this timeframe, the hackers made multiple attempts to obtain credentials through memory dumps, performed network enumeration, deployed backdoors and web shells, executed various commands, installed the aforementioned custom tools, and moved laterally.

“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest. Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long-term, persistent presence in targeted organizations,” Symantec concludes.

Related: Chinese Threat Actors Exploiting ‘Follina’ Vulnerability

Related: Chinese Cyberspies Seen Using macOS Variant of ‘Gimmick’ Malware

Related: U.S. State Governments Targeted by Chinese Hackers via Zero-Day in Agriculture Tool

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
