article featured image


Security researchers have recently discovered a new malicious campaign by the “Witchetty” hacking group. The threat actors used steganography to hide a backdoor malware in a Windows logo. The group is believed to be heavily tied to the Chinese state-backed threat actor APT10 (“Cicada”).

Witchetty is reportedly operating a new cyberespionage campaign launched in February 2022, that targeted two governments in the Middle East and a stock exchange in Africa so far.

How Does the Malware Operate?

According to BleepingComputer, the threat actor made use of steganography, which is the act of hiding data within other non-secret, public information or computer files to evade detection. Witchetty made use of this technique to hide an XOR-encrypted backdoor malware in an old Windows logo bitmap image.

The malicious file would be hosted on a trusted cloud service instead of the threat actor’s command and control (C2) server, thus minimizing the risk of triggering security alarms. The threat actors would gain initial access to a network by exploiting the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop webshells on weakened servers.

After fetching the backdoor hiding in the image file, the threat actors could perform the following actions on the infected devices:

  • Perform file and directory actions;
  • Start, enumerate, or kill processes;
  • Modify the Windows Registry;
  • Download additional payloads;
  • Exfiltrate files.

How Witchetty Acts?

Witchetty also launched a unique proxy tool that makes the infected computer connect to a C2 server posing as a client rather than the other way around by acting “as the server and acting as the server”. The group also uses custom tools such as a port scanner or custom persistence utility that adds itself in the registry as “NVIDIA display core component”. In addition to using modded tools, Witchetty abuses “lolbins” on the host, such as CMD, WMIC, and PowerShell, and conventional tools like Mimikatz and to dump credentials from LSASS.

The group remains an active threat to governments and state organizations in Asia, Africa, and all over the globe. Specialists recommend applying security updates as they are released as a prevention method.

If you liked this article, follow us on LinkedIn, Twitter, Facebook, Youtube, and Instagram for more cybersecurity news and topics.

Author Profile

Cristian Neagu


linkedin icon

Cristian is a Content Editor & Creator at Heimdal®, where he developed a deep understanding of the digital threat landscape. His style resonates with both technical and non-technical readers, proof being in his skill of communicating cybersecurity norms effectively, in an easy-to-understand manner.

Leave a Reply

Your email address will not be published. Required fields are marked *