Symantec details Witchetty’s expanded toolset, including Backdoor.Stegmap and the LookBack backdoor, which use steganography and a GitHub-hosted bitmap loader to hide and deliver payloads. The operation is tied to TA410 and Cicada/APT10, with past and present activity targeting governments and related sectors by exploiting vulnerabilities to install web shells, pivot laterally, and steal credentials. #Witchetty #LookBack #BackdoorStegmap #TA410 #APT10 #Cicada
Keypoints
- Witchetty is described as one of TA410’s sub-groups with ties to Cicada (APT10).
- The group has targeted governments, diplomatic missions, charities, and industrial/manufacturing sectors.
- New tooling includes Backdoor.Stegmap, which uses steganography to extract the payload from a bitmap image.
- A DLL loader fetches a bitmap from GitHub; the payload is hidden in the file and decrypted with an XOR key.
- LookBack remains a central backdoor, with numerous related IOCs and new related tools in the toolkit.
- Indicators of Compromise span hashes, web shells, custom tools, credential theft, and C2 addresses/domains.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – CVE-2021-34473, CVE-2021-34523, CVE-2021-31207 and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers.
- [T1105] Ingress Tool Transfer – A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.
- [T1027] Obfuscated/Compressed Files and Information – The payload is hidden and decrypted with an XOR key.
- [T1505.003] Web Shell – Web shells are used to maintain access once the initial foothold is established.
- [T1003.001] LSASS Credential Dumping – LookBack backdoor’s capability to steal credentials from LSASS.
- [T1056.001] Keylogging – LookBack backdoor includes a keylogger capability.
- [T1059] Command and Scripting Interpreter – Batch script and script-based components are observed in the toolset.
Indicators of Compromise
- [Hash] LookBack backdoor – 619b64c6728f9ec27bba7912528a4101a9c835a547db6596fa095b3fe628e128, e597aae95dcaccc5677f78d38cd455fa06b74d271fef44bd514e7413772b5dcb (LookBack backdoor)
- [Hash] LookBack backdoor – ce3293002a9681736a049301ca5ed6d696d0d46257576929efbb638545ecb78e (LookBack backdoor)
- [Hash] LookBack backdoor – 73bf59c7f6a28c092a21bf1256db04919084aca5924bbd74277f8bda6191b584 (LookBack backdoor)
- [Hash] LookBack backdoor – acc52983d5f6b86bec6a81bc3fbe5c195b469def733f7677d681f0e405a1049b (LookBack backdoor)
- [Hash] LookBack backdoor – f91e44ff423908b6acf8878dced05dc7188ddab39d1040e0d736f96f0a43518d (LookBack backdoor)
- [Hash] LookBack backdoor – e7fcc98005cff9f406a5806222612c20dae3e47c469ff6028310847a599d1a38 (LookBack backdoor)
- [Hash] Possible LookBack dropper – 104873d692af36173cb39f8b46f2080c8ce1a1a52d60c69e1034e2033ba95f7a
- [Hash] Backdoor.Stegmap – 3b715112ac93e4cd5eaa7760b5670760fd25d0fec68f6a493624fa23c1c6e042
- [Domain/IP] LookBack C&C server – 5.252.176[.]3
- [Domain] LookBack C&C server – a.bigbluedc[.]com
- [IP] Remote IP (Malware) – 185.225.19[.]55
- [IP] Remote IP (Malware) – 153.92.1[.]125
- [IP] Remote IP (Malware) – 194.180.174[.]254
- [File] 7-Zip file – 0b29be26d5caae7cf46eaf9345eea7d9fd7e808b3334e2a2043232d450a648ee
- [File] 7-Zip file – e27a24e4e99e623566d8a43eb7e562d27c28a7c746d533d36f56312e9a317c2b
- [Malware] China Chopper – 681c22f79e5ec794858172378ed0285ef4da87f4f2dc8545bf304ce1f936529c
- [Malware] China Chopper – baa5c96ec2c51b601a6808428dbe0dc5e274e2ac65c38c465c5a74a2deb962c6