fokimadness.blogg.se

Use of steganography in cyber espionage









The attack on a Middle Eastern government agency started on February 27 after the attackers exploited the ProxyShell vulnerability. Several national cybersecurity agencies have said ProxyShell and ProxyLogon are considered some of the most popular vulnerabilities exploited by threat groups.

From there, they stole credentials, moved laterally across the network and installed malware on other computers. Symantec tracked attacks by the group from February to September, noting that in the three incidents they saw, the attackers exploited ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to gain access. In Witchetty’s case, they hide the malware in a Microsoft Windows logo.


The group has been updating its tools in recent months to employ steganography – a practice where hackers hide malicious code within an image. “From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization,” said Dick O’Brien, a member of the Symantec Threat Hunter team. In a report published Thursday, the Symantec Threat Hunter Team named the espionage group “Witchetty” but said it has also been known as “LookingFrog.”

Attacks by Witchetty are identified by the use of two pieces of malware: one known as X4 and a second-stage payload known as LookBack.

‘Witchetty’ group targeted Middle Eastern gov'ts, stock exchange of African nation

A cyber espionage group is targeting the governments of several Middle Eastern nations and has previously attacked the stock exchange of an African country, using malware to steal troves of data.









