Backdoor hidden in Windows logo


A hacker group has used steganography in attacks on governments, delivering malware hidden inside harmless-looking bitmaps.


In its latest attacks, a cyber-espionage group known as the Witchetty Gang is using an unusual steganographic technique to load malware onto compromised systems, security researchers at Symantec report. In several attacks the group hid code inside an old Windows logo.

According to the report, the attacks took place between February and September 2022 and targeted the governments of two Middle Eastern countries and the stock exchange of an African country.

As a first step, the attackers exploited well-known and frequently abused Microsoft Exchange vulnerabilities (ProxyShell and ProxyLogon) to gain unauthorized access to internet-facing servers, which is where they stole login credentials. Once inside, they staged additional malware onto the systems in several steps, Symantec's researchers report.

One of the tools deployed was "Backdoor.Stegmap", which uses steganography to hide the backdoor's payload in an innocuous image; the attackers chose the colorful Windows 7 logo. A DLL loader on the infected system fetches the bitmap from a GitHub repository and decrypts the malware it contains with an XOR key. The backdoor loaded this way could, among other things, copy directories and files on the target system and start and kill processes. Because the picture still renders normally, the image itself gives little away; the tell for defenders is the behaviour around it, a DLL that fetches a bitmap from GitHub and then spawns a new process.
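The following Python script is an added illustration of the technique described above, not code from the Symantec report or from the Witchetty tooling. It builds a constructed bitmap, appends an XOR-encoded, PE-shaped dummy payload to it in the way a loader could later retrieve it, and then shows the two checks an analyst can run on a suspicious image: parse the BMP headers to find bytes that lie beyond the pixel array, and recover a short repeating XOR key from the predictable first bytes of a PE file. The placement of the payload after the pixel data, the 3-byte key, the dummy payload and all function names are assumptions made for this example; Symantec's write-up does not specify how Stegmap embeds its payload.

```python
"""
Constructed demo of the "payload hidden in a bitmap" pattern: a benign-looking
BMP carries an XOR-encoded PE image after its pixel data, and a scanner
(a) flags the trailing bytes by parsing the BMP headers and
(b) recovers a repeating XOR key from the known PE/DOS header bytes.
Assumptions (not from the Symantec report): appended-after-pixels placement,
a 3-byte key, and a minimal fake PE payload constructed here.
"""
import struct
from typing import Optional

FILE_HDR = "<2sIHHI"        # BITMAPFILEHEADER: bfType, bfSize, bfReserved1/2, bfOffBits
INFO_HDR = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)
# Typical first 16 bytes of a PE file (DOS header); used as known plaintext.
DOS_STUB16 = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_bmp(width: int, height: int, bgr: bytes) -> bytes:
    """Solid-colour 24-bit BMP standing in for the logo; rows padded to 4 bytes."""
    stride = (width * 3 + 3) & ~3
    pixels = (bgr * width + b"\x00" * (stride - width * 3)) * height
    off = 14 + 40
    info = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    file_hdr = struct.pack(FILE_HDR, b"BM", off + len(pixels), 0, 0, off)
    return file_hdr + info + pixels


def embed_payload(bmp: bytes, payload: bytes, key: bytes) -> bytes:
    """Attacker side (assumed placement): append the XOR-encoded payload after
    the pixel array. Image viewers ignore the extra bytes, so it still renders."""
    return bmp + xor_bytes(payload, key)


def bmp_trailing_bytes(data: bytes) -> bytes:
    """Defender side: compute from the headers where the pixel array must end
    and return everything after it (empty for a clean, uncompressed file)."""
    magic, _bf_size, _, _, off = struct.unpack_from(FILE_HDR, data, 0)
    if magic != b"BM":
        raise ValueError("not a BMP")
    _, width, height, _, bpp, compression, *_ = struct.unpack_from(INFO_HDR, data, 14)
    if compression != 0:
        raise ValueError("compressed BMP; size check not applicable")
    stride = ((width * bpp + 31) // 32) * 4      # rows are 4-byte aligned
    return data[off + stride * abs(height):]


def recover_xor_key(blob: bytes, max_len: int = 16) -> Optional[bytes]:
    """Known-plaintext attack: if the hidden data is a PE file, its first 16
    bytes are predictable and leak a repeating key of up to max_len bytes.
    A candidate is accepted only if the decoded e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < len(DOS_STUB16):
        return None
    for klen in range(1, max_len + 1):
        key = xor_bytes(blob[:klen], DOS_STUB16[:klen])
        if xor_bytes(blob[:16], key) != DOS_STUB16:
            continue
        dec = xor_bytes(blob, key)
        if len(dec) < 0x40:
            continue
        e_lfanew = struct.unpack_from("<I", dec, 0x3C)[0]
        if dec[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return key
    return None


def scan_bmp(data: bytes) -> dict:
    """What an analyst wants from a suspicious bitmap: how many bytes sit past
    the pixel array, and if they decode to a PE, the key and the payload."""
    extra = bmp_trailing_bytes(data)
    result = {"trailing_len": len(extra), "key": None, "payload": None}
    if extra:
        key = recover_xor_key(extra)
        if key is not None:
            result["key"] = key
            result["payload"] = xor_bytes(extra, key)
    return result


# Constructed sample: a minimal PE-shaped dummy (not real malware) and a 3-byte key.
FAKE_PE = (DOS_STUB16 + b"\x00" * (0x3C - 16) + struct.pack("<I", 0x40)
           + b"PE\x00\x00" + b"constructed sample payload, not code")
SAMPLE_KEY = b"\x5a\x3c\x9f"
CLEAN_BMP = build_bmp(4, 2, b"\x00\x78\xf0")      # arbitrary "logo" colour
STEGO_BMP = embed_payload(CLEAN_BMP, FAKE_PE, SAMPLE_KEY)

if __name__ == "__main__":
    print("clean :", scan_bmp(CLEAN_BMP))
    print("stego :", scan_bmp(STEGO_BMP)["key"], scan_bmp(STEGO_BMP)["trailing_len"])
```

The key recovery goes slightly beyond the single case in the text: with 16 known header bytes it will find any repeating key up to 16 bytes long, and the `PE\0\0` check weeds out short keys that happen to match only the first few bytes. The size check has an obvious limit, which is worth stating: if an attacker rewrites pixel bits instead of appending data, the file length matches the headers exactly and you would have to look at pixel statistics instead, which this example does not do.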

The insidious part of the technique is that the payload can be published on a free, trusted platform such as GitHub, which, as Symantec puts it, "is far less likely to raise a red flag on the target system than a download from a command-and-control (C&C) server controlled by the attackers."

According to the news site Bleeping Computer, the Witchetty Gang is believed to be linked to the Chinese hacking group APT10. The group was first described in April 2022 by the Slovak security company ESET, Symantec's researchers note on their company blog.