A cyber-espionage group is targeting the governments of several Middle Eastern countries and has previously attacked an African country's stock exchange, stealing massive amounts of data with malware.
The Symantec Threat Hunter Team named the espionage group "Witchetty" in a report published Thursday, but it has also been known as "LookingFrog."
Witchetty attacks are distinguished by the use of two pieces of malware: X4 and a second-stage payload known as LookBack.
“From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization,” said Dick O’Brien, a member of the Symantec Threat Hunter team.
In recent months, the group has been updating its tools to use steganography, a technique in which hackers hide malicious code within an image file. In Witchetty's case, the malicious payload is hidden inside an image of the Microsoft Windows logo.
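The article does not describe how the payload is embedded, so the check below is an added example (not Symantec's tooling) for one common indicator a defender can test for: bytes appended past the point where a BMP or PNG file declares that it ends. Payloads woven into pixel data will not trigger it, so treat a clean result as "no overlay found", not "no steganography". The sample images are constructed inline.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def bmp_declared_size(data: bytes):
    """Size the BITMAPFILEHEADER claims (bfSize at offset 2), or None if not a BMP."""
    if len(data) < 14 or data[:2] != b"BM":
        return None
    return struct.unpack_from("<I", data, 2)[0]


def png_end_offset(data: bytes):
    """Walk PNG chunks and return the offset just past IEND, or None if not found."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        pos += 8 + length + 4          # header + chunk data + CRC
        if ctype == b"IEND":
            return pos
    return None


def trailing_bytes(data: bytes) -> int:
    """Bytes beyond the format's declared end; 0 when absent or format unknown/truncated."""
    end = bmp_declared_size(data)
    if end is None:
        end = png_end_offset(data)
    if end is None or end > len(data):
        return 0
    return len(data) - end


def has_overlay(data: bytes) -> bool:
    """True when an image carries data after its declared end (worth a closer look)."""
    return trailing_bytes(data) > 0


# Constructed samples: a 26-byte BMP (14-byte file header + 12-byte core header)
# and a minimal PNG (signature + IHDR + IEND), each with and without an appended blob.
CLEAN_BMP = b"BM" + struct.pack("<IHHI", 26, 0, 0, 26) + b"\x00" * 12
OVERLAY_BMP = CLEAN_BMP + b"\x90" * 40
_ihdr = struct.pack(">I", 13) + b"IHDR" + b"\x00" * 13 + b"\x00" * 4
_iend = struct.pack(">I", 0) + b"IEND" + b"\xaeB`\x82"
CLEAN_PNG = PNG_SIG + _ihdr + _iend
OVERLAY_PNG = CLEAN_PNG + b"payload"
```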
Symantec tracked the group's attacks from February to September, noting that the attackers used ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to obtain access in three incidents.
According to several national cybersecurity agencies, ProxyShell and ProxyLogon are among the vulnerabilities most commonly exploited by threat groups. Once inside, the attackers stole credentials, moved laterally across the network, and installed malware on other computers.
The attackers used the ProxyShell vulnerability to launch an attack on a Middle Eastern government agency on February 27. The hackers moved around the network for several months, exfiltrating data and stealing other information. The hackers' most recent actions occurred on September 1, when they downloaded several remote files.
O'Brien told The Record that they do not have enough information to make an attribution at this time, but that Witchetty was first discovered in April by ESET researchers, who stated it was part of a larger cyber-espionage operation linked to the Chinese state-backed advanced persistent threat (APT) group Cicada or APT10. According to ESET, the group has specifically targeted governments, diplomatic missions, charities, and industrial/manufacturing organisations.
Symantec previously linked the group to a VLC Media Player attack campaign, prompting the Indian government to outright ban the popular programme earlier this year. The group was accused in February of carrying out a months-long attack on Taiwan's financial sector.
APT10, according to the anonymous research group IntrusionTruth, was based in Tianjin, China, and allegedly operated out of the Tianjin State Security Bureau, a regional arm of the Chinese Ministry of State Security. In the summer of 2018, Rapid7 and Recorded Future implicated the group in another attack on Norwegian cloud service provider Visma AG.