CyberWire Daily - New tools target governments in Middle East? [Research Saturday]

Episode Date: October 22, 2022

Dick O'Brien from Symantec's Threat Hunter team sits down with Dave to discuss their work on "Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East." Their research has found that the group known as Witchetty (aka LookingFrog) has been progressively updating its toolset, including a new backdoor Trojan (Backdoor.Stegmap), to launch malware attacks on targets in the Middle East and Africa. The research states: "The attackers exploited the ProxyShell and ProxyLogon vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers." The researchers describe the new tool being used and why this group is a threat. The research can be found here: Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East. Learn more about your ad choices. Visit megaphone.fm/adchoices

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts,
Starting point is 00:01:08 tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us. So, Witchetty is our name for a group that was only fairly recently defined or outlined. That's Dick O'Brien. He's a principal editor at Symantec. The research we're discussing today is titled, "Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East."
Starting point is 00:01:58 There was a bit of research put out by our peers in ESET back in April of this year, and they were looking at a kind of broad espionage operation that's known as TA410. And their conclusion was that it was actually three distinct, different actors. They called them LookingFrog, FlowingFrog, and JollyFrog. And Witchetty is our name for one of those actors, which is LookingFrog. This kind of, I guess, reassessment of groups is not that unusual. It frequently happens with espionage groups from that part of the world. It's quite murky trying to get a picture of who is a distinct threat group. You'll see an awful lot of shared use of tools and infrastructure.
Starting point is 00:03:01 So it can often be very difficult to decide where one group starts and another group ends, so to speak. And I think that's probably because, I guess, there's a different kind of culture of espionage operations there. I think this seems to be they use a lot more contractors, and people move around a lot and sometimes seem to work for more than one operation. So, yeah, it's pretty murky. So, anyway, Witchetty was identified as a distinct actor back in April of this year, and their calling card is really two pieces of malware: a first-stage
Starting point is 00:03:34 backdoor known as X4 and then a second-stage payload known as LookBack. So they said this group targets governments and diplomatic missions and charities and some industrial companies. And that's largely in line with what we saw, what we have seen. We've seen kind of more recent activity of this, and they seem to be continuing to use much the same toolset, although we have some new discoveries, but also the profile of victims is quite similar as well. Well, let's go through some of the new things that you all have discovered here. I mean, there's an interesting piece that uses steganography, yes? Yeah, yeah. I mean, we discovered a couple of new tools that they're using.
Starting point is 00:04:22 I guess the most interesting one is a backdoor that we haven't been seeing before. We call it Stegmap. I guess it's a rarely seen technique, steganography. So that's what makes it so interesting. So I guess a lot of listeners may have heard of steganography, but for those who haven't, it's a technique that involves hiding something or a message within an image. And I think it first came into the news nearly 20 years ago when there were some reports that Al-Qaeda was using it. They were hiding messages in images and sharing them on public forums, and it was kind of a covert way of communicating for them.
Starting point is 00:05:04 But in this case, anyway, the thing that was hidden in the image was the code for this backdoor. So how it works was that a quite innocuous-looking image file, it was a bitmap image of, I think it's an old Windows logo, I think it's like from 98 or 2000 or something like that. And it was hosted on GitHub. So what happened was that there was a loader for this tool, and it would download the bitmap image from GitHub,
Starting point is 00:05:42 and then it would decrypt the payload from the image. It was encrypted with an XOR key and then loaded up. So that's how it worked. Now, the functionality of the malware, it's your pretty standard backdoor. The technique is unusual, but the functionality is quite... It's what you'd see.
Starting point is 00:06:05 They can copy files, delete files, start up new processes, kill processes, things like that. Yeah, I have to say that the use of the Windows logo strikes me as being somewhat clever in that it's the type of thing that if you were to examine it, I think it'd be easy to say, well, there's nothing unusual about that. It seems like the kind of thing that in a routine could be downloaded as part of something else.
Starting point is 00:06:33 It's such a ubiquitous image that it really doesn't draw attention to itself. Yeah, and I think you're kind of touching on why they used this technique. Because there's lots of ways of obfuscating your malware or hiding the code. What this allows them to do is host the payload on a public service like GitHub. So if somebody uploads a bitmap image to GitHub, it doesn't raise any suspicions,
Starting point is 00:07:01 but a heavily obfuscated executable or whatever, that might. So they can put it on GitHub, but then, you know, if a computer is then calling something from GitHub, that is less likely to raise red flags than if they're downloading a file from some hitherto unseen address, you know. So I think that's the main reason they use it. Less to kind of, for the, you know, the code obfuscation and more for their ability
Starting point is 00:07:33 to kind of host something in plain sight and not raise any red flags in terms of downloading it. Thank you. an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024, these traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context,
Starting point is 00:08:39 simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com security. Well, one of the things that you all outlined here is the attack chain for Witchetty. Can you kind of give us highlights here and take us through exactly how it works? Yeah, we gave a fairly detailed attack chain. Now, if anybody's interested in it, they can look at the blog
Starting point is 00:09:26 because there's a lot of commands in it. But it just shows how this group operates and how their attack unfolds. So it's one of the attacks that we saw, and it's the one where we kind of uncovered the most detail, and that's why we used it. All of the attacks we saw, they either exploit ProxyShell or ProxyLogon, which are vulnerabilities in Microsoft Exchange Server.
Starting point is 00:09:54 This is very much the infection vector du jour at the moment for a lot of threat actors. They like these vulnerabilities because Exchange is usually a public-facing server, so they can try and scan for vulnerable servers where people haven't patched them and hit them up. That provided the foothold. And then, I'm not going to go through each single step,
Starting point is 00:10:19 but you will see if you read the blog where they go from there. Once they get onto a server, you see them trying to get credentials using various credential-dumping techniques. Then they establish a persistence mechanism. And then after a little while, it takes them, you know, they're not in any hurry, actually, they start moving across the network and you see them popping up on other machines. Presumably, all of those credentials that they harvested in their attack on the initial machine kind of gave them some pathway onto other machines.
Starting point is 00:10:58 So the attack began, I think, let me see, was in February of this year. And they managed to stay on that network until the beginning of August. So that is quite a long period of time. And you would anticipate that they managed to exfiltrate some good information in that time period. To what degree do you think that they're being stealthy here? And to what degree was perhaps the victim not as attentive as they should have been?
Starting point is 00:11:33 I think it's a bit of each, to be honest, Dave. The fact that they're able to exploit known vulnerabilities in order to get onto a network always does point to something, a network that isn't completely locked down, if you know what I mean. But, you know, having said that, they're a competent actor. They do rely a lot on living-off-the-land techniques. They know their PowerShell and things like that, you know. So there is malware involved, but that's only a very small subset of the malicious activity that we've seen. What are your recommendations then
Starting point is 00:12:13 in terms of folks protecting themselves against this? The recommendations that apply to, I guess, all targeted or espionage attacks tend to apply to this. They start with the infection vector. And as I mentioned earlier, exploitation of vulnerabilities on public-facing servers is huge at the moment. And if you want to prioritize your patching, actually CISA published a good list of,
Starting point is 00:12:43 they call it their Known Exploited Vulnerabilities catalog. So if you want to prioritize which system needs to be up to date and make sure it is, you can check out that, because it's only vulnerabilities that are being actively exploited at the moment that are listed on it. And then the second thing is just consider how these attacks unfold. Credential theft is one of the essential steps that are involved, and you should try and make that as difficult as possible for attackers. So you regularly refresh your admin credentials, you implement two-factor authentication across the board.
Starting point is 00:13:24 Just make it the case that if somebody can dump a plaintext username and password, you know, that isn't going to be enough for them to log on to another computer. And then, of course, you know, you should always use a multi-layered security solution. You know, that includes email security, endpoint, EDR, things like that. I think that's the quick sum-up anyway. Yeah, I mean, it's the standard stuff, right? There's nothing terribly exotic on that list, but it's all necessary. And yet, here we are talking about them, right? Yeah, yeah.
Starting point is 00:14:03 I mean, like some organizations may be better resourced than others, or awareness might not be as high. But, you know, we'll try and keep getting the message out. Our thanks to Dick O'Brien from Symantec's Threat Hunter team for joining us. The research is titled, "Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East." We'll have a link in the show notes.
Starting point is 00:14:44 And now, a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. Thank you. Learn more at blackcloak.io. Thanks for listening. We'll see you back here next week.
