CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers.
Who is Witchetty?
Witchetty was first documented by ESET in April 2022, who concluded that it was one of three sub-groups of TA410, a broad cyber-espionage operation with some links to the Cicada group (aka APT10). Witchetty’s activity was characterized by the use of two pieces of malware, a first-stage backdoor known as X4 and a second-stage payload known as LookBack. ESET reported that the group had targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations.
New tooling
While the group has continued to use the LookBack backdoor, several new pieces of malware appear to have been added to its toolset. One is Backdoor.Stegmap, which leverages steganography to extract its payload from a bitmap image. Although steganography is rarely used by attackers, when it is executed successfully it disguises malicious code inside seemingly innocuous image files.
A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.
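The paragraphs above describe the two properties a defender can check for: a bitmap that carries more bytes than its own headers account for, and a hidden blob that turns back into an executable once the XOR key is applied. The following Python triage script is an added example written for this page, not Symantec's or Witchetty's code, and it makes two assumptions that the page does not state: that the payload is appended after the BMP pixel array (a real loader may hide it elsewhere, for example inside pixel data) and that the XOR key is a single byte. The sample bitmap, the XOR key 0x5A, and the stand-in "PE" blob are all constructed test data.

```python
import struct

BMP_FILE_HDR = '<2sIHHI'          # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
BMP_INFO_HDR = '<IiiHHIIiiII'     # BITMAPINFOHEADER, 40 bytes


def build_bmp(width=2, height=2):
    """Constructed, valid 24-bit uncompressed BMP used only as a test fixture."""
    row_bytes = (width * 3 + 3) & ~3          # rows are padded to 4 bytes
    pixel_size = row_bytes * height
    off_bits = 14 + 40
    file_hdr = struct.pack(BMP_FILE_HDR, b'BM', off_bits + pixel_size, 0, 0, off_bits)
    info_hdr = struct.pack(BMP_INFO_HDR, 40, width, height, 1, 24, 0,
                           pixel_size, 2835, 2835, 0, 0)
    return file_hdr + info_hdr + bytes(pixel_size)


def make_fake_pe():
    """Constructed stand-in for a PE image: MZ stub whose e_lfanew points at 'PE\\0\\0'.
    It is not executable code; it only carries the markers a triage check looks for."""
    dos_hdr = bytearray(64)
    dos_hdr[0:2] = b'MZ'
    struct.pack_into('<I', dos_hdr, 0x3C, 64)  # e_lfanew -> directly after the DOS header
    return bytes(dos_hdr) + b'PE\0\0' + b'<constructed stub, no real code>'


def xor_bytes(data, key):
    return bytes(b ^ key for b in data)


def looks_like_pe(buf):
    """True if buf starts with an MZ header whose e_lfanew lands on a 'PE\\0\\0' signature."""
    if len(buf) < 0x40 or buf[:2] != b'MZ':
        return False
    e_lfanew = struct.unpack_from('<I', buf, 0x3C)[0]
    return 0 < e_lfanew <= len(buf) - 4 and buf[e_lfanew:e_lfanew + 4] == b'PE\0\0'


def parse_bmp_headers(data):
    """Return (declared file size, pixel-array offset, pixel-array size) from the BMP headers."""
    if len(data) < 54 or data[:2] != b'BM':
        raise ValueError('not a BMP file')
    _, bf_size, _, _, off_bits = struct.unpack_from(BMP_FILE_HDR, data, 0)
    (_, width, height, _, bpp, compression,
     size_image, _, _, _, _) = struct.unpack_from(BMP_INFO_HDR, data, 14)
    if size_image == 0 and compression == 0:       # biSizeImage may be 0 for BI_RGB
        row_bytes = ((width * bpp + 31) // 32) * 4
        size_image = row_bytes * abs(height)
    return bf_size, off_bits, size_image


def recover_single_byte_xor(blob):
    """Assumption for this example: a one-byte key. Try all 256 and keep the one
    that yields a PE header; returns (key, decoded) or (None, None)."""
    if len(blob) < 2:
        return None, None
    for key in range(256):
        # cheap pre-check on the first two bytes before decoding the whole blob
        if blob[0] ^ key == ord('M') and blob[1] ^ key == ord('Z'):
            decoded = xor_bytes(blob, key)
            if looks_like_pe(decoded):
                return key, decoded
    return None, None


def triage_bmp(data):
    """Flag a bitmap whose length exceeds what its headers describe, and check
    whether the surplus XOR-decodes to something shaped like a PE file."""
    bf_size, off_bits, size_image = parse_bmp_headers(data)
    trailing = data[off_bits + size_image:]
    key, decoded = recover_single_byte_xor(trailing)
    return {
        'size_mismatch': len(data) != bf_size,   # headers disagree with the real length
        'trailing_bytes': len(trailing),
        'xor_key': key,
        'payload_is_pe': decoded is not None,
    }


if __name__ == '__main__':
    suspicious = build_bmp() + xor_bytes(make_fake_pe(), 0x5A)   # constructed sample
    print('suspicious:', triage_bmp(suspicious))
    print('clean:     ', triage_bmp(build_bmp()))
```

For a clean bitmap every field is negative; for the constructed sample the script reports the size mismatch, the number of surplus bytes, the recovered key 0x5A, and that the decoded blob carries MZ and PE signatures. Checking both signatures rather than "MZ" alone keeps single-byte brute forcing from producing false positives on arbitrary trailing data such as ICC profiles or metadata.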