

The group has been known to use a first-stage backdoor known as X4 and a second-stage payload called LookBack, which ESET said targets governments, diplomatic missions, charities, and industrial and manufacturing organizations.

Malware upgrades make for a more canny foe

Witchetty continues to use LookBack, but has added Stegmap and other malware to its arsenal.

To bring Stegmap into a network, a DLL loader is run that downloads a bitmap file of the Windows logo from a GitHub repository. The payload is hidden in the bitmap file and is decrypted with an XOR operation and key. The payload opens a backdoor to the outside world and can execute a range of commands issued to it by its masters, from copying, moving, or deleting files to removing a directory, starting a new process, or killing an existing one, and creating or deleting a Windows registry key.

The Symantec researchers wrote that Witchetty launched an espionage campaign against two Middle Eastern governments and a stock exchange in Africa using Stegmap. Initial access into a target's network is gained by exploiting the ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities in Microsoft Exchange and installing malicious scripts on public-facing web servers.
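
As an added example (not Symantec's analysis and not Witchetty's or Stegmap's code), the Python below shows one way an analyst can triage an image like the one described: it pulls out whatever sits beyond the size the BMP header declares, then crib-drags the standard DOS-stub text across that blob to recover a repeating XOR key, accepting only a key whose decryption parses as a PE. The page says only that the payload hides in the bitmap and is XOR-decrypted with a key; that the blob is appended after the declared image, that the key is short and repeating, and the sample key, image and payload are all assumptions made for this demonstration, constructed inline so the script runs offline.

```python
import struct

# Standard text of the DOS stub that nearly every PE carries; used as a
# crib (known plaintext) to recover the XOR key.
DOS_STUB_CRIB = b"This program cannot be run in DOS mode."


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (key aligned to data offset 0)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def bmp_trailing_data(bmp: bytes) -> bytes:
    """Return bytes beyond the size declared in the BITMAPFILEHEADER (bfSize).

    Viewers render the declared bytes and ignore the rest, so a blob appended
    here still looks like a valid image. Assumption for this example: the
    hidden payload lives in this trailing region.
    """
    if len(bmp) < 14 or bmp[:2] != b"BM":
        raise ValueError("not a BMP file")
    declared_size = struct.unpack_from("<I", bmp, 2)[0]
    return bmp[declared_size:]


def looks_like_pe(blob: bytes) -> bool:
    """Cheap PE sanity check: MZ magic and a PE\\0\\0 signature at e_lfanew."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_xor_key(cipher: bytes, crib: bytes = DOS_STUB_CRIB, max_keylen: int = 32):
    """Crib-drag the DOS stub text across the blob to recover a repeating XOR key.

    For every candidate crib position and key length up to max_keylen, derive
    the key bytes the crib implies, drop inconsistent candidates, and accept a
    key only if the full decryption is a plausible PE. Returns (key, plain) or None.
    """
    for pos in range(len(cipher) - len(crib) + 1):
        for klen in range(1, max_keylen + 1):
            key, seen, consistent = bytearray(klen), [False] * klen, True
            for i, p in enumerate(crib):
                idx = (pos + i) % klen
                kb = cipher[pos + i] ^ p
                if seen[idx] and key[idx] != kb:
                    consistent = False
                    break
                key[idx], seen[idx] = kb, True
            if not consistent or not all(seen):
                continue
            plain = xor_bytes(cipher, bytes(key))
            if looks_like_pe(plain):
                return bytes(key), plain
    return None


def extract_hidden_pe(bmp: bytes):
    """Triage helper: take the trailing data of a BMP and try to recover a PE from it."""
    return recover_xor_key(bmp_trailing_data(bmp))


def _minimal_bmp(width: int = 2, height: int = 2) -> bytes:
    """Constructed 24-bit BMP with a correct bfSize (sample input, not a real logo)."""
    row = (width * 3 + 3) & ~3  # pixel rows are padded to 4 bytes
    pixels = (bytes([0, 0, 255] * width) + b"\x00" * (row - width * 3)) * height
    dib = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(dib) + len(pixels)
    return b"BM" + struct.pack("<IHHI", size, 0, 0, 14 + len(dib)) + dib + pixels


def _fake_pe() -> bytes:
    """Constructed stand-in for a PE payload: MZ header, DOS stub text, PE signature."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)  # e_lfanew points at the PE header
    hdr[0x4E:0x4E + len(DOS_STUB_CRIB)] = DOS_STUB_CRIB
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 64


SAMPLE_KEY = b"\x5a\xa5\x3c"  # assumed key, for the demonstration only
SAMPLE_BMP = _minimal_bmp() + xor_bytes(_fake_pe(), SAMPLE_KEY)

if __name__ == "__main__":
    print("clean image:", extract_hidden_pe(_minimal_bmp()))
    key, plain = extract_hidden_pe(SAMPLE_BMP)
    print("recovered key:", key.hex(), "decrypted PE bytes:", len(plain))
```

Two caveats when pointing this at real files: some benign writers set bfSize to zero or to a wrong value, so a non-empty trailing region is a lead, not a verdict, and the PE check is what separates a find from noise; and a loader can just as well hide the blob inside the pixel data or derive the key at runtime, in which case the appended-data assumption here does not hold and the extraction step has to be adapted to what the loader actually does.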

The use of Stegmap is part of a larger update of Witchetty's toolset, the Symantec researchers wrote.
