Symantec reports that the threat group is operating a new cyberespionage campaign launched in February 2022 that targeted two governments in the Middle East and a stock exchange in Africa.
The hackers refreshed their toolkit to target different vulnerabilities and used steganography to hide their malicious payload from antivirus software.
For those who came in late, steganography is the practice of hiding data inside other, non-secret, public information or files, such as an image, so that it escapes detection. Symantec found Witchetty using it to conceal an XOR-encrypted backdoor inside an old Windows logo bitmap image.
The image is hosted on a trusted cloud service rather than on the threat actor's command-and-control (C2) server, so fetching it is far less likely to trip security alarms than a download from attacker-owned infrastructure would be.
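To make the technique concrete, here is an added example (not Symantec's analysis and not Witchetty's code) of what "an XOR-encrypted payload hidden in a bitmap" can look like on both sides: a loader that embeds a repeating-key-XOR-encrypted blob into the least-significant bits of a BMP's pixel data, the matching extractor, and a crude steganalysis check. The article does not say which embedding method the group used, so LSB embedding, the constructed carrier image, the `DEMO_KEY` and the stand-in payload are all assumptions of this example.

```python
import struct

# Constructed demo key; the real operator's key is not in the article.
DEMO_KEY = b"constructed-key"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_bmp(width: int, height: int, rgb=(0x20, 0x40, 0x60)) -> bytes:
    """Build a minimal 24-bit uncompressed BMP filled with one colour (constructed carrier)."""
    row = (width * 3 + 3) & ~3                       # BMP rows are padded to 4 bytes
    pixels = (bytes(rgb) * width + b"\x00" * (row - width * 3)) * height
    file_hdr = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels


def _pixel_offset(bmp: bytes) -> int:
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    return struct.unpack_from("<I", bmp, 10)[0]      # bfOffBits: where pixel data starts


def embed(carrier: bytes, payload: bytes, key: bytes) -> bytes:
    """Encrypt payload and write it, one bit per byte, into the LSBs of the pixel data."""
    off = _pixel_offset(carrier)
    blob = xor_bytes(struct.pack("<I", len(payload)) + payload, key)
    if len(blob) * 8 > len(carrier) - off:
        raise ValueError("carrier too small for payload")
    out = bytearray(carrier)
    pos = off
    for byte in blob:
        for bit in range(8):
            out[pos] = (out[pos] & 0xFE) | ((byte >> bit) & 1)
            pos += 1
    return bytes(out)


def _read_lsb(bmp: bytes, start: int, count: int) -> bytes:
    """Reassemble `count` bytes from the LSBs of consecutive pixel bytes."""
    out = bytearray()
    pos = start
    for _ in range(count):
        b = 0
        for bit in range(8):
            b |= (bmp[pos] & 1) << bit
            pos += 1
        out.append(b)
    return bytes(out)


def extract(stego: bytes, key: bytes) -> bytes:
    """Recover and decrypt the payload; raises ValueError if the key or image is wrong."""
    off = _pixel_offset(stego)
    length = struct.unpack("<I", xor_bytes(_read_lsb(stego, off, 4), key))[0]
    if (4 + length) * 8 > len(stego) - off:
        raise ValueError("length field implausible: wrong key or no payload")
    blob = _read_lsb(stego, off, 4 + length)
    return xor_bytes(blob, key)[4:]


def lsb_ones_ratio(bmp: bytes) -> float:
    """Share of pixel bytes whose LSB is set: a crude steganalysis signal."""
    off = _pixel_offset(bmp)
    body = bmp[off:]
    return sum(b & 1 for b in body) / len(body)


if __name__ == "__main__":
    carrier = make_bmp(64, 16)
    payload = b"constructed stand-in for a backdoor, not real malware"
    stego = embed(carrier, payload, DEMO_KEY)
    assert extract(stego, DEMO_KEY) == payload
    print(f"carrier LSB ratio {lsb_ones_ratio(carrier):.3f}, "
          f"stego LSB ratio {lsb_ones_ratio(stego):.3f}")
```

Two points a defender should take from this. First, the file stays a perfectly valid bitmap of the same size with an untouched header, which is why signature-based scanning of the image itself finds nothing; the XOR key and the extraction routine live in the loader, so that is where the hunting has to happen, and once the key is recovered the "encryption" falls to a one-liner. Second, the flat-colour carrier used here makes the embedding obvious: its LSB plane is all zeros before embedding and noticeably non-zero afterwards, whereas a photographic carrier already has a noisy LSB plane, which is why attackers pick real images and why simple LSB statistics are only a weak signal in practice.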
The attack begins with the threat actors gaining initial access to a network by exploiting the Microsoft Exchange ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) attack chains to drop webshells on vulnerable servers.
Witchetty uses standard utilities such as Mimikatz to dump credentials from LSASS and abuses "lolbins" (living-off-the-land binaries already present on the host) such as CMD, WMIC, and PowerShell.
The hackers rely on last year's (2021) vulnerabilities to breach the target network, taking advantage of poorly administered, publicly exposed servers. Patching those servers removes the group's initial-access route, so if you want to fight it off, upgrade your systems.
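The post-exploitation steps above leave a characteristic process-creation trail that is worth a concrete detection. The following added example (not part of the article or Symantec's report) runs two rules over constructed, Sysmon-style process-creation records: a webshell on an Exchange server executes its commands as a child of the IIS worker process, so `w3wp.exe` spawning `cmd.exe`, `wmic.exe` or PowerShell is flagged; and Mimikatz module syntax (`sekurlsa::`, `lsadump::`) in a command line is flagged regardless of what the binary was renamed to. The log format, the `w3wp.exe` parent assumption (stock Exchange-on-IIS deployment) and the sample records are all assumptions of this example.

```python
import ntpath

# Constructed process-creation records: timestamp|host|parent_image|image|command_line
SAMPLE_LOG = r"""
2022-02-14T09:12:03Z|EXCH01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami
2022-02-14T09:12:09Z|EXCH01|C:\Windows\System32\inetsrv\w3wp.exe|C:\Windows\System32\wbem\WMIC.exe|wmic process get name,processid
2022-02-14T09:15:41Z|EXCH01|C:\Windows\System32\cmd.exe|C:\Temp\mk.exe|mk.exe "privilege::debug" "sekurlsa::logonpasswords"
2022-02-14T09:20:00Z|EXCH01|C:\Windows\explorer.exe|C:\Windows\System32\cmd.exe|cmd.exe /c dir
""".strip()

# Living-off-the-land binaries the article names (plus pwsh.exe for PowerShell 7).
LOLBINS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wmic.exe"}
# Assumption: Exchange web endpoints run inside the IIS worker process.
WEB_WORKERS = {"w3wp.exe"}
# Mimikatz module syntax survives renaming the executable.
CRED_DUMP_MARKERS = ("sekurlsa::", "lsadump::", "mimikatz")


def basename(path: str) -> str:
    """Case-insensitive file name from a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def parse(log_text: str) -> list:
    """Split pipe-delimited records into dicts; the command line may itself contain pipes."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("|", 4)
        records.append({"ts": ts, "host": host, "parent": basename(parent),
                        "image": basename(image), "cmdline": cmdline})
    return records


def detect(log_text: str) -> list:
    """Return one alert dict per rule hit, in log order."""
    alerts = []
    for r in parse(log_text):
        if r["parent"] in WEB_WORKERS and r["image"] in LOLBINS:
            alerts.append({**r, "rule": "webshell_spawned_lolbin"})
        if any(m in r["cmdline"].lower() for m in CRED_DUMP_MARKERS):
            alerts.append({**r, "rule": "credential_dump_syntax"})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f'{a["ts"]} {a["host"]} {a["rule"]}: {a["parent"]} -> {a["image"]} [{a["cmdline"]}]')
```

Note the third record: the Mimikatz binary was renamed to `mk.exe` and was launched from an interactive `cmd.exe`, so the parent-child rule alone misses it; the command-line rule catches it. The converse caveat is that the parent-child rule only looks one generation deep, so a webshell that launches `cmd.exe` which then launches PowerShell produces an alert for the first hop only; a real deployment should also collect LSASS process-access events rather than depending on command-line strings.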