Hiding Malware in Windows Logo – Malicious Innovation at Its Best
Cybercriminals can practice their malicious activities through various methods. Some use brute force, some phishing, and others get more innovative. Yes, enhancing their techniques leads to higher success rates, and with this campaign targeting Middle East governments using the Windows logo – it’s innovation at its best.
Threat actors are using a highly sophisticated technique in which they hide malicious code within a picture. This time around, they’re concealing the malware in a bitmap image of an old Microsoft Windows logo.
The campaign apparently belongs to the group Witchetty (AKA LookingFrog) and it’s much bigger than it seems. Well, when a threat actor is in cahoots with a Chinese threat group, the impact is going to be huge. Here’s what we know about this highly innovative attack.
LookingFrog – The Perfect Logo Scam
As we mentioned, cybercriminals have been advancing as time goes by and they’re coming up with new ways to infiltrate their victims’ systems.
Usually, fabricating a fake logo to include in a phishing email, for example, creates some sort of legitimacy, which tricks the user into falling for the scam.
However, using the real thing to embed malware, well, that’s a whole new level of innovation. The technique goes by the name of steganography – a mechanism that embeds a message in a non-secret document.
In this campaign, the malicious code is extracted from a bitmap image: an old Microsoft Windows logo hosted on a GitHub repository.
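A defender triaging an image pulled from a trusted host wants a quick way to tell whether the file carries more than its pixels. The following is an added example, not code from the original post or from the Symantec report, and it does not reproduce the actors' encoding (which the post does not describe). It parses the BMP headers, checks the declared file size and pixel-data size against the actual file, flags any bytes trailing the pixel array, and reports the entropy of the pixel least-significant-bit plane as an informational signal. The `build_sample_bmp` helper and the appended marker string are constructed test fixtures.

```python
import math
import struct
from collections import Counter


def build_sample_bmp(width, height, pixel_fn):
    """Construct a minimal 24-bit uncompressed BMP (test fixture, not a real logo)."""
    row_bytes = (width * 3 + 3) & ~3          # rows are padded to 4-byte multiples
    pixel_size = row_bytes * height
    pixel_offset = 14 + 40                    # BITMAPFILEHEADER + BITMAPINFOHEADER
    file_size = pixel_offset + pixel_size
    file_hdr = struct.pack('<2sIHHI', b'BM', file_size, 0, 0, pixel_offset)
    dib_hdr = struct.pack('<IiiHHIIiiII', 40, width, height, 1, 24, 0,
                          pixel_size, 2835, 2835, 0, 0)
    rows = []
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes(pixel_fn(x, y))     # (B, G, R) triple
        row += b'\x00' * (row_bytes - len(row))
        rows.append(bytes(row))
    return file_hdr + dib_hdr + b''.join(rows)


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; 0.0 for empty or constant input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def inspect_bmp(data):
    """Compare BMP header claims with the file's real layout and flag mismatches."""
    if len(data) < 54 or data[:2] != b'BM':
        raise ValueError('not a BMP file')
    _, declared_size, _, _, pixel_offset = struct.unpack_from('<2sIHHI', data, 0)
    _, width, height, _, bpp, _, _ = struct.unpack_from('<IiiHHII', data, 14)
    row_bytes = ((abs(width) * bpp + 31) // 32) * 4
    expected_pixels = row_bytes * abs(height)   # height < 0 means top-down rows
    pixel_end = pixel_offset + expected_pixels
    trailing = data[pixel_end:]                 # anything after the pixel array
    # LSB plane entropy: near 1 bit on natural photos even without hidden data,
    # so it is only meaningful against a baseline; the size checks are stronger.
    lsb_plane = bytes(b & 1 for b in data[pixel_offset:pixel_end])
    return {
        'declared_size': declared_size,
        'actual_size': len(data),
        'expected_pixel_bytes': expected_pixels,
        'trailing_bytes': len(trailing),
        'trailing_entropy': shannon_entropy(trailing),
        'lsb_entropy': shannon_entropy(lsb_plane),
        'suspicious': len(trailing) > 0 or declared_size != len(data),
    }


if __name__ == '__main__':
    clean = build_sample_bmp(4, 4, lambda x, y: (10, 20, 30))
    print('clean   :', inspect_bmp(clean))
    # Constructed marker appended after the pixel array, standing in for any
    # extra content a file might carry; the check flags the mismatch.
    print('trailing:', inspect_bmp(clean + b'constructed trailing bytes'))
```

The size comparison is the check worth automating at a download proxy or in a sandbox: an image whose header disagrees with its length is not necessarily malicious, but it is worth a second look regardless of where it was hosted. Data hidden inside the pixel values rather than after them will pass this check, which is why the entropy figure is reported only as supporting context.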
According to Broadcom’s Symantec Threat Hunter Team, the updated tooling is attributed to Witchetty, which as we mentioned, is another name for LookingFrog, a subgroup operating under the TA410 umbrella. The team added the following statement on how the process goes down:
“Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service,” the researchers said. “Downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server.”
Earlier this year, specifically between February and September, the group targeted the governments of two Middle Eastern countries.
However, the attacks did not stop there. In fact, LookingFrog targeted the stock exchange of an African nation as well. These attacks also revealed to the security team that the threat actors are using another backdoor, Stegmap.
Unfortunately, while backdoors vary, their functionalities are almost the same. With Stegmap, the attackers are able to carry out file manipulation operations, terminate processes, make Windows Registry modifications, as well as download and run executables.
Witchetty – The Frog Maliciously Hops Around
Delivering malware in such ways shows how evolved threat actors have become. You can now be targeted by simply downloading an image.
Cybercriminals don’t differentiate between victims. While governments seem to be huge targets, you, as an individual, can be on their list. All you have to do is take the proper precautions in order to protect your private information. Don’t trust sources blindly – stay vigilant.