Steganography used in campaigns targeting the Middle East and Africa

At a glance.

  • Steganography used in campaigns targeting the Middle East and Africa.
  • Supply chain attack, possibly from Chinese intelligence services.
  • Ransomware as a cover for espionage.
  • New Lazarus activity: bring-your-own-vulnerable-driver.

Steganography used in campaigns targeting the Middle East and Africa.

Symantec says the Witchetty cyberespionage actor has been using the ProxyShell and ProxyLogon vulnerabilities to target “the governments of two Middle Eastern countries and the stock exchange of an African nation.” Witchetty (also known as LookingFrog) has some tenuous links to the China-based APT10, although Symantec doesn’t make any formal attribution.

The researchers explain that one of the threat actor’s new tools “leverages steganography to extract its payload from a bitmap image. Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files. A DLL loader downloads a bitmap file from a GitHub repository. The file appears to be simply an old Microsoft Windows logo. However, the payload is hidden within the file and is decrypted with an XOR key.”

Supply chain attack, possibly from Chinese intelligence services.

CrowdStrike warns that a suspected Chinese threat actor carried out a supply-chain attack by compromising a popular commercial chat product distributed by Vancouver-based customer service firm Comm100:

“Malware is delivered via a signed Comm100 installer that was downloadable from the company’s website. The installer was signed on September 26, 2022 at 14:54:00 UTC using a valid Comm100 Network Corporation certificate. CrowdStrike Intelligence can confirm that the Microsoft Windows 7+ desktop agent hosted at https[:]//dash11.comm100[.]io/livechat/electron/10000/Comm100LiveChat-Setup-win.exe that was available until the morning of September 29 was a trojanized installer. Comm100 has since released an updated installer (10.0.9).”

It’s not yet clear how many entities downloaded the malicious installer, but Reuters says “A person familiar with the matter cited a dozen known victims, although the actual figure could be much higher.” CrowdStrike adds that the “trojanized file was identified at organizations in the industrial, healthcare, technology, manufacturing, insurance and telecommunications sectors in North America and Europe.” The Record notes that Comm100 says it has “more than 15,000 customers across 51 countries.”

Ransomware as a cover for espionage.

Researchers at Sygnia have tied the Cheerscrypt and Night Sky ransomware actors to a single Chinese threat actor dubbed “Emperor Dragonfly,” (also tracked as BRONZE STARLIGHT by Secureworks and DEV-0401 by Microsoft). BleepingComputer notes that Secureworks suspects that the threat actor uses dual-extortion ransomware attacks as a cover for state-sponsored cyberespionage operations.

Sygnia’s researchers explain, “Unlike other ransomware groups, Emperor Dragonfly does not operate in an affiliate model and refrain from purchasing initial access from other threat actors. Instead, they manage all stages of the attack lifecycle on their own. The group often rebrand their ransomware payloads, which helps them stay under the radar and avoid sanctions – as they have the appearance of being several, smaller ransomware groups.”

New Lazarus activity: bring-your-own-vulnerable-driver.

Researchers at ESET say that North Korea’s Lazarus Group used Amazon-themed spearphishing documents to target “an employee of an aerospace company in the Netherlands, and a political journalist in Belgium.” The goal of the campaign, which occurred last autumn, was data theft. The researchers note that the attackers exploited a vulnerability in Dell DBUtil drivers, which was patched in May 2021:

“The most notable tool delivered by the attackers was a user-mode module that gained the ability to read and write kernel memory due to the CVE-2021-21551 vulnerability in a legitimate Dell driver. This is the first ever recorded abuse of this vulnerability in the wild. The attackers then used their kernel memory write access to disable seven mechanisms the Windows operating system offers to monitor its actions, like registry, file system, process creation, event tracing etc., basically blinding security solutions in a very generic and robust way.”

BleepingComputer explains that the threat actor utilized a “Bring Your Own Vulnerable Driver” technique:

“A Bring Your Own Vulnerable Driver (BYOVD) attack is when threat actors load legitimate, signed drivers in Windows that also contain known vulnerabilities. As the kernel drivers are signed, Windows will allow the driver to be installed in the operating system. However, the threat actors can now exploit the driver’s vulnerabilities to launch commands with kernel-level privileges.”


Leave a Reply

Your email address will not be published. Required fields are marked *