{"id":48695,"date":"2022-10-02T12:56:07","date_gmt":"2022-10-02T12:56:07","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/steganography-alert-backdoor-spyware-stashed-in-microsoft-logo\/"},"modified":"2022-10-02T12:56:07","modified_gmt":"2022-10-02T12:56:07","slug":"steganography-alert-backdoor-spyware-stashed-in-microsoft-logo","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/steganography-alert-backdoor-spyware-stashed-in-microsoft-logo\/","title":{"rendered":"Steganography alert: Backdoor spyware stashed in Microsoft logo"},"content":{"rendered":"

Internet snoops have been caught concealing spyware in an old Windows logo in an attack on governments in the Middle East.<\/p>\n

The Witchetty gang used steganography to stash backdoor Windows malware \u2013 dubbed Backdoor.Stegmap \u2013 in the bitmap image.<\/p>\n

“Although rarely used by attackers, if successfully executed, steganography can be leveraged to disguise malicious code in seemingly innocuous-looking image files,” researchers at Symantec’s Threat Hunter Team wrote this week<\/a>. “Disguising the payload in this fashion allowed the attackers to host it on a free, trusted service.”<\/p>\n

\"windows\"<\/a><\/p>\n

Looks harmless, although sysadmins may disagree … The pic used for the payload. Source: Symantec<\/p>\n<\/div>\n

From what we can tell, Witchetty first compromises a network, getting into one or more systems, then downloads this image from, say, a repository on GitHub, unpacks the spyware within it, and runs it.<\/p>\n

Hiding the payload in this way, and placing the file somewhere innocuous online, is a big advantage in evading security software, as “downloads from trusted hosts such as GitHub are far less likely to raise red flags than downloads from an attacker-controlled command-and-control (C&C) server,” the team said.<\/p>\n