‘Witchetty’ group targeted Middle Eastern gov'ts, stock exchange of African nation

A cyber espionage group is targeting the governments of several Middle Eastern nations and has previously attacked the stock exchange of an African country, using malware to steal troves of data. 

In a report published Thursday, the Symantec Threat Hunter Team named the espionage group “Witchetty” but said it has also been known as “LookingFrog.”

Attacks by Witchetty are identified by the use of two pieces of malware: one known as X4 and a second-stage payload known as LookBack. 

“From what we can see, their end goal is classic espionage, finding computers on the network, stealing data and exfiltrating it out of the organization,” said Dick O’Brien, a member of the Symantec Threat Hunter team.

The group has been updating its tools in recent months to employ steganography – a practice where hackers hide malicious code within an image. In Witchetty’s case, they hide the malware in a Microsoft Windows logo. 


The image used to spread the malware. (Symantec)
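The article does not say how Witchetty embeds its payload in the Windows logo, so the following is an added example of one generic defender-side check, not Symantec's detection logic or a description of the group's tooling. It walks a PNG's chunk list to the IEND chunk (or reads a BMP's declared file size) and reports how many bytes sit beyond the point where the image format says the file should end; payloads simply concatenated onto an image show up this way. The image bytes and the appended marker are constructed in the script itself; the function and file names are assumptions.

```python
"""Flag image files that carry data beyond their declared end of image.

Added example (not from the original article or from Symantec). The sample
images and the appended bytes are constructed below so the script runs offline.
"""
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def png_declared_length(data: bytes):
    """Walk PNG chunks; return the offset just past IEND, or None if malformed."""
    if not data.startswith(PNG_MAGIC):
        return None
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        chunk_end = pos + 8 + length + 4  # 8-byte header + payload + 4-byte CRC
        if chunk_end > len(data):
            return None  # truncated chunk: not a well-formed PNG
        if ctype == b"IEND":
            return chunk_end
        pos = chunk_end
    return None


def bmp_declared_length(data: bytes):
    """BMP stores the total file size as a little-endian uint32 at offset 2."""
    if len(data) < 14 or data[:2] != b"BM":
        return None
    return struct.unpack("<I", data[2:6])[0]


def trailing_bytes(data: bytes) -> int:
    """Bytes after the declared end of image: 0 = clean, -1 = unrecognised format."""
    end = png_declared_length(data)
    if end is None:
        end = bmp_declared_length(data)
    if end is None:
        return -1
    return max(0, len(data) - end)


def scan(files: dict) -> dict:
    """Map file name -> trailing byte count for every file that carries extra data."""
    return {name: n for name, data in files.items() if (n := trailing_bytes(data)) > 0}


# --- constructed sample images (not real Witchetty artefacts) ---------------

def make_png(width: int = 1, height: int = 1) -> bytes:
    """Build a minimal valid 8-bit RGB PNG of the given size."""
    def chunk(ctype: bytes, payload: bytes) -> bytes:
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x00\x00\x00" * width for _ in range(height))
    return PNG_MAGIC + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b"")


def make_bmp() -> bytes:
    """Build a minimal valid 1x1 24-bit BMP with a correct size field."""
    pixel = b"\x00\x00\x00\x00"  # one BGR pixel padded to a 4-byte row
    size = 14 + 40 + len(pixel)
    header = b"BM" + struct.pack("<IHHI", size, 0, 0, 54)
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    return header + dib + pixel


if __name__ == "__main__":
    samples = {
        "clean.png": make_png(),
        "clean.bmp": make_bmp(),
        "suspect.png": make_png() + b"CONSTRUCTED-PAYLOAD",  # hypothetical appended blob
        "suspect.bmp": make_bmp() + b"XXXXX",
    }
    for name, extra in scan(samples).items():
        print(f"{name}: {extra} bytes beyond declared end of image")
```

This catches only the crude "append or concatenate" case; a payload encoded inside the pixel data (least-significant-bit steganography, for instance) leaves the chunk structure intact and needs pixel-level statistics or a hash comparison against the known-good logo instead. In practice the check is most useful run over image files found in unusual locations, such as web server or user profile directories on a host already suspected of compromise.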

Symantec tracked attacks by the group from February to September, noting that in the three incidents they saw, the attackers exploited ProxyShell (CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207) and ProxyLogon (CVE-2021-26855 and CVE-2021-27065) vulnerabilities to gain access.

Several national cybersecurity agencies have said ProxyShell and ProxyLogon are considered some of the most popular vulnerabilities exploited by threat groups.

From there, they stole credentials, moved laterally across the network and installed malware on other computers. 

The attack on a Middle Eastern government agency started on February 27 after the attackers exploited the ProxyShell vulnerability. Over the next few months, the hackers moved around the network, exfiltrated data and stole other information. 

The last actions took place on September 1, when the hackers downloaded several remote files. 

“Witchetty has demonstrated the ability to continually refine and refresh its toolset in order to compromise targets of interest,” the researchers said. 

“Exploitation of vulnerabilities on public-facing servers provides it with a route into organizations, while custom tools paired with adept use of living-off-the-land tactics allow it to maintain a long term, persistent presence in targeted organizations.”

O’Brien told The Record that they do not have enough information to make an attribution at the moment, but noted in the report that Witchetty was first documented in April by researchers with ESET, who said it was tied to a broader cyber-espionage operation linked to the Chinese state-backed advanced persistent threat (APT) group known as Cicada or APT10.

ESET reported that the group has targeted governments, diplomatic missions, charities, and industrial/manufacturing organizations. 

Symantec previously tied the group to an attack campaign targeting the VLC Media Player, leading the Indian government to outright ban the popular program earlier this year. In February, the group was accused of carrying out a months-long attack against Taiwan’s financial sector.

Anonymous research group IntrusionTruth revealed in 2018 that APT10 was based in Tianjin, China, and allegedly operated out of the Tianjin State Security Bureau, a regional arm of the Chinese Ministry of State Security.

Rapid7 and Recorded Future implicated the group in another attack on Norwegian cloud service provider Visma AG in the summer of 2018.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.