Windows Logos can be used for spreading malware in systems

Published October 3, 2022
Author: Ash Khan


A Chinese state-linked group is smuggling a backdoor onto victim systems inside an image file.

Attackers have managed to hide malicious code inside a bitmap of a Windows logo and use that image to deliver a backdoor. Image files like logos were assumed to be harmless, but that assumption no longer holds. Hiding data inside an innocuous carrier file in this way is known as steganography.

Steganography is used here to avoid detection by antivirus and network security tools: an image that parses and renders as a valid picture draws little scrutiny, and because the embedded payload is also encrypted, signature-based scanning of the file finds nothing recognisable.

The group behind this steganography campaign is tracked as Witchetty. It has been tied to the Chinese state-sponsored actor Cicada (APT10), and is also believed to be part of the larger TA410 operation, which has attacked US energy providers in the past.

In a campaign that began in February 2022 the group compromised the governments of two countries in the Middle East, and its intrusion into the stock exchange of an African nation was still active at the time of the report. Witchetty uses steganography to hide an XOR-encrypted backdoor inside a bitmap of an old Windows logo hosted on a cloud service; the innocuous-looking image and the encrypted payload together reduce the chance of detection on the victim system. For initial access the attackers exploited known Microsoft Exchange Server vulnerabilities (the ProxyShell and ProxyLogon chains): CVE-2021-34473, CVE-2021-31207, CVE-2021-34523, CVE-2021-26855 and CVE-2021-27065.
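The following Python script is an added illustration of the two ideas above (a payload hidden in an image and XOR-encrypted, and how a defender can still find it); it is not code from the article or from the Witchetty toolset. It builds a flat-colour 24-bit BMP "logo", overwrites part of the pixel data with a single-byte-XOR-encoded stand-in for a PE file (a constructed DOS stub, not malware), and then scans the image by brute-forcing the key and looking for the "This program cannot be run in DOS mode" string. The single-byte key, the embed offset and the crib are assumptions for the demo; the real campaign's key and layout are not described on this page.

```python
import math
import struct
from collections import Counter

# Constructed stand-in for an encrypted backdoor: the first bytes of a PE/DOS
# stub followed by filler. Example data only, not a real payload.
FAKE_PE = (b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
           + b"\x00" * 40
           + b"This program cannot be run in DOS mode.\r\n$"
           + bytes(range(256)))

PE_CRIB = b"This program cannot be run in DOS mode"


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: trivial, but enough to break byte-signature matching."""
    return bytes(b ^ key for b in data)


def build_bmp(width: int, height: int, colour=(0x00, 0x78, 0xD4)) -> bytearray:
    """Return a valid flat-colour 24-bit BMP (a stand-in for a logo image)."""
    row_size = (width * 3 + 3) & ~3          # rows are padded to 4 bytes
    pixels = bytearray()
    for _ in range(height):
        pixels += bytes(colour) * width + b"\x00" * (row_size - width * 3)
    # BITMAPINFOHEADER (40 bytes) and BITMAPFILEHEADER (14 bytes, pixel offset 54)
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, 0,
                       len(pixels), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    return bytearray(header + info + pixels)


def embed(bmp: bytearray, payload: bytes, key: int, offset: int) -> bytearray:
    """Overwrite pixel bytes at `offset` with the XOR-encoded payload.

    The file still parses and renders as a BMP; a few rows just look like noise.
    A loader that knows the offset and key reads the bytes back and decodes them.
    """
    if offset < 54 or offset + len(payload) > len(bmp):
        raise ValueError("payload does not fit inside the pixel area")
    out = bytearray(bmp)
    out[offset:offset + len(payload)] = xor_bytes(payload, key)
    return out


def pixel_region(bmp: bytes):
    """Return (offset, bytes) of the pixel data using the BMP header's offset."""
    off = struct.unpack_from("<I", bmp, 10)[0]
    return off, bytes(bmp[off:])


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; a flat logo scores low, an embedded blob pushes it up."""
    n = len(data)
    counts = Counter(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_xor_pe(bmp: bytes, crib: bytes = PE_CRIB):
    """Brute-force every single-byte XOR key over the pixel data and look for
    the DOS-stub crib. Returns (key, absolute offset of 'MZ') or None.
    Assumes a single-byte repeating key (an assumption for this demo)."""
    start, body = pixel_region(bmp)
    for key in range(256):
        decoded = xor_bytes(body, key)
        i = decoded.find(crib)
        if i == -1:
            continue
        mz = decoded.rfind(b"MZ", 0, i)      # nearest DOS header before the crib
        if mz != -1:
            return key, start + mz
    return None


if __name__ == "__main__":
    clean = build_bmp(64, 64)
    stego = embed(clean, FAKE_PE, key=0x5A, offset=54 + 192 * 10)
    print("clean entropy:", round(shannon_entropy(pixel_region(clean)[1]), 2))
    print("stego entropy:", round(shannon_entropy(pixel_region(stego)[1]), 2))
    print("clean scan:", find_xor_pe(bytes(clean)))
    print("stego scan:", find_xor_pe(bytes(stego)))
```

The entropy check is only a heuristic (photographs score high too); the crib search is the reliable part, and the same approach works on any container format once you know where the non-header bytes start. Raising the key length beyond one byte makes brute force more expensive, which is why known-plaintext cribs of this length matter: the DOS stub text is long enough to recover a short repeating key directly.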

According to Symantec, hiding the payload in an image lets the attackers host it on a trusted service. A download of an image from a well-known host such as GitHub raises far fewer red flags than traffic to an attacker-controlled server, so the staging infrastructure blends in with legitimate activity.

Once decoded and executed, the backdoor allows the attacker to run and terminate processes, tamper with files and folders, modify the Windows registry, steal documents, download additional malware, and turn the compromised endpoint into a command-and-control (C2) server.

Cicada has previously used a modified copy of the VLC media player to deliver malware to government agencies and adjacent organisations in Canada, the USA, Turkey, Hong Kong, India, Israel, Italy, and Montenegro. The lesson is the same here: image files such as logos, once regarded as harmless, can no longer be treated as safe by default.