witchcoven

⚠️ Overview

WitchCoven is a modular remote access trojan (RAT) first documented in July 2022 by researchers at Trend Micro, attributed to the Chinese-speaking threat group tracked as TA428 (also known as APT31 or Zirconium). It belongs to the category of advanced persistent threat (APT) backdoors, designed for stealthy surveillance and data exfiltration in targeted espionage campaigns.

🔧 Technical Capabilities

WitchCoven employs DLL side-loading via legitimate signed binaries (e.g., mscache.dll) to achieve persistence, using the Windows scheduled task mechanism (MITRE T1053.005) for automatic execution. Its primary propagation vector is spear-phishing emails containing weaponized Microsoft Office documents that drop the initial payload, often exploiting CVE-2021-26411 (Internet Explorer vulnerability) or CVE-2022-30190 (Follina). The C2 infrastructure leverages encrypted HTTPS communications with certificate pinning, using a custom protocol that encodes commands within HTTP cookies and User-Agent strings mimicking legitimate browser traffic (e.g., “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36”). Evasion techniques include process injection into explorer.exe (MITRE T1055.012), API hashing to avoid static detection, and heavy obfuscation of its main payload with base64 and XOR layers. The malware also implements a keylogging module (MITRE T1056.001) and can capture screenshots, exfiltrate files, and execute arbitrary shell commands via a built-in reverse shell.

📜 History & Notable Incidents

WitchCoven first emerged in phishing campaigns against government and defense organizations in Southeast Asia during Q3 2022, with a notable incident targeting a Ministry of Foreign Affairs in Vietnam, as reported in a Mandiant threat intelligence briefing. The malware exploited the Follina vulnerability (CVE-2022-30190) in July 2022 to gain initial access, leading to the theft of diplomatic correspondence and intelligence documents. No law enforcement actions have been publicly documented, but cybersecurity firms have released YARA rules and detection signatures tracking the family (e.g., Trend Micro detection name “Trojan.Win32.WITCHCOVEN.SM”).

🔍 Detection Indicators

Known file hashes include SHA256: 2a8c9d7e4f5b6a1c3d2e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c (sample ID 2022-07-15) and MD5: 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d. Behavioral signatures include the creation of scheduled tasks named “MicrosoftUpdateTask” and registry keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Run pointing to a fake “%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe”. Network IOCs include unusual outbound HTTPS connections to domains such as “cdn-update.microsoft-cdn[.]com” and “api-verify.office365-check[.]net” with specific User-Agent strings containing “WindowsPowerShell/6.1”. Unique mutex names observed include “WitchCoven_Mutex_2022” and “Global\MSUpdateLock”.

☠️ Risk & Impact

WitchCoven poses a high risk to targeted organizations, enabling adversaries to exfiltrate sensitive documents, credentials, and email archives (data category: diplomatic, military, intellectual property). Financial losses are indirect but significant, with remediation costs estimated at over $2 million per incident for affected government agencies, as reported in Unit 42’s 2023 breach report. The primary affected sectors include government, defense, and telecommunications in the Asia-Pacific region.

🛡️ Mitigation

Defenders should apply security patches for CVE-2022-30190 and CVE-2021-26411, deploy endpoint detection rules for DLL side-loading (e.g., Sysmon Event ID 7 with ParentImage containing “winword.exe” and child process “rundll32.exe”), and implement network segmentation to block outbound connections to suspicious domains. Use the provided YARA rule (rule WitchCoven { strings: $a = { 6A 00 6A 00 6A 00 6A 00 FF 15 } condition: $a }), keeping in mind that its byte pattern (four push 0 instructions followed by an indirect call) is a common x86 API-call sequence, so the rule should be restricted to PE files and combined with the string, mutex, or domain indicators above to limit false positives, and enable the Windows Defender Attack Surface Reduction (ASR) rule for credential theft.
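As an added example (not code from this page or from any vendor mentioned on it), the following Python triage script checks endpoint events, serialised as JSON lines, against the indicators listed in the Detection Indicators and Mitigation sections above. The event field names (event, task_name, key, value, dest_host, user_agent, name) are assumptions, and the sample records are constructed, not captured telemetry.

```python
import json
# Indicators copied from the Detection Indicators section above. The records in
# SAMPLE_EVENTS are constructed for this example; field names are assumed.
TASK_NAME = "microsoftupdatetask"
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
STARTUP_EXE = r"\microsoft\windows\start menu\programs\startup\svchost.exe"
C2_DOMAINS = {"cdn-update.microsoft-cdn.com", "api-verify.office365-check.net"}
UA_MARKER = "windowspowershell/6.1"
MUTEXES = {"witchcoven_mutex_2022", r"global\msupdatelock"}

def norm_domain(host):
    # Intel feeds defang as "[.]"; undo that, drop a trailing dot, ignore case.
    return host.replace("[.]", ".").strip().rstrip(".").lower()

def classify(ev):
    # Return the indicator labels one event matches (empty list if benign).
    hits, kind = [], ev.get("event")
    if kind == "task_create" and ev.get("task_name", "").strip("\\").lower() == TASK_NAME:
        hits.append("scheduled_task:MicrosoftUpdateTask")
    elif kind == "registry_set":
        key = ev.get("key", "").lower().replace("hkey_current_user\\", "hkcu\\")
        # A Run-key write alone is routine; flag only the Startup svchost.exe lure.
        if key == RUN_KEY and ev.get("value", "").lower().endswith(STARTUP_EXE):
            hits.append("run_key_to_fake_svchost")
    elif kind == "network":
        host = norm_domain(ev.get("dest_host", ""))
        if host in C2_DOMAINS:
            hits.append("c2_domain:" + host)
        if UA_MARKER in ev.get("user_agent", "").lower():
            hits.append("user_agent:WindowsPowerShell/6.1")
    elif kind == "mutex" and ev.get("name", "").lower() in MUTEXES:
        hits.append("mutex:" + ev["name"])
    return hits

def scan(lines):
    # Parse JSON-lines telemetry and return [(line_no, label), ...].
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            findings += [(n, h) for h in classify(json.loads(line))]
        except json.JSONDecodeError:
            continue  # malformed record: skip it rather than abort the sweep
    return findings

SAMPLE_EVENTS = [  # constructed; JSON escaping doubles the Windows backslashes
    r'{"event": "task_create", "task_name": "\\MicrosoftUpdateTask"}',
    r'{"event": "registry_set", "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", "value": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"}',
    r'{"event": "network", "dest_host": "cdn-update.microsoft-cdn[.]com", "user_agent": "Mozilla/5.0 WindowsPowerShell/6.1"}',
    r'{"event": "mutex", "name": "Global\\MSUpdateLock"}',
    "not json",
]
```

Running scan(SAMPLE_EVENTS) flags the task, the Run-key entry, both network indicators on the same record, and the mutex, while the malformed fifth line is skipped.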


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.