The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]

ID: G0089
Version: 1.1
Created: 02 May 2019
Last Modified: 30 March 2020

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1203 | Exploitation for Client Execution | The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE-2012-0158) to execute code.[1] |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | The White Company has the ability to delete its malware entirely from the target system.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | The White Company has obfuscated their payloads through packing.[1] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[1] |
| Enterprise | T1124 | System Time Discovery | The White Company has checked the current date on the victim system.[1] |
| Enterprise | T1204.002 | User Execution: Malicious File | The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[1] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0198 | NETWIRE | [1] | Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Plist Modification, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Launch Agent, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Staged: Local Data Staging, Encrypted Channel, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Invalid Code Signature, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information, Obfuscated Files or Information: Software Packing, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Process Hollowing, Process Injection, Proxy, Scheduled Task/Job: Scheduled Task, Scheduled Task/Job: Cron, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, User Execution: Malicious File, User Execution: Malicious Link, Web Service |
| S0379 | Revenge RAT | [1] | Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Data Encoding: Standard Encoding, Indirect Command Execution, Ingress Tool Transfer, Input Capture: Keylogging, OS Credential Dumping, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Screen Capture, Signed Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture, Web Service: Bidirectional Communication |

References