The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]

ID: G0089
Version: 1.0
Created: 02 May 2019
Last Modified: 12 June 2019

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1203 | Exploitation for Client Execution | The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE-2012-0158) to execute code.[1] |
| Enterprise | T1107 | File Deletion | The White Company has the ability to delete its malware entirely from the target system.[1] |
| Enterprise | T1063 | Security Software Discovery | The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[1] |
| Enterprise | T1045 | Software Packing | The White Company has obfuscated their payloads through packing.[1] |
| Enterprise | T1193 | Spearphishing Attachment | The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.[1] |
| Enterprise | T1124 | System Time Discovery | The White Company has checked the current date on the victim system.[1] |
| Enterprise | T1204 | User Execution | The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | The White Company has performed anti-analysis checks to determine if its malware was in a debugging environment.[1] |


| ID | Name | References | Techniques |
|---|---|---|---|
| S0198 | NETWIRE | [1] | Code Signing, Input Capture, Registry Run Keys / Startup Folder, Screen Capture, System Information Discovery |
| S0379 | Revenge RAT | [1] | Audio Capture, Command-Line Interface, Credential Dumping, Data Encoding, Indirect Command Execution, Input Capture, Mshta, PowerShell, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Screen Capture, Scripting, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Uncommonly Used Port, Video Capture, Web Service |