The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]

ID: G0089
Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1203 | Exploitation for Client Execution | The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE-2012-0158) to execute code.[1]
Enterprise | T1107 | File Deletion | The White Company has the ability to delete its malware entirely from the target system.[1]
Enterprise | T1063 | Security Software Discovery | The White Company has checked for specific antivirus products on the target's computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[1]
Enterprise | T1045 | Software Packing | The White Company has obfuscated their payloads through packing.[1]
Enterprise | T1193 | Spearphishing Attachment | The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.[1]
Enterprise | T1124 | System Time Discovery | The White Company has checked the current date on the victim system.[1]
Enterprise | T1204 | User Execution | The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[1]
Enterprise | T1497 | Virtualization/Sandbox Evasion | The White Company has performed anti-analysis checks to determine if its malware was in a debugging environment.[1]

Software

ID | Name | References | Techniques
S0198 | NETWIRE | [1] | Code Signing, Input Capture, Registry Run Keys / Startup Folder, Screen Capture, System Information Discovery
S0379 | Revenge RAT | [1] | Audio Capture, Command-Line Interface, Credential Dumping, Data Encoding, Indirect Command Execution, Input Capture, Mshta, PowerShell, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Scheduled Task, Screen Capture, Scripting, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Uncommonly Used Port, Video Capture, Web Service

References