Whitefly

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[1]

ID: G0107
Version: 1.2
Created: 26 May 2020
Last Modified: 10 April 2024

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command and Scripting Interpreter

Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.[1]

Enterprise | T1068 | Exploitation for Privilege Escalation

Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.[1]

Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking

Whitefly has used search order hijacking to run the loader Vcrodat.[1]

Enterprise | T1105 | Ingress Tool Transfer

Whitefly has the ability to download additional tools from the C2.[1]

Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location

Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[1]

Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File

Whitefly has encrypted the payload used for C2.[1]

Enterprise | T1588.002 | Obtain Capabilities: Tool

Whitefly has obtained and used tools such as Mimikatz.[1]

Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory

Whitefly has used Mimikatz to obtain credentials.[1]

Enterprise | T1204.002 | User Execution: Malicious File

Whitefly has used malicious .exe or .dll files disguised as documents or images.[1]

Software

References