Whitefly
Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1059 | Command and Scripting Interpreter |
Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.[1] |
|
| Enterprise | T1068 | Exploitation for Privilege Escalation |
Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.[1] |
|
| Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking |
Whitefly has used search order hijacking to run the loader Vcrodat.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
Whitefly has the ability to download additional tools from the C2.[1] |
|
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[1] |
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1588 | .002 | Obtain Capabilities: Tool | |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1204 | .002 | User Execution: Malicious File |
Whitefly has used malicious .exe or .dll files disguised as documents or images.[1] |