Whitefly

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[1]

ID: G0107
Version: 1.0
Created: 26 May 2020
Last Modified: 27 May 2020

Techniques Used

Domain ID Name Use
Enterprise T1059 Command and Scripting Interpreter

Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.[1]

Enterprise T1068 Exploitation for Privilege Escalation

Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.[1]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

Whitefly has used search order hijacking to run the loader Vcrodat.[1]

Enterprise T1105 Ingress Tool Transfer

Whitefly has the ability to download additional tools from the C2.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[1]

Enterprise T1027 Obfuscated Files or Information

Whitefly has encrypted the payload used for C2.[1]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Whitefly has used Mimikatz to obtain credentials.[1]

Enterprise T1204 .002 User Execution: Malicious File

Whitefly has used malicious .exe or .dll files disguised as documents or images.[1]

Software

ID Name References Techniques
S0002 Mimikatz

[1]

Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, OS Credential Dumping: LSASS Memory, OS Credential Dumping: DCSync, OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Use Alternate Authentication Material: Pass the Ticket

References