The term WhiteBear is used both for the activity group (a subset of G0010) as well as the malware observed. Based on similarities in behavior and C2, WhiteBear is assessed to be the same as S0168. 
|Enterprise||T1071||.001||Application Layer Protocol: Web Protocols|
|Enterprise||T1547||.001||Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder||
Gazer can establish persistence by creating a .lnk file in the Start menu.
|.004||Boot or Logon Autostart Execution: Winlogon Helper DLL||
Gazer can establish persistence by setting the value "Shell" with "explorer.exe, %malware_pathfile%" under the Registry key
|.009||Boot or Logon Autostart Execution: Shortcut Modification||
Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.
|Enterprise||T1573||.001||Encrypted Channel: Symmetric Cryptography|
|.002||Encrypted Channel: Asymmetric Cryptography|
|Enterprise||T1546||.002||Event Triggered Execution: Screensaver||
Gazer can establish persistence through the system screensaver by configuring it to execute the malware.
|Enterprise||T1564||.004||Hide Artifacts: NTFS File Attributes||
Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.
|Enterprise||T1070||.004||Indicator Removal: File Deletion||
Gazer has commands to delete files and persistence mechanisms from the victim.
|.006||Indicator Removal: Timestomp||
For early Gazer versions, the compilation timestamp was faked.
|Enterprise||T1105||Ingress Tool Transfer|
|Enterprise||T1027||Obfuscated Files or Information||
Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.
Gazer injects its communication module into an Internet accessible process through which it performs C2.
|.003||Thread Execution Hijacking||
Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process.
|Enterprise||T1053||.005||Scheduled Task/Job: Scheduled Task||
Gazer can establish persistence by creating a scheduled task.
|Enterprise||T1553||.002||Subvert Trust Controls: Code Signing||
Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for "Solid Loop Ltd," and another was issued for "Ultimate Computer Support Ltd."
|Enterprise||T1033||System Owner/User Discovery|