New Threat Group Using Old Technique to Run Custom Malware

  /     /     /  
Publicated : 23/11/2024   Category : security


New Threat Group Using Old Technique to Run Custom Malware


Whitefly is exploiting DLL hijacking with considerable success against organizations since at least 2017, Symantec says.



Whitefly, a previously unknown threat group targeting organizations in Singapore, is the latest to demonstrate just how effective some long-standing attack techniques and tools continue to be for breaking into and maintaining persistence on enterprise networks.
In a report Wednesday, Symantec identified Whitefly as the group responsible for an attack on Singapore healthcare organization SingHealth last July that resulted in the theft of 1.5 million patient records. The attack is one of several that Whitefly has carried out in Singapore since at least 2017.
Whiteflys targets have included organizations in the telecommunications, healthcare, engineering, and media sectors. Most of the victims have been Singapore-based companies, but a handful of multinational firms with operations in the country have been affected as well.
Like many threat groups, Whitefly has been using a combination of custom malware, open source tools, and living-off-the-land tactics in its attacks. One of them is a well-documented technique known as search-order hijacking or DLL load-order attacks.
Whitefly has been consistently using the approach to run a custom malware tool called Vcrodat on compromised systems. Vcrodat is designed to decrypt, load, and launch files to run in memory on victim systems,
according
to Symantec.
Search-order hijacking is a well-known technique that other attackers have used for quite some time, says Jon DiMaggio, senior threat intelligence analyst at Symantec.
The
technique
 exploits the predictable manner in which Windows loads dynamic link libraries (DLLs) when an application itself does not explicitly specify the path. Attackers can abuse the process to get Windows to load a malicious DLL instead of the legitimate one.
If the import name of the DLL matches the name of an authorized library, the OS will map the DLL to the process in memory of the victim system, DiMaggio says. With Vcrodat, for instance, what Whitefly frequently has been doing is using DLLs with the same name as DLLs belonging to legitimate security software. Defeating search order hijacking on its own can be difficult since it is not a recognized vulnerability but instead a legitimate OS component being misused, DiMaggio says.
But security and anti-malware tools exist that can prevent malicious DLLs from running. And keeping apps and operating systems properly patched can mitigate the risk too, he says.
In addition to DLL hijacking, Whitefly has been using other commonly known tools in its attacks as well. For instance, once the group compromises an initial computer, it maps the network and tries to infect other computers. The group has been does this using the open source Mimikatz credential gathering tool and another open source tool that exploits a previously known Windows privilege escalation vulnerability (
CVE-2016-0051
). If the victim had patched against this vulnerability, the attack would be unsuccessful and the attacker would be forced to find another infection vector, DiMaggio says.
Whitefly has also been using a combination of legitimate tools such as PowerShell and other publicly available hacking tools — such as those used for penetration testing — to remain undetected on compromised networks for as long as possible.
By living off the land and using tools already in the environment, Whitefly has been blending its malicious activity with traffic and tool use associated with legitimate administrative activity. Since anyone can download these tools, its almost impossible to use them for attribution, DiMaggio notes.
Whitefly currently appears to be focused only on organizations in Singapore. But its tactics, techniques, and procedures are similar to those used by numerous other groups, including low-level cybercrime gangs that increasingly have been borrowing ideas from persistent threat actors and state-sponsored players.
Importantly, some of the tools that the group has developed — including Vcrodat and a multipurpose command tool — have been used in attacks outside Singapore. While it is possible that Whitefly was responsible for these attacks, it is more likely that other attackers have access to the same tools, Symantec said in its report.
Attackers continue to use creative ways to infect targets, DiMaggio says. Whitefly is persistent and has been successful at compromising targets and maintaining an undetected presence on the victim network for months at a time. For enterprise organizations, such campaigns highlight the need to monitor for both malicious and legitimate activity, he says.
Related Content:
New Threat Group Conducts Malwareless Cyber Espionage
Attackers Using Legitimate Remote Admin Tool in Multiple Threat Campaigns
CrowdStrike: More Organizations Now Self-Detect Their Own Cyberattacks
10 Ways to Protect Protocols That Arent DNS
  
 
 
Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industrys most knowledgeable IT security experts. Check out the
Interop agenda
here.

Last News

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security

▸ Debunking Machine Learning in Security. ◂
Discovered: 23/12/2024
Category: security

▸ Researchers create BlackForest to gather, link threat data. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
New Threat Group Using Old Technique to Run Custom Malware