Starwhale is malicious software (malware) identified by Mandiant during an intrusion investigation; it operates as a Windows Script File (WSF) backdoor. The malware communicates over HTTP with a command and control (C2) server, receives commands from it, and executes them through the Windows command interpreter cmd.exe. Starwhale typically reaches systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once installed, it can disrupt operations, steal personal information, or hold data for ransom. It was observed being launched with the command-line argument "humpback__whale", which the script uses to resolve its functions dynamically at runtime through the VBScript function GetRef.
During the same intrusion, Mandiant also identified another targeted malware, named Gramdoor, which shares significant design similarities with Starwhale but is written in Golang. Both Starwhale and Gramdoor implement simple backdoor functionality and share logic in the custom encoding scheme applied to data and commands exchanged with their respective C2 servers. Additionally, both were observed passing commands and responses back and forth through Telegram chat messages, as demonstrated by code snippets from the samples.
Starwhale keeps a persistent channel to its hardcoded C2 server by issuing continuous HTTP POST requests. If the initial request succeeds, it begins sending a session key to the C2 server in a loop. The malware also uses the custom delimiter "|!)!)!|" to separate the system enumeration information it passes in the POST request parameter. Starwhale.GO, a variant of Starwhale, uses a different delimiter, "|&&%&&|", but sends the same enumerated information to its hardcoded C2 IP address. These findings underscore the complexity and adaptability of the Starwhale malware.
Description last updated: 2024-05-05T03:45:01.817Z