STARWHALE

Malware Profile Updated 3 months ago
Starwhale is malware identified by Mandiant during an investigation. It operates as a Windows Script File (WSF) backdoor that communicates over HTTP with a command and control (C2) server, receives commands, and executes them through Windows cmd.exe. Starwhale typically reaches systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once installed, it can disrupt operations, steal personal information, or even hold data for ransom. It was observed being executed with the command-line argument "humpback__whale", which the code uses to resolve functions dynamically at runtime via the VBScript function GetRef.

During the intrusion, Mandiant also identified another targeted malware, Gramdoor, which shares significant design similarities with Starwhale but is written in Golang. Both Starwhale and Gramdoor implement simple backdoor functionality and share logic in the custom encoding scheme applied to data and commands exchanged with their respective C2 servers. Both were also found to pass commands back and forth through Telegram chat messages, as shown by specific code snippets.

Starwhale uses a unique persistence method, communicating with its hardcoded C2 server through continuous HTTP POST requests. If the initial request succeeds, it begins sending a session key to its C2 server in a loop. The malware uses the custom delimiter "|!)!)!|" to separate the system enumeration information passed in the POST request parameter. Starwhale.GO, a variant of Starwhale, uses a different delimiter, "|&&%&&|", but sends the same enumerated information to its hardcoded C2 IP address. These findings underscore the complexity and adaptability of the Starwhale malware.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Mandiant
Backdoor
Windows
Malware
Beacon
Telegram
Associated Malware
No associations to display
Associated Threat Actors
UNC3313 (type: Unspecified; votes: 1): UNC3313, a threat actor group identified by Mandiant, has been actively involved in cyber-attacks targeting Middle Eastern government and technology entities since the second half of 2021. The group leverages a range of malware families, including GRAMDOOR, a Python-written backdoor that communicate
Associated Vulnerabilities
Starwhale Md5 (type: Unspecified; votes: 1): no description
Source Document References
Information about the STARWHALE malware was read from the document corpus below. This display is limited to 20 results.
Source: MITRE; created: a year ago; title: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity