White Rabbit

Threat Actor updated a month ago (2024-11-29T13:49:33.025Z)
White Rabbit is a notable threat actor in the cybersecurity landscape, known for its malicious activities and association with other prominent hacking groups. The group's name, derived from the character in Alice's Adventures in Quantum Wonderland, signifies its unique approach to cyber attacks. In January 2022, White Rabbit was linked to Syssphinx, another notorious hacking group, when it was discovered that they were using a variant of the Sardonic backdoor, a tool commonly associated with Syssphinx. The group has also been observed using various ransomware families such as Ragnar Locker, White Rabbit, and BlackCat, with particular attention given to their use of the White Rabbit ransomware, which itself is based on Sardonic.

The White Rabbit ransomware is reportedly used by "club members" of the RansomHouse platform, according to Emsisoft's threat analyst Brett Callow. This platform is known for hosting attacks carried out using their own tools, including the White Rabbit ransomware. In addition, White Rabbit has been connected to malicious URLs and is known to exploit AI tools like FraudGPT, WormGPT, DarkBARD, and others to write malicious code, generate phishing pages and messages, identify leaks and vulnerabilities, and create hacking tools.

Cybersecurity company Resecurity also identified, in December, a significant link between White Rabbit and two other ransomware groups, BianLian and Mario. This collaboration was particularly focused on targeting financial services organizations, highlighting a new level of threat posed by these groups. The security firm Bleeping Computer has suggested moderate confidence in linking these attacks to the financially driven FIN8 hacking group, also known as Syssphinx and White Rabbit. Over the past few years, this group has been observed using a number of ransomware threats, further emphasizing the pervasive and evolving nature of the White Rabbit threat actor.
Description last updated: 2024-06-05T20:16:06.437Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Alias Description | Votes
FIN8 is a possible alias for White Rabbit. FIN8, also known as Syssphinx, is a financially motivated cybercrime group that has been active since at least January 2016. This threat actor is notorious for targeting organizations across various sectors including hospitality, retail, entertainment, insurance, technology, chemicals, and finance. | 2
Syssphinx is a possible alias for White Rabbit. Syssphinx, also known as FIN8, is a threat actor that has been active since 2016. This group is known for taking extended breaks between attack campaigns to refine its tactics, techniques, and procedures (TTPs). For instance, Syssphinx had used backdoor malware called Badhatch in attacks since 2019, | 2
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Malware
Alias Description | Association Type | Votes
The Ragnar Locker Malware is associated with White Rabbit. Ragnar Locker is a type of malware, specifically ransomware, known for its destructive impact on computer systems. It infiltrates systems primarily through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operations, or hold data hostage for rans | Unspecified | 2
The Sardonic Malware is associated with White Rabbit. Sardonic is a sophisticated piece of malware, or malicious software, first identified in 2021. It was designed to exploit and damage computer systems, often infiltrating without the user's knowledge through suspicious downloads, emails, or websites. The malware could disrupt operations, steal person | Unspecified | 2
Associated Threat Actors
Alias Description | Association Type | Votes
The BianLian Threat Actor is associated with White Rabbit. BianLian is a threat actor that has been active in cybercrime, leveraging various techniques for malicious intent. Prior to January 2024, the group used an encryptor (encryptor.exe) that modified all encrypted files to have the .bianlian extension and created a ransom note in each affected directory | Unspecified | 2
Source Document References
Information about the White Rabbit Threat Actor was read from the documents corpus below.