Whitefly is a threat actor that has been active since at least 2017, primarily targeting organizations in Singapore across various sectors with the intent to steal large volumes of sensitive information. This group is known for its advanced capabilities and extensive arsenal of tools, including custom malware, open-source hacking tools like Termite, and living-off-the-land tactics such as malicious PowerShell scripts. Whitefly first infiltrates its victims using a dropper disguised as a document or image file, which then deploys an executable or dynamic link library (DLL) file to compromise the system.
The group was responsible for the significant SingHealth breach, among other attacks in Singapore between mid-2017 and mid-2018. Once inside a network, Whitefly maps the infrastructure and infects further computers, often maintaining a presence within the targeted organization for months to extract large amounts of data. The use of a multi-purpose command tool by Whitefly has also been detected in attacks against defense, telecoms, and energy targets in Southeast Asia and Russia, indicating its broad reach.
Whitefly's modus operandi involves the use of the DLL search order hijacking technique to run Vcrodat, a malicious DLL that often bears the same name as DLLs belonging to legitimate software from various security vendors. In some instances, the group has deployed another custom malware, Trojan.Nibatad, which also leverages search order hijacking to download an encrypted payload onto the infected computer. Whitefly configures multiple Command & Control (C&C) domains for each target, illustrating its sophisticated approach to maintaining long-term network access and exfiltrating data.
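As an added defender-side illustration of the search order hijacking described above (example code, not part of the original description or any vendor's tooling): the script checks Sysmon-style image-load records (Event ID 7 fields Image, ImageLoaded, Signed, SignatureStatus) against a baseline of where each DLL is normally loaded from, and flags a same-named DLL loaded from elsewhere, in particular from the loading process's own directory or without a valid signature. The baseline, the vendor name ExampleSecurity, and all paths and events are constructed.

```python
"""Flag DLL loads consistent with search order hijacking (added example)."""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed baseline: DLL base name -> directory it is normally loaded from.
# In practice this is built from known-good hosts; the vendor DLL is hypothetical.
BASELINE = {
    "version.dll": r"c:\windows\system32",
    "cryptbase.dll": r"c:\windows\system32",
    "vendorhelper.dll": r"c:\program files\examplesecurity",
}


@dataclass
class ImageLoad:
    image: str             # Sysmon "Image": process that performed the load
    image_loaded: str      # Sysmon "ImageLoaded": full path of the mapped DLL
    signed: bool           # Sysmon "Signed"
    signature_status: str  # Sysmon "SignatureStatus", e.g. "Valid"


def hijack_reason(ev: ImageLoad) -> Optional[str]:
    """Return why the load is suspicious, or None if it matches the baseline."""
    name = ntpath.basename(ev.image_loaded).lower()
    expected_dir = BASELINE.get(name)
    if expected_dir is None:
        return None  # DLL not in the baseline; out of scope for this check
    actual_dir = ntpath.dirname(ev.image_loaded).lower()
    if actual_dir == expected_dir:
        return None
    reasons = [f"{name} loaded from {actual_dir}, expected {expected_dir}"]
    # The loader consults the application's own directory first, so a copy
    # planted beside the executable is the classic hijack placement.
    if actual_dir == ntpath.dirname(ev.image).lower():
        reasons.append("sits in the loading process's own directory")
    if not ev.signed or ev.signature_status.lower() != "valid":
        reasons.append("signature missing or invalid")
    return "; ".join(reasons)


def scan(events: List[ImageLoad]) -> List[Tuple[str, str]]:
    return [(ev.image_loaded, r) for ev in events if (r := hijack_reason(ev))]


# Constructed events: a normal load, then a same-named DLL beside the EXE.
EVENTS = [
    ImageLoad(r"C:\Program Files\ExampleSecurity\agent.exe",
              r"C:\Windows\System32\version.dll", True, "Valid"),
    ImageLoad(r"C:\Program Files\ExampleSecurity\agent.exe",
              r"C:\Program Files\ExampleSecurity\version.dll", False, "Unavailable"),
]
```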
Description last updated: 2024-05-05T13:34:11.155Z