The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]

ID: G0089
Version: 1.1
Created: 02 May 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1203 Exploitation for Client Execution

The White Company has taken advantage of a known vulnerability in the MSCOMCTL.OCX ActiveX control (CVE-2012-0158), reachable through Microsoft Word documents, to execute code.[1]

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

The White Company has obfuscated their payloads through packing.[1]
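Packed payloads compress or encrypt the real code, so the stored bytes look close to random. A common triage check is therefore the Shannon entropy of each PE section: plain x86 code and tables usually sit around 5 to 6.5 bits per byte, while packed or encrypted sections approach 8. The following added example (not code from the original page or from any reporting on The White Company) implements that check over constructed sample sections; the 7.0-bit threshold and the sample section contents are assumptions chosen for illustration, not values taken from the campaign.

```python
import math
import random
from collections import Counter

# Heuristic threshold (assumption): sections above this many bits per byte
# are treated as compressed or encrypted, i.e. likely packed.
PACKED_ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for uniform data, 8.0 for a flat distribution."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def classify_sections(sections: dict[str, bytes],
                      threshold: float = PACKED_ENTROPY_THRESHOLD) -> dict[str, dict]:
    """Return per-section entropy and a 'suspicious' flag for each section."""
    report = {}
    for name, data in sections.items():
        ent = shannon_entropy(data)
        report[name] = {
            "size": len(data),
            "entropy": round(ent, 3),
            "suspicious": ent >= threshold,
        }
    return report


def likely_packed(sections: dict[str, bytes],
                  threshold: float = PACKED_ENTROPY_THRESHOLD) -> bool:
    """A binary is flagged when any non-trivial section exceeds the threshold.

    Resource sections can legitimately contain compressed images, so sections
    named .rsrc are ignored to cut down false positives (a design choice, not a rule).
    """
    report = classify_sections(sections, threshold)
    return any(info["suspicious"] for name, info in report.items()
               if name != ".rsrc" and info["size"] >= 256)


def sample_sections() -> dict[str, bytes]:
    """Constructed sample data standing in for parsed PE sections (not a real binary).

    - .text: a small repeating byte pattern, low entropy, like sparse code/tables.
    - .data: a flat distribution of all 256 byte values, exactly 8.0 bits.
    - UPX1:  seeded pseudo-random bytes, approximating a packed/encrypted section.
    """
    rng = random.Random(1234)  # deterministic so the example is reproducible
    return {
        ".text": (b"\x55\x8b\xec\x83\xec\x40\x00\x00" * 512),
        ".data": bytes(range(256)) * 16,
        "UPX1": rng.randbytes(4096),
    }


if __name__ == "__main__":
    secs = sample_sections()
    for name, info in classify_sections(secs).items():
        print(f"{name:8s} size={info['size']:6d} entropy={info['entropy']:.3f} "
              f"suspicious={info['suspicious']}")
    print("likely packed:", likely_packed(secs))
```

Entropy alone is a triage signal, not proof of packing: encrypted resources, embedded certificates and compressed data blobs also score high, which is why the check is applied per section and combined with other indicators (non-standard section names, a tiny import table, a raw section size far smaller than its virtual size) before a sample is treated as packed.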

Enterprise T1204 .002 User Execution: Malicious File

The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

The White Company has the ability to delete its malware entirely from the target system.[1]

Enterprise T1124 System Time Discovery

The White Company has checked the current date on the victim system.[1]

Enterprise T1518 .001 Software Discovery: Security Software Discovery

The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.[1]

Software

ID Name References Techniques
S0198 NETWIRE [1] Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Proxy, Masquerading: Match Legitimate Name or Location, Masquerading: Invalid Code Signature, Modify Registry, Create or Modify System Process: Launch Agent, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Screen Capture, Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Data Staged: Local Data Staging, File and Directory Discovery, Native API, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, User Execution: Malicious File, User Execution: Malicious Link, System Information Discovery, System Network Connections Discovery, System Network Configuration Discovery, Web Service, Automated Collection, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Process Injection: Process Hollowing, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Hide Artifacts: Hidden Files and Directories, Non-Application Layer Protocol, Scheduled Task/Job: Cron, Scheduled Task/Job: Scheduled Task
S0379 Revenge RAT [1] Boot or Logon Autostart Execution: Winlogon Helper DLL, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Screen Capture, OS Credential Dumping, Data Encoding: Standard Encoding, System Binary Proxy Execution: Mshta, System Information Discovery, System Owner/User Discovery, System Network Configuration Discovery, Web Service: Bidirectional Communication, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Remote Services: Remote Desktop Protocol, Indirect Command Execution, Audio Capture, Scheduled Task/Job: Scheduled Task

References