1. Home
  2. Software
  3. STARWHALE

STARWHALE

STARWHALE is Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.[1][2]

ID: S1037
Associated Software: CANOPY
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 18 August 2022
Last Modified: 11 April 2024

Associated Software Descriptions

Name Description
CANOPY

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 从本地系统获取数据

STARWHALE can collect data from an infected local host.[2]
Enterprise T1543 .003 创建或修改系统进程: Windows Service

STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem".[1]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM registry key.[2][1]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

STARWHALE has the ability to execute commands via cmd.exe.[1]
.005 命令与脚本解释器: Visual Basic

STARWHALE can use the VBScript function GetRef as part of its persistence mechanism.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

STARWHALE has the ability to contact actor-controlled C2 servers via HTTP.[1][2]
Enterprise T1074 .001 数据分段: Local Data Staging

STARWHALE has stored collected data in a file called stari.txt.[1]
Enterprise T1132 .001 数据编码: Standard Encoding

STARWHALE has the ability to hex-encode collected data from an infected host.[2]
Enterprise T1027 .013 混淆文件或信息: Encrypted/Encoded File

STARWHALE has been obfuscated with hex-encoded strings.[2]
Enterprise T1204 .002 用户执行: Malicious File

STARWHALE has relied on victims opening a malicious Excel file for execution.[2]
Enterprise T1082 系统信息发现

STARWHALE can gather the computer name of an infected host.[1][2]
Enterprise T1033 系统所有者/用户发现

STARWHALE can gather the username from an infected host.[1][2]

Enterprise T1016 系统网络配置发现

STARWHALE has the ability to collect the IP address of an infected host.[2]
Enterprise T1041 通过C2信道渗出

STARWHALE can exfiltrate collected data to its C2 servers.[2]

Groups That Use This Software

ID Name References
G0069 MuddyWater

[2]

References

  1. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
  1. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.