Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/6/2019
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Threat Group Using Old Technique to Run Custom Malware

Whitefly is exploiting DLL hijacking with considerable success against organizations since at least 2017, Symantec says.

Whitefly, a previously unknown threat group targeting organizations in Singapore, is the latest to demonstrate just how effective some long-standing attack techniques and tools continue to be for breaking into and maintaining persistence on enterprise networks.

In a report Wednesday, Symantec identified Whitefly as the group responsible for an attack on Singapore healthcare organization SingHealth last July that resulted in the theft of 1.5 million patient records. The attack is one of several that Whitefly has carried out in Singapore since at least 2017.

Whitefly's targets have included organizations in the telecommunications, healthcare, engineering, and media sectors. Most of the victims have been Singapore-based companies, but a handful of multinational firms with operations in the country have been affected as well.

Like many threat groups, Whitefly has been using a combination of custom malware, open source tools, and living-off-the-land tactics in its attacks. One of them is a well-documented technique known as search-order hijacking or DLL load-order attacks.

Whitefly has been consistently using the approach to run a custom malware tool called Vcrodat on compromised systems. Vcrodat is designed to decrypt, load, and launch files to run in memory on victim systems, according to Symantec.

Search-order hijacking is a well-known technique that other attackers have used for quite some time, says Jon DiMaggio, senior threat intelligence analyst at Symantec.

The technique exploits the predictable manner in which Windows loads dynamic link libraries (DLLs) when an application itself does not explicitly specify the path. Attackers can abuse the process to get Windows to load a malicious DLL instead of the legitimate one.

"If the import name of the DLL matches the name of an authorized library, the OS will map the DLL to the process in memory of the victim system," DiMaggio says. With Vcrodat, for instance, what Whitefly frequently has been doing is using DLLs with the same name as DLLs belonging to legitimate security software. "Defeating search order hijacking on its own can be difficult since it is not a recognized vulnerability but instead a legitimate OS component being misused," DiMaggio says.

But security and anti-malware tools exist that can prevent malicious DLLs from running. And keeping apps and operating systems properly patched can mitigate the risk too, he says.

In addition to DLL hijacking, Whitefly has been using other commonly known tools in its attacks as well. For instance, once the group compromises an initial computer, it maps the network and tries to infect other computers. The group has been does this using the open source Mimikatz credential gathering tool and another open source tool that exploits a previously known Windows privilege escalation vulnerability (CVE-2016-0051). "If the victim had patched against this vulnerability, the attack would be unsuccessful and the attacker would be forced to find another infection vector," DiMaggio says.

Whitefly has also been using a combination of legitimate tools such as PowerShell and other publicly available hacking tools — such as those used for penetration testing — to remain undetected on compromised networks for as long as possible.

By living off the land and using tools already in the environment, Whitefly has been blending its malicious activity with traffic and tool use associated with legitimate administrative activity. "Since anyone can download these tools, it's almost impossible to use them for attribution," DiMaggio notes.

Whitefly currently appears to be focused only on organizations in Singapore. But its tactics, techniques, and procedures are similar to those used by numerous other groups, including low-level cybercrime gangs that increasingly have been borrowing ideas from persistent threat actors and state-sponsored players.

Importantly, some of the tools that the group has developed — including Vcrodat and a multipurpose command tool — have been used in attacks outside Singapore. While it is possible that Whitefly was responsible for these attacks, it is more likely that other attackers have access to the same tools, Symantec said in its report.

"Attackers continue to use creative ways to infect targets," DiMaggio says. "Whitefly is persistent and has been successful at compromising targets and maintaining an undetected presence on the victim network for months at a time." For enterprise organizations, such campaigns highlight the need to monitor for both malicious and legitimate activity, he says.

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...