Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

3/6/2019
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Threat Group Using Old Technique to Run Custom Malware

Whitefly is exploiting DLL hijacking with considerable success against organizations since at least 2017, Symantec says.

Whitefly, a previously unknown threat group targeting organizations in Singapore, is the latest to demonstrate just how effective some long-standing attack techniques and tools continue to be for breaking into and maintaining persistence on enterprise networks.

In a report Wednesday, Symantec identified Whitefly as the group responsible for an attack on Singapore healthcare organization SingHealth last July that resulted in the theft of 1.5 million patient records. The attack is one of several that Whitefly has carried out in Singapore since at least 2017.

Whitefly's targets have included organizations in the telecommunications, healthcare, engineering, and media sectors. Most of the victims have been Singapore-based companies, but a handful of multinational firms with operations in the country have been affected as well.

Like many threat groups, Whitefly has been using a combination of custom malware, open source tools, and living-off-the-land tactics in its attacks. One of them is a well-documented technique known as search-order hijacking or DLL load-order attacks.

Whitefly has been consistently using the approach to run a custom malware tool called Vcrodat on compromised systems. Vcrodat is designed to decrypt, load, and launch files to run in memory on victim systems, according to Symantec.

Search-order hijacking is a well-known technique that other attackers have used for quite some time, says Jon DiMaggio, senior threat intelligence analyst at Symantec.

The technique exploits the predictable manner in which Windows loads dynamic link libraries (DLLs) when an application itself does not explicitly specify the path. Attackers can abuse the process to get Windows to load a malicious DLL instead of the legitimate one.

"If the import name of the DLL matches the name of an authorized library, the OS will map the DLL to the process in memory of the victim system," DiMaggio says. With Vcrodat, for instance, what Whitefly frequently has been doing is using DLLs with the same name as DLLs belonging to legitimate security software. "Defeating search order hijacking on its own can be difficult since it is not a recognized vulnerability but instead a legitimate OS component being misused," DiMaggio says.

But security and anti-malware tools exist that can prevent malicious DLLs from running. And keeping apps and operating systems properly patched can mitigate the risk too, he says.

In addition to DLL hijacking, Whitefly has been using other commonly known tools in its attacks as well. For instance, once the group compromises an initial computer, it maps the network and tries to infect other computers. The group has been does this using the open source Mimikatz credential gathering tool and another open source tool that exploits a previously known Windows privilege escalation vulnerability (CVE-2016-0051). "If the victim had patched against this vulnerability, the attack would be unsuccessful and the attacker would be forced to find another infection vector," DiMaggio says.

Whitefly has also been using a combination of legitimate tools such as PowerShell and other publicly available hacking tools — such as those used for penetration testing — to remain undetected on compromised networks for as long as possible.

By living off the land and using tools already in the environment, Whitefly has been blending its malicious activity with traffic and tool use associated with legitimate administrative activity. "Since anyone can download these tools, it's almost impossible to use them for attribution," DiMaggio notes.

Whitefly currently appears to be focused only on organizations in Singapore. But its tactics, techniques, and procedures are similar to those used by numerous other groups, including low-level cybercrime gangs that increasingly have been borrowing ideas from persistent threat actors and state-sponsored players.

Importantly, some of the tools that the group has developed — including Vcrodat and a multipurpose command tool — have been used in attacks outside Singapore. While it is possible that Whitefly was responsible for these attacks, it is more likely that other attackers have access to the same tools, Symantec said in its report.

"Attackers continue to use creative ways to infect targets," DiMaggio says. "Whitefly is persistent and has been successful at compromising targets and maintaining an undetected presence on the victim network for months at a time." For enterprise organizations, such campaigns highlight the need to monitor for both malicious and legitimate activity, he says.

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
7 Ways VPNs Can Turn from Ally to Threat
Curtis Franklin Jr., Senior Editor at Dark Reading,  9/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16695
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter.php table parameter when action=add is used.
CVE-2019-16696
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/edit.php table parameter when action=add is used.
CVE-2018-21018
PUBLISHED: 2019-09-22
Mastodon before 2.6.3 mishandles timeouts of incompletely established sessions.
CVE-2019-16692
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/filter-result.php table parameter when action=add is used.
CVE-2019-16693
PUBLISHED: 2019-09-22
phpIPAM 1.4 allows SQL injection via the app/admin/custom-fields/order.php table parameter when action=add is used.