Attacks/Breaches

3/6/2019
04:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

New Threat Group Using Old Technique to Run Custom Malware

Whitefly is exploiting DLL hijacking with considerable success against organizations since at least 2017, Symantec says.

Whitefly, a previously unknown threat group targeting organizations in Singapore, is the latest to demonstrate just how effective some long-standing attack techniques and tools continue to be for breaking into and maintaining persistence on enterprise networks.

In a report Wednesday, Symantec identified Whitefly as the group responsible for an attack on Singapore healthcare organization SingHealth last July that resulted in the theft of 1.5 million patient records. The attack is one of several that Whitefly has carried out in Singapore since at least 2017.

Whitefly's targets have included organizations in the telecommunications, healthcare, engineering, and media sectors. Most of the victims have been Singapore-based companies, but a handful of multinational firms with operations in the country have been affected as well.

Like many threat groups, Whitefly has been using a combination of custom malware, open source tools, and living-off-the-land tactics in its attacks. One of them is a well-documented technique known as search-order hijacking or DLL load-order attacks.

Whitefly has been consistently using the approach to run a custom malware tool called Vcrodat on compromised systems. Vcrodat is designed to decrypt, load, and launch files to run in memory on victim systems, according to Symantec.

Search-order hijacking is a well-known technique that other attackers have used for quite some time, says Jon DiMaggio, senior threat intelligence analyst at Symantec.

The technique exploits the predictable manner in which Windows loads dynamic link libraries (DLLs) when an application itself does not explicitly specify the path. Attackers can abuse the process to get Windows to load a malicious DLL instead of the legitimate one.

"If the import name of the DLL matches the name of an authorized library, the OS will map the DLL to the process in memory of the victim system," DiMaggio says. With Vcrodat, for instance, what Whitefly frequently has been doing is using DLLs with the same name as DLLs belonging to legitimate security software. "Defeating search order hijacking on its own can be difficult since it is not a recognized vulnerability but instead a legitimate OS component being misused," DiMaggio says.

But security and anti-malware tools exist that can prevent malicious DLLs from running. And keeping apps and operating systems properly patched can mitigate the risk too, he says.

In addition to DLL hijacking, Whitefly has been using other commonly known tools in its attacks as well. For instance, once the group compromises an initial computer, it maps the network and tries to infect other computers. The group has been does this using the open source Mimikatz credential gathering tool and another open source tool that exploits a previously known Windows privilege escalation vulnerability (CVE-2016-0051). "If the victim had patched against this vulnerability, the attack would be unsuccessful and the attacker would be forced to find another infection vector," DiMaggio says.

Whitefly has also been using a combination of legitimate tools such as PowerShell and other publicly available hacking tools — such as those used for penetration testing — to remain undetected on compromised networks for as long as possible.

By living off the land and using tools already in the environment, Whitefly has been blending its malicious activity with traffic and tool use associated with legitimate administrative activity. "Since anyone can download these tools, it's almost impossible to use them for attribution," DiMaggio notes.

Whitefly currently appears to be focused only on organizations in Singapore. But its tactics, techniques, and procedures are similar to those used by numerous other groups, including low-level cybercrime gangs that increasingly have been borrowing ideas from persistent threat actors and state-sponsored players.

Importantly, some of the tools that the group has developed — including Vcrodat and a multipurpose command tool — have been used in attacks outside Singapore. While it is possible that Whitefly was responsible for these attacks, it is more likely that other attackers have access to the same tools, Symantec said in its report.

"Attackers continue to use creative ways to infect targets," DiMaggio says. "Whitefly is persistent and has been successful at compromising targets and maintaining an undetected presence on the victim network for months at a time." For enterprise organizations, such campaigns highlight the need to monitor for both malicious and legitimate activity, he says.

Related Content:

  

 

 

Join Dark Reading LIVE for two cybersecurity summits at Interop 2019. Learn from the industry's most knowledgeable IT security experts. Check out the Interop agenda here.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11486
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
CVE-2019-11487
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
CVE-2018-7576
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.
CVE-2018-8825
PUBLISHED: 2019-04-23
Google TensorFlow 1.7 and below is affected by: Buffer Overflow. The impact is: execute arbitrary code (local).
CVE-2019-10688
PUBLISHED: 2019-04-23
VVX products using UCS software version 5.8.0 and earlier with Better Together over Ethernet Connector (BToE) application version 3.8.0 and earlier uses hard-coded credentials to establish a connection between the host application and device.