The White Company
The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1203 | Exploitation for Client Execution |
The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code.[1] |
|
| Enterprise | T1070 | .004 | Indicator Removal on Host: File Deletion |
The White Company has the ability to delete its malware entirely from the target system.[1] |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
The White Company has obfuscated their payloads through packing.[1] |
| Enterprise | T1566 | .001 | Phishing: Spearphishing Attachment |
The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.[1] |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[1] |
| Enterprise | T1124 | System Time Discovery |
The White Company has checked the current date on the victim system.[1] |
|
| Enterprise | T1204 | .002 | User Execution: Malicious File |
The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[1] |