Currently viewing ATT&CK v14.1 which was live between October 31, 2023 and April 22, 2024.

The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]

ID: G0089
Version: 1.1
Created: 02 May 2019
Last Modified: 30 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1203 Exploitation for Client Execution

The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE-2012-0158) to execute code.[1]

Enterprise T1070.004 Indicator Removal: File Deletion

The White Company has the ability to delete its malware entirely from the target system.[1]

Enterprise T1027.002 Obfuscated Files or Information: Software Packing

The White Company has obfuscated their payloads through packing.[1]

Enterprise T1566.001 Phishing: Spearphishing Attachment

The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.[1]

Enterprise T1518.001 Software Discovery: Security Software Discovery

The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.[1]

Enterprise T1124 System Time Discovery

The White Company has checked the current date on the victim system.[1]

Enterprise T1204.002 User Execution: Malicious File

The White Company has used phishing lure documents that trick users into opening them and infecting their computers.[1]

Software

ID Name References Techniques
S0198 NETWIRE [1] Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data: Archive via Custom Method, Archive Collected Data, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Unix Shell, Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Launch Agent, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Staged: Local Data Staging, Encrypted Channel: Symmetric Cryptography, Encrypted Channel, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Match Legitimate Name or Location, Masquerading: Invalid Code Signature, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Obfuscated Files or Information: Fileless Storage, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection, Process Injection: Process Hollowing, Proxy, Scheduled Task/Job: Cron, Scheduled Task/Job: Scheduled Task, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, User Execution: Malicious File, User Execution: Malicious Link, Web Service
S0379 Revenge RAT [1] Audio Capture, Boot or Logon Autostart Execution: Winlogon Helper DLL, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, Indirect Command Execution, Ingress Tool Transfer, Input Capture: Keylogging, OS Credential Dumping, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, Screen Capture, System Binary Proxy Execution: Mshta, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery, Video Capture, Web Service: Bidirectional Communication

References