Skip to content

G0089 The White Company

The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.1

Item Value
ID G0089
Associated Names
Version 1.1
Created 02 May 2019
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1203 Exploitation for Client Execution The White Company has taken advantage of a known vulnerability in Microsoft Word (CVE 2012-0158) to execute code.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion The White Company has the ability to delete its malware entirely from the target system.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.002 Software Packing The White Company has obfuscated their payloads through packing.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.1
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery The White Company has checked for specific antivirus products on the target’s computer, including Kaspersky, Quick Heal, AVG, BitDefender, Avira, Sophos, Avast!, and ESET.1
enterprise T1124 System Time Discovery The White Company has checked the current date on the victim system.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File The White Company has used phishing lure documents that trick users into opening them and infecting their computers.1

Software

ID Name References Techniques
S0198 NETWIRE 1 Web Protocols:Application Layer Protocol Application Window Discovery Archive Collected Data Archive via Custom Method:Archive Collected Data Automated Collection XDG Autostart Entries:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Login Items:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Unix Shell:Command and Scripting Interpreter Launch Agent:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Local Data Staging:Data Staged Encrypted Channel Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts Ingress Tool Transfer Keylogging:Input Capture Invalid Code Signature:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Non-Application Layer Protocol Software Packing:Obfuscated Files or Information Obfuscated Files or Information Fileless Storage:Obfuscated Files or Information Spearphishing Attachment:Phishing Spearphishing Link:Phishing Process Discovery Process Injection Process Hollowing:Process Injection Proxy Scheduled Task:Scheduled Task/Job Cron:Scheduled Task/Job Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery Malicious File:User Execution Malicious Link:User Execution Web Service
S0379 Revenge RAT 1 Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Standard Encoding:Data Encoding Indirect Command Execution Ingress Tool Transfer Keylogging:Input Capture OS Credential Dumping Remote Desktop Protocol:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Mshta:System Binary Proxy Execution System Information Discovery System Network Configuration Discovery System Owner/User Discovery Video Capture Bidirectional Communication:Web Service

References

  1. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.