G0107 Whitefly

Whitefly is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.[1]

| Item | Value |
|---|---|
| ID | G0107 |
| Associated Names | |
| Version | 1.1 |
| Created | 26 May 2020 |
| Last Modified | 12 October 2021 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | Whitefly has used a simple remote shell tool that will call back to the C2 server and wait for commands.[1] |
| enterprise | T1068 | Exploitation for Privilege Escalation | Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.[1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Whitefly has used search order hijacking to run the loader Vcrodat.[1] |
| enterprise | T1105 | Ingress Tool Transfer | Whitefly has the ability to download additional tools from the C2.[1] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Whitefly has encrypted the payload used for C2.[1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Whitefly has obtained and used tools such as Mimikatz.[1] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | Whitefly has used Mimikatz to obtain credentials.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | Whitefly has used malicious .exe or .dll files disguised as documents or images.[1] |

Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0002 | Mimikatz | [1] | SID-History Injection:Access Token Manipulation; Account Manipulation; Security Support Provider:Boot or Logon Autostart Execution; Credentials from Password Stores; Windows Credential Manager:Credentials from Password Stores; Credentials from Web Browsers:Credentials from Password Stores; LSASS Memory:OS Credential Dumping; DCSync:OS Credential Dumping; Security Account Manager:OS Credential Dumping; LSA Secrets:OS Credential Dumping; Rogue Domain Controller; Steal or Forge Authentication Certificates; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; Private Keys:Unsecured Credentials; Pass the Ticket:Use Alternate Authentication Material; Pass the Hash:Use Alternate Authentication Material |

References