S1037 STARWHALE
STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Go with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.[2][1]
Item | Value |
---|---|
ID | S1037 |
Associated Names | CANOPY |
Type | MALWARE |
Version | 1.0 |
Created | 18 August 2022 |
Last Modified | 14 October 2022 |
Associated Software Descriptions
Name | Description |
---|---|
CANOPY | [1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | STARWHALE can contact actor-controlled C2 servers over HTTP.[2][1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | STARWHALE can establish persistence by installing itself in the Startup folder; the Go variant instead creates the registry value HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM.[1][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | STARWHALE can execute commands via cmd.exe.[2] |
enterprise | T1059.005 | Visual Basic | STARWHALE can use the VBScript function GetRef as part of its persistence mechanism.[2] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | STARWHALE can create the following Windows service, which runs the WSF backdoor through cscript.exe as LocalSystem at boot, to establish persistence on an infected host: sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe c:\windows\system32\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem".[2] |
enterprise | T1132 | Data Encoding | - |
enterprise | T1132.001 | Standard Encoding | STARWHALE can hex-encode data collected from an infected host.[1] |
enterprise | T1005 | Data from Local System | STARWHALE can collect data from the infected local host.[1] |
enterprise | T1074 | Data Staged | - |
enterprise | T1074.001 | Local Data Staging | STARWHALE has stored collected data in a file called stari.txt.[2] |
enterprise | T1041 | Exfiltration Over C2 Channel | STARWHALE can exfiltrate collected data to its C2 servers.[1] |
enterprise | T1027 | Obfuscated Files or Information | STARWHALE has been obfuscated with hex-encoded strings.[1] |
enterprise | T1082 | System Information Discovery | STARWHALE can gather the computer name of an infected host.[2][1] |
enterprise | T1016 | System Network Configuration Discovery | STARWHALE can collect the IP address of an infected host.[1] |
enterprise | T1033 | System Owner/User Discovery | STARWHALE can gather the username from an infected host.[2][1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | STARWHALE has relied on victims opening a malicious Excel file for execution.[1] |
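The persistence and execution rows above (T1543.003, T1547.001, T1059.003) give concrete host artifacts: a service named Windowscarpstss whose binary path runs cmd.exe /c cscript.exe against a .wsf file, a Run value named OutlookM, and a script placed in the Startup folder. The following detection logic, added here as an example and not code from MITRE ATT&CK or from either cited report, turns those artifacts into rules and runs them over constructed sample records. It assumes the telemetry arrives as JSON lines with Sysmon field names (Event IDs 1, 11, 13) plus a Security 4697 service-installation event; the record contents, the Startup-folder file name and the JSON export format are assumptions of this example, not observations from the reports.

```python
"""Detection rules for the STARWHALE persistence/execution artifacts on this page.

Added example, not from MITRE ATT&CK or the cited reports. Assumes Sysmon-style
events (IDs 1, 11, 13) and Security 4697 exported as JSON lines; the sample
records below are constructed for this example and are not real telemetry.
"""
import json
import re

# Indicators taken from the technique table on this page.
SERVICE_NAME = "windowscarpstss"                      # T1543.003, compared case-insensitively
RUN_VALUE_RE = re.compile(                            # Go variant's Run value (T1547.001)
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM$", re.I)
WSF_CHAIN_RE = re.compile(                            # cmd.exe /c cscript.exe <path>.wsf (T1059.003)
    r"\bcmd(\.exe)?\s+/c\s+cscript(\.exe)?\s+\S+\.wsf\b", re.I)
SC_CREATE_RE = re.compile(r"\bsc(\.exe)?\s+create\s+(\S+)", re.I)
STARTUP_WSF_RE = re.compile(                          # a .wsf dropped in a Startup folder (file name assumed)
    r"\\Start Menu\\Programs\\Startup\\[^\\]+\.wsf$", re.I)


def classify(event: dict) -> list[str]:
    """Return the ATT&CK technique IDs whose STARWHALE indicators this event matches."""
    hits = []
    eid = event.get("EventID")
    cmd = event.get("CommandLine", "")
    if eid == 1:                                      # Sysmon: process creation
        if WSF_CHAIN_RE.search(cmd):
            hits.append("T1059.003")
        m = SC_CREATE_RE.search(cmd)
        if m and (m.group(2).lower() == SERVICE_NAME or WSF_CHAIN_RE.search(cmd)):
            hits.append("T1543.003")
    elif eid == 4697:                                 # Security: a service was installed
        svc = event.get("ServiceName", "").lower()
        if svc == SERVICE_NAME or WSF_CHAIN_RE.search(event.get("ServiceFileName", "")):
            hits.append("T1543.003")
    elif eid == 13 and RUN_VALUE_RE.search(event.get("TargetObject", "")):
        hits.append("T1547.001")                      # Sysmon: registry value set
    elif eid == 11 and STARTUP_WSF_RE.search(event.get("TargetFilename", "")):
        hits.append("T1547.001")                      # Sysmon: file created
    return hits


def scan(lines) -> list[tuple[int, list[str]]]:
    """Parse JSON event lines and return (line_index, techniques) for every line that matches."""
    results = []
    for i, line in enumerate(lines):
        techniques = classify(json.loads(line))
        if techniques:
            results.append((i, techniques))
    return results


# Constructed sample records (not real telemetry); paths and names reuse the values on this page.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\sc.exe", "CommandLine": "sc create Windowscarpstss binpath= \"cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale\" start= auto obj= LocalSystem"}',
    r'{"EventID": 4697, "ServiceName": "Windowscarpstss", "ServiceFileName": "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale", "StartType": "auto start"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale"}',
    r'{"EventID": 13, "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM", "Details": "C:\\Users\\u\\AppData\\Roaming\\outlookm.exe"}',
    r'{"EventID": 11, "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.wsf"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\cscript.exe", "CommandLine": "cscript.exe C:\\Scripts\\inventory.vbs"}',  # benign
]

if __name__ == "__main__":
    for idx, techniques in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(techniques)}")
```

The service rule fires on either record of the install (the sc.exe process creation or the 4697 event), so coverage does not depend on which log source a given host forwards; the cmd.exe /c cscript.exe *.wsf chain is matched on its own as well, since the service name is trivially renamed while the launch chain is what the backdoor needs. The last sample (a plain cscript.exe run of a .vbs) produces no hit, which is the false-positive check a practitioner should keep alongside such rules.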
Groups That Use This Software
ID | Name | References |
---|---|---|
G0069 | MuddyWater | [1] |
References
- [1] FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- [2] Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.