Whitefly: Espionage Group has Singapore in Its Sights
(Mar 6, 2019)
A threat group called "Whitefly" has been attributed to the July 2018 breach of the Singaporean company SingHealth, and is suspected of continuing to conduct attacks against organisations based in Singapore, according to Symantec researchers. The group uses spear phishing emails as its initial infection vector; the emails carry malicious images or documents that pretend to be relevant to the recipient's organisation in order to increase the likelihood of their being opened. If an attachment is opened, a trojan is downloaded onto the machine, which is used to escalate privileges and then contact the Command and Control (C2) server. The C2 server then instructs the trojan to download additional malicious tools, including Mimikatz, custom-made information-stealing malware, and the open-source tool "Termite," which gives Whitefly the ability to carry out more complex actions such as controlling multiple compromised machines at a time. The threat group is considered sophisticated because of its ability to maintain a presence on a network for a long time before being discovered.
Recommendation: Defence-in-depth (layering of security mechanisms, redundancy, and fail-safe defence processes) is the best way to protect against APTs, and should include a focus on both network-based and host-based security. Prevention and detection capabilities should also be in place. Furthermore, all employees should be educated on the risks of spear phishing and how to identify such attempts.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.