Once the initial computer on the targeted organization’s network is infected with Vcrodat, Whitefly begins mapping the network and infecting further computers. In order to carry out this operation, it uses publicly available tools, including Mimikatz (Hacktool.Mimikatz) and an open-source tool (SHA2: 263dc5a8121d20403beeeea452b6f33d51d41c6842d9d19919def1f1cb13226c) that exploits a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers. The attackers rely heavily on tools such as Mimikatz to obtain credentials. Using these credentials, the attackers are able to compromise more machines on the network and, from those machines, again obtain more credentials. They perform this tactic repeatedly until they gain access to the desired data.

Whitefly usually attempts to remain within a targeted organization for long periods of time—often months—in order to steal large volumes of information. It keeps the compromise alive by deploying a number of tools that facilitate communication between the attackers and infected computers. These tools include a simple remote shell tool that will call back to the C&C server and wait for commands, and an open-source hacking tool called Termite (Hacktool.Rootkit), which allows Whitefly to perform more complex actions such as controlling multiple compromised machines at a time.

Additional malware used in selected attacks

In some attacks, Whitefly has used a second piece of custom malware, Trojan.Nibatad. Like Vcrodat, Nibatad is a loader that leverages search order hijacking and downloads an encrypted payload to the infected computer. Also like Vcrodat, the Nibatad payload is designed to facilitate information theft from the infected computer.

While Vcrodat is delivered via the malicious dropper, we have yet to discover how Nibatad is delivered to the infected computer. Why Whitefly uses these two different loaders in some of its attacks remains unknown. And while we have found both Vcrodat and Nibatad inside individual victim organizations, we have not found any evidence of them being used simultaneously on a single computer.

Links to other attacks

Some of the tools that Whitefly has used in its attacks have also been deployed in other targeted attacks outside Singapore.

Between May 2017 and December 2018, a multi-purpose command tool (SHA2: 7de8b8b314f2d2fb54f8f8ad4bba435e8fc58b894b1680e5028c90c0a524ccd9) that has been used by Whitefly was also used in attacks against defense, telecoms, and energy targets in Southeast Asia and Russia. The tool appears to be custom-built and, aside from its use by Whitefly, these were the only other attacks where Symantec has observed its use.

In another case, Vcrodat was also used in an attack on a UK-based organization in the hospitality sector.

It's possible that Whitefly itself performed these attacks, but it's more likely that they were carried out by one or more other groups with access to the same tools.

Adept attackers with a large toolset

It now appears that the SingHealth breach was not a one-off attack and was instead part of a wider pattern of attacks against organizations in the region. Whitefly is a highly adept group with a large arsenal of tools at its disposal, capable of penetrating targeted organizations and maintaining a long-term presence on their networks. Links with attacks in other regions also present the possibility that it may be part of a broader intelligence gathering operation.

Protection/Mitigation

Symantec has the following protections in place to defend customers against these attacks:

File-based protection

Indicators of Compromise