Researchers at Symantec have identified a new cyber espionage group, called Whitefly, which they believe is responsible for a string of cyber attacks targeting Singapore-based organizations, including the widely reported SingHealth data breach.

The researchers believe the group has been active in the region since 2017 and that it targets multinational organizations with a presence in the city-state. The SingHealth breach, made public in July 2018, was the largest data breach in Singapore's history: those responsible accessed 1.5 million patient records.

Symantec said the group's main goal is to steal large amounts of sensitive information from Singapore-based targets. To do so it employs custom malware, open-source hacking tools and living-off-the-land tactics, including malicious PowerShell scripts.

The group mainly targets organizations in the healthcare, media, telecommunications and engineering sectors. It gains its initial foothold with a "dropper": a malicious .exe or .dll file disguised as a document or image. The lures are usually job offers or documents purporting to come from another organization in the same industry as the victim.

The malicious files are sent to victims by email. Opening the file infects the system with malware known as Trojan.Vcrodat, which can remain undetected for long periods while stealing large volumes of information.
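The two paragraphs above describe the dropper as an executable or DLL dressed up as a document or image and delivered by email. A mail gateway or triage script can catch that disguise without any knowledge of the specific malware: the content of a file and the type its name claims should agree. The following Python is an added example written for this article, not code from Symantec or from the Whitefly report; the file names, the magic-byte table and the minimal PE header it builds are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass, field

# Extensions grouped by what a lure typically claims to be (constructed lists).
DOCUMENT_EXTS = {"doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "rtf", "txt"}
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif", "bmp"}
EXECUTABLE_EXTS = {"exe", "dll", "scr", "com", "pif", "cpl"}

# Leading bytes of common benign formats (a small, constructed table).
MAGIC = [
    (b"%PDF-", "pdf"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls container
    (b"PK\x03\x04", "zip"),                           # also .docx/.xlsx containers
]


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def sniff_type(data: bytes) -> str:
    """Classify content by its bytes, ignoring the file name entirely."""
    if is_pe(data):
        return "pe"
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


@dataclass
class Verdict:
    filename: str
    claimed_ext: str
    actual: str
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage(filename: str, data: bytes) -> Verdict:
    """Compare the name's claimed type with the sniffed content (filename is a bare basename)."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)
    reasons = []
    if ext in EXECUTABLE_EXTS:
        reasons.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS | IMAGE_EXTS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    if actual == "pe" and ext not in EXECUTABLE_EXTS:
        reasons.append(f"content is a Windows PE but name claims .{ext or '(none)'}")
    if "\u202e" in filename:  # right-to-left override reverses the displayed extension
        reasons.append("right-to-left override character in filename")
    return Verdict(filename, ext, actual, reasons)


def make_pe_stub() -> bytes:
    """Constructed minimal PE-shaped header (not a runnable program) for testing is_pe()."""
    hdr = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> offset 0x40
    hdr += b"PE\x00\x00"                          # NT signature at that offset
    return bytes(hdr)


# Constructed sample "attachments" in the style of the lures described above.
SAMPLES = {
    "Job_Opening_Details.pdf.exe": make_pe_stub(),   # double extension, PE content
    "Vendor_Quotation.dll": make_pe_stub(),          # DLL sent as a "document"
    "site_photo.jpg": make_pe_stub(),                # PE content behind an image name
    "Quarterly_Report.pdf": b"%PDF-1.7\n%constructed\n",  # genuine-looking PDF
}


def triage_all(samples: dict) -> dict:
    """Return only the attachments that warrant a closer look."""
    return {name: triage(name, data) for name, data in samples.items() if triage(name, data).suspicious}


if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        print(f"{name}: content={verdict.actual}; " + "; ".join(verdict.reasons))
```

The check deliberately keys on the strongest signal first: a PE signature under a document or image name is a disguise regardless of how plausible the lure text is. The magic table is intentionally short; a production gateway would use a full file-type library, but the name-versus-content comparison is the part that matters.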

Symantec said the group does this by deploying a number of tools that facilitate communication between the attackers and infected computers. One is a simple remote shell tool that calls back to the command-and-control (C&C) server and waits for commands. Another, the open-source hacking tool Termite, allows Whitefly to perform more complex actions such as controlling multiple compromised machines at once.

A second piece of malware, Trojan.Nibatad, is used in some attacks. It acts as a loader that leverages search order hijacking and downloads an encrypted payload to the infected computer. Like Vcrodat, it is designed to facilitate information theft from the compromised machine.
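Search order hijacking, as used by the Nibatad loader above, works because Windows looks for a DLL in the loading application's own directory before it looks in the system directories, so a DLL planted beside a legitimate executable is picked up first. The telemetry a defender already collects (for example Sysmon's ImageLoad events, event ID 7) is enough to spot the pattern: a DLL with a system-library name loading from somewhere other than the system directories, or from a user-writable path. The Python below is an added example for this article, not Symantec's detection logic; the DLL name list, directory paths and image-load events are constructed and do not come from the Whitefly report.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which Windows is expected to resolve its own libraries (constructed, lower-case).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows"}

# Names of libraries that normally live in the system directory. A DLL with one of these
# names loaded from anywhere else is the classic search-order-hijack indicator. Constructed list.
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptsp.dll", "wininet.dll", "profapi.dll"}

# Path fragments that mark locations an unprivileged user can write to (constructed).
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\programdata\\")


@dataclass(frozen=True)
class ImageLoad:
    """One image-load event: the process that loaded a module and the module's full path."""
    process: str
    image: str


def parent_dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def hijack_indicators(event: ImageLoad) -> list:
    """Return the reasons (possibly none) an image-load looks like search order hijacking."""
    name = PureWindowsPath(event.image).name.lower()
    dll_dir = parent_dir(event.image)
    reasons = []
    if name in SYSTEM_DLL_NAMES and dll_dir not in SYSTEM_DIRS:
        reasons.append(f"system library name {name} resolved from {dll_dir} instead of a system directory")
    if any(hint in dll_dir + "\\" for hint in USER_WRITABLE_HINTS):
        reasons.append(f"DLL loaded from user-writable path {dll_dir}")
    return reasons


def scan(events) -> list:
    """Filter a stream of image-load events down to the ones with at least one indicator."""
    return [(e, hijack_indicators(e)) for e in events if hijack_indicators(e)]


# Constructed events: one clean system load, one vendor DLL beside its own app,
# one system-named DLL planted in a vendor directory, one dropper directory in %TEMP%.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\version.dll"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\vendorhelper.dll"),
    ImageLoad(r"C:\Program Files\Vendor\app.exe", r"C:\Program Files\Vendor\dwmapi.dll"),
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll"),
]


if __name__ == "__main__":
    for event, reasons in scan(SAMPLE_EVENTS):
        print(f"{event.process} -> {event.image}")
        for r in reasons:
            print("   ", r)
```

Two caveats a practitioner should keep in mind: legitimate software does ship private DLLs in its own directory (the second sample event is clean and stays clean), so the name list has to be limited to libraries that genuinely belong to Windows, and some vendors redistribute system-named DLLs, which makes the first indicator a lead to verify by hash and signature rather than a conviction on its own.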

Unlike Vcrodat, which is delivered by a malicious dropper, Symantec was unable to determine how Nibatad is delivered to infected systems. The company also found no evidence of the two pieces of malware being used together on a single computer.