A previously undisclosed threat actor is targeting government and military organizations in nuclear-armed Pakistan as part of a new, unusually complex espionage campaign, Cylance security researchers warn.
Dubbed “The White Company” by Cylance, the hackers are believed to be a state-sponsored group that has access to zero-day exploits and exploit developers, as well as the resources necessary to evolve, modify, and refine tools and malware.
As part of a year-long, ongoing campaign called Operation Shaheen, The White Company went to unusual lengths to ensure stealth, Cylance says. The actor was able to evade detection by Sophos, ESET, Kaspersky, BitDefender, Avira, Avast!, AVG, and Quick Heal products.
“In this campaign, we watched them turn eight different antivirus products against their owners. Then, oddly, the White Company instructed their code to voluntarily surrender to detection,” the researchers said.
The malware checks whether it is running on the intended system, displays decoy documents to reduce suspicion, and can delete itself. The actor used five different obfuscation (packing) techniques, additional system fingerprinting, and compromised or unattributable infrastructure for command and control (C&C).
The first phase of the campaign employed a relatively dated exploit (for the CVE-2012-0158 vulnerability), publicly available remote access tools (RATs), either purchased or freely available, and external infrastructure for delivery, namely compromised Pakistani websites, including that of the Frontier Works Organization (FWO).
Starting in December 2017, the lure documents arrived with the malware embedded and attempted to exploit CVE-2015-1641. The highly obfuscated payload in this phase also allowed the threat actor to spy on and steal data from its targets, and consisted of two separate stages.
The stage 1 shellcode simply prepares the system for the stage 2 shellcode, which includes mission-specific functions and is likely authored by The White Company itself.
The exploit includes anti-analysis capabilities, checks whether any of eight specific antivirus products are present on the target machine and attempts to evade them, determines the current date, and drops the malware payload.
When the lure document is opened, the exploit launches a new session of Microsoft Word and displays a decoy document, then deletes itself from the system so that it does not trigger a second time. The exploit uses the date check and the previously recorded list of antivirus products to stop the antivirus evasion and essentially surrender to each product, sequentially, over a period of six months.
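The date-gated "surrender" logic described above is worth modelling, because it is exactly the kind of behaviour a sandbox with a frozen clock never observes. The following Python is an added illustration written for this article, not code from Cylance or from the campaign: the surrender dates in the schedule are constructed and hypothetical (the report gives no per-product timeline), and the product list is simply the eight names the article mentions. The `clock_sweep` function shows the analyst-side counterpart: replaying the decision with the clock advanced in fixed steps to find the dates at which the sample's behaviour changes.

```python
from datetime import date, timedelta

# Constructed, hypothetical schedule (not the real Operation Shaheen timeline):
# on or after the listed date the sample stops evading that product and
# lets itself be detected by it.
SURRENDER_SCHEDULE = {
    "Sophos":      date(2018, 1, 1),
    "ESET":        date(2018, 1, 22),
    "Kaspersky":   date(2018, 2, 12),
    "BitDefender": date(2018, 3, 5),
    "Avira":       date(2018, 3, 26),
    "Avast":       date(2018, 4, 16),
    "AVG":         date(2018, 5, 7),
    "Quick Heal":  date(2018, 5, 28),
}


def fingerprint(installed):
    """Return, in schedule order, the subset of the eight products present
    on the host. `installed` is whatever the fingerprinting step reported."""
    return [p for p in SURRENDER_SCHEDULE if p in installed]


def decide(installed, today):
    """Map each detected product to the action taken on `today`:
    'evade' before its surrender date, 'surrender' from that date on."""
    return {
        p: ("surrender" if today >= SURRENDER_SCHEDULE[p] else "evade")
        for p in fingerprint(installed)
    }


def clock_sweep(installed, start, days, step=7):
    """Analyst-side check: re-run the decision with the system date advanced
    in `step`-day increments over `days` days and record every date at which
    the outcome for some product flips. A sandbox that only runs the sample
    once, at a fixed date, would see just the first row of this sweep."""
    changes = []
    prev = decide(installed, start)
    for offset in range(step, days + 1, step):
        today = start + timedelta(days=offset)
        cur = decide(installed, today)
        if cur != prev:
            flipped = [p for p in cur if cur[p] != prev[p]]
            changes.append((today, flipped))
            prev = cur
    return changes


if __name__ == "__main__":
    host = ["Sophos", "ESET", "Notepad++"]  # constructed host inventory
    print(decide(host, date(2017, 12, 15)))
    for when, products in clock_sweep(host, date(2017, 12, 1), 90):
        print(when, "surrender ->", products)
```

The practical takeaway is the sweep, not the schedule: when a sample fingerprints the host and reads the clock, detonate it under several forward-dated clocks (and with different security products present) before concluding that it is inert.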
The spying malware dropped by stage 2 of phase 2 was found to be similar to the RATs delivered in phase 1: heavily obfuscated, modular versions of publicly available Trojans. The malware's purpose was to record keystrokes, steal credentials, access the microphone and camera, and access the desktop remotely.
“Once running, the malware in this campaign relied on a set of roughly half a dozen IP addresses that orchestrated so-called command and control. An analysis of those IPs and domains, including historical domain, DNS, and website registration research, provided no significant insight,” Cylance says.
Given that one of the IP addresses is still active, Operation Shaheen is likely ongoing, the security researchers say. That said, the security firm has not had visibility into the campaign since February 2018.
The threat actor went to great lengths to elude attribution, using tools from different developers and attempting to cover their tracks. However, based on the combination of complex shellcode and heavily obfuscated, publicly available malware, the researchers believe The White Company has not been previously documented.