Whitefly threat actor group linked to the massive SingHealth data breach from 2018

• Whitefly cybercriminal group has been active since at least 2017.
• Its target includes organizations in the telecommunications, healthcare, engineering and media sectors.

New details regarding the massive data breach that occurred at Singapore’s SingHealth and resulted in the theft of 1.5 million patient records have emerged recently. Whitefly, a previously unknown threat actor group has been held responsible for the attack.

The big picture - In a detailed reported, Symantec identified that Whitefly threat actor group was behind the attack on Singapore’s healthcare organization SingHealth. The attack occurred in July 2018.

Whitefly cybercriminal group has been active since at least 2017 and its target includes organizations in the telecommunications, healthcare, engineering and media sectors. Most of these companies are based in Singapore. It is primarily interested in stealing a large amount of sensitive information.

How did they operate - Whitefly compromises their victims using both custom malware and open-source hacking tools. It also uses living off the land tactics, such as malicious Powershell scripts to launch its attack.

The general infection process of Whitefly is initiated by using a dropper that arrives in the form of malicious .exe or .dll files. In order to evade suspicion, these files are distributed as documents or images and purport to offer information on job openings.

Once the dropper is opened, it runs a loader known as Trojan.Vcrodat on the computer.

“Whitefly has consistently used a technique known as search order hijacking to run Vcrodat. This technique takes advantage of the fact that Windows does not require an application to provide a specific path for a DLL that it wishes to load,” Symantec explained.

The group leverages search order hijacking to assure that its malicious DLLs will be executed. Targeting security applications could allow the attackers to gain higher privileges for the malware, since the vendor’s component may be run with elevated privileges.

Once the Vcrodat trojan is launched, it loads an encrypted payload on victims’ computers. The payload contacts a C2 domain in order to download additional tools.

Whitefly usually attempts to remain within a targeted organization for long periods of time—often months—in order to steal large volumes of information. It keeps the compromise alive by deploying a number of tools that facilitate communication between the attackers and infected computers.

Additional malware used in selected attacks - In some attacks, Whitefly threat actor group has used another custom malware named Trojan.Nibatad. Like Vcrodat, Nibatad is also a loader that leverages search order hijacking. It downloads an encrypted payload on to the infected computers and facilitates the attackers to conduct information theft.

Whitefly currently appears to focus on targeting organizations in Singapore. However, its tactics, techniques, and procedures are similar to those used by several other threat actor groups.