
WhiteShadow

WhiteShadow appears to be what is often called malware-as-a-service: instead of using it privately, its creators have decided to rent it out to potential clients. At its core, WhiteShadow is a Trojan downloader, and most of its activity in 2019 involved delivering the infamous Crimson RAT to targeted systems. However, WhiteShadow is capable of delivering a wide range of other malware to infected hosts, including Remcos, Agent Tesla, Formbook, njRAT and others.

Propagation Via Microsoft Office Attachments

The operators of the WhiteShadow downloader appear to rely mainly on spam email campaigns to propagate this threat. Microsoft Office attachments containing malicious macros seem to be the main infection vector. To get the victim to allow the macros to run after opening the attachment, the attackers tend to use various social engineering methods. If you fall for the deception of the WhiteShadow downloader operators, you may end up in a fair bit of trouble.

Uses an MSSQL Server

WhiteShadow has only basic capabilities for detecting and avoiding sandbox environments, and its obfuscation techniques are not too impressive either. However, unlike most threats of this type, the WhiteShadow downloader does not download its binary from a remote server set up by its operators. Instead, it establishes a connection with a Microsoft SQL database server and sends an SQL query to retrieve an encrypted string. Next, WhiteShadow decrypts the string and stores the result in a ‘.PKZip’ archive file. The archived file is then launched, and the malicious payload begins installing on the compromised host.
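Detection logic for the behaviour described above, added here as an example and not taken from the original page or any vendor tooling: it flags Office processes that open connections to an MSSQL port. The event fields mimic Sysmon Event ID 3; the port (1433, the SQL Server default), the Office process list, the allow-list and the sample events are assumptions constructed for illustration.

```python
import ipaddress

# Assumed list of Office applications whose macros can open network connections.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "msaccess.exe", "mspub.exe"}
MSSQL_PORTS = {1433}                  # SQL Server default; extend if operators use other ports
ALLOWED_DB_SERVERS = {"10.20.0.15"}   # hypothetical sanctioned internal database server
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample events shaped like Sysmon Event ID 3 (network connection).
OFFICE = "C:\\Program Files\\Microsoft Office\\root\\Office16\\"
SAMPLE_EVENTS = [
    {"host": "ws-014", "Image": OFFICE + "WINWORD.EXE", "DestinationIp": "203.0.113.45", "DestinationPort": 1433},
    {"host": "ws-020", "Image": OFFICE + "EXCEL.EXE", "DestinationIp": "10.20.0.15", "DestinationPort": 1433},
    {"host": "ws-031", "Image": "C:\\Tools\\ssms.exe", "DestinationIp": "198.51.100.7", "DestinationPort": 1433},
    {"host": "ws-014", "Image": OFFICE + "WINWORD.EXE", "DestinationIp": "203.0.113.45", "DestinationPort": 443},
    {"host": "ws-044", "Image": OFFICE + "EXCEL.EXE", "DestinationIp": "10.99.3.8", "DestinationPort": 1433},
]

def is_internal(ip):
    """True if the address falls in one of the internal ranges listed above."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def flag_office_mssql(events):
    """Return (host, process, destination, severity) for Office-to-MSSQL connections."""
    findings = []
    for ev in events:
        # Reduce the full image path to a lower-case executable name.
        image = ev["Image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image not in OFFICE_IMAGES or ev["DestinationPort"] not in MSSQL_PORTS:
            continue
        dest = ev["DestinationIp"]
        if dest in ALLOWED_DB_SERVERS:
            continue  # sanctioned database access, e.g. a reporting workbook
        # An Office app querying an external SQL server is the pattern of interest;
        # an internal but unlisted server is still worth a look.
        severity = "medium" if is_internal(dest) else "high"
        findings.append((ev["host"], image, dest, severity))
    return findings

if __name__ == "__main__":
    for finding in flag_office_mssql(SAMPLE_EVENTS):
        print(finding)
```

Because legitimate workbooks and Access front ends do query SQL Server, the allow-list needs to reflect the sanctioned database servers in the environment before this is used for alerting.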

The WhiteShadow Trojan downloader can prove to be a rather nasty pest as it is likely to be rented out and spread by a variety of con artists worldwide. To reduce the risk of becoming a victim of the WhiteShadow downloader, make sure you update all your software regularly and have installed a legitimate anti-malware application.
