
WhiteShadow

Posted: October 1, 2019

WhiteShadow is a Trojan downloader that drops other threats onto the PC, including spyware and backdoor Trojans. It uses SQL servers for its download repositories and may arrive through e-mail phishing lures involving documents. Let your anti-malware utilities uninstall WhiteShadow, if necessary, and monitor e-mail activity and firewall policies for possible weak points.

Using Servers for Evil, Flexibly

Developments in a months-old Trojan's deployment are making it evident that the threat isn't just a tool for a single threat actor, but a mercenary for hire. WhiteShadow uses semi-innovative techniques to provide downloading and installation services for multiple threats, presumably at the behest of other criminals. While its delivery mechanism is reasonably innovative, the way WhiteShadow itself circulates is cliché, which underscores the importance of adhering to e-mail security protocols.

WhiteShadow is a Trojan downloader whose history includes installing various Trojans and credential-collecting threats, such as the AZORult password collector (which also drops via the STOP Ransomware family), njRAT, Remcos, and the Crimson Remote Access Trojan. The common theme among these Trojans is either collecting private information or opening a backdoor, giving a remote attacker the 'keys to the car' for the computer.

WhiteShadow's downloading routine uses SQLOLEDB connectors – part of most Microsoft Office installations – for contacting an MSSQL server that the threat actors either own or control through other means. It saves a string from the server into a PKZip executable, which it launches for installing the second-stage threat automatically. Unauthorized TCP port 1433 activity is a possible symptom of WhiteShadow's illicit downloading activities.
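The TCP 1433 symptom above can be turned into a simple detection: an Office process (the host of the macro) opening an MSSQL connection to a server that is not a known internal database is worth an alert. The following is an added example, not code from the original page or from any vendor; the log layout and the sample lines are constructed for illustration, and the allow-list of internal SQL hosts is an assumption so that legitimate Excel-to-database connections do not fire.

```python
# Added example: flag Microsoft Office processes that open outbound TCP 1433 (MSSQL)
# connections, the network symptom described in the text. The log field layout
# ("<timestamp> proc=<image> pid=<n> dst=<ip>:<port> proto=<tcp|udp>") and the
# sample lines are constructed for this example, not taken from a real product.
import re
from dataclasses import dataclass

OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
MSSQL_PORT = 1433

LOG_RE = re.compile(
    r"^(?P<ts>\S+) proc=(?P<proc>\S+) pid=(?P<pid>\d+) "
    r"dst=(?P<ip>[\d.]+):(?P<port>\d+) proto=(?P<proto>\w+)$"
)


@dataclass
class Alert:
    ts: str
    proc: str
    pid: int
    dst: str


def is_suspicious(proc, port, proto, dst_ip, internal_sql_hosts):
    """Office process speaking MSSQL to a host that is not an allow-listed internal SQL server."""
    return (proto.lower() == "tcp" and port == MSSQL_PORT
            and proc.lower() in OFFICE_PROCESSES
            and dst_ip not in internal_sql_hosts)


def scan(lines, internal_sql_hosts=frozenset()):
    """Return one Alert per log line matching the Office-to-MSSQL pattern; unparseable lines are skipped."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        if is_suspicious(m["proc"], int(m["port"]), m["proto"], m["ip"], internal_sql_hosts):
            alerts.append(Alert(m["ts"], m["proc"], int(m["pid"]), f"{m['ip']}:{m['port']}"))
    return alerts


# Constructed sample log: documentation-range IPs, no real hosts.
SAMPLE_LOG = """\
2019-10-01T09:12:03Z proc=WINWORD.EXE pid=4120 dst=203.0.113.45:1433 proto=tcp
2019-10-01T09:12:05Z proc=chrome.exe pid=2210 dst=198.51.100.7:443 proto=tcp
2019-10-01T09:12:09Z proc=sqlservr.exe pid=1180 dst=10.0.0.5:1433 proto=tcp
2019-10-01T09:13:11Z proc=EXCEL.EXE pid=5003 dst=10.0.0.5:1433 proto=tcp
2019-10-01T09:14:00Z proc=WINWORD.EXE pid=4120 dst=203.0.113.45:1433 proto=udp
""".splitlines()

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG, internal_sql_hosts={"10.0.0.5"}):
        print(f"{a.ts} {a.proc} (pid {a.pid}) -> {a.dst}: Office process contacting MSSQL")
```

Without the allow-list the Excel connection to the internal server also fires, which is the false-positive class a deployment would need to tune for.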

Cutting Back on the Long-Casting Shadows of Trojan Businesses

While SQL server exploitation isn't a fresh innovation in Trojan campaigns, its use is rare enough that malware experts consider it worth noting. On the other hand, the means WhiteShadow uses for gaining access to a PC in the first place is far from original. Its threat actors depend on phishing techniques and use e-mail messages with convincing content to trick victims into opening corrupted attachments. WhiteShadow runs after the user enables a series of embedded macros, such as in a Microsoft Word document.

For security reasons, most products that support macros, including Microsoft Office, disable them by default. Workers should understand the importance of recognizing phishing attacks, as well, including ones with personalized content for both the recipient and the industry or organization. Not enabling the macro gives WhiteShadow no purchase for initially compromising the system and delivering its second-stage, whatever that might be.

Windows users can protect themselves additionally by keeping anti-malware services available for removing WhiteShadow, identifying corrupted e-mails or attachments, and keeping a close watch on their downloading habits.

WhiteShadow's deployment isn't reaching large numbers, but 'small,' for a Trojan downloader's business, still encompasses hundreds or thousands of victims. Keeping Trojans from gaining a foothold is far easier than undoing all the problems they cause once they get inside.
