Another malware downloader, named "WhiteShadow", has emerged on the cyber threat landscape. It abuses Microsoft SQL queries to deliver malicious payloads to infected machines. WhiteShadow spreads through malspam campaigns that deliver emails carrying malicious Microsoft Word and Excel attachments, or a URL that leads to them. These documents embed malicious Visual Basic macros bundled with the downloader; once the macros are enabled, they establish a connection through the Microsoft OLE DB Provider for SQL Server (SQLOLEDB) to an attacker-controlled MS SQL server, and WhiteShadow then downloads and installs the final malicious payloads. The following payloads are dropped on victim systems from the attacker-controlled MS SQL servers by the WhiteShadow downloader:
· Crimson – the most frequently delivered payload.
· Orion Logger
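Because the macro reaches the attacker's MS SQL server through SQLOLEDB, the infection chain shows up in endpoint telemetry as an Office application opening a TCP connection to a SQL Server port. The following detection routine is an added example written for this advisory, not code from the original page or from any vendor; it assumes Sysmon-style network-connection events (Event ID 3) exported as one JSON object per line, the default MS SQL port 1433, and the field names shown in the constructed sample log.

```python
import json

# Office applications whose macros WhiteShadow abuses to open the SQLOLEDB connection.
OFFICE_PROCESSES = {"winword.exe", "excel.exe"}
# Default MS SQL Server TCP port (assumption: an attacker's listener may use another port).
MSSQL_PORT = 1433


def is_office_to_mssql(event: dict) -> bool:
    """Return True for a Sysmon Event ID 3 (network connection) record in which an
    Office process initiates an outbound TCP connection to the MS SQL port."""
    if event.get("EventID") != 3:
        return False
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    return (
        image in OFFICE_PROCESSES
        and event.get("Protocol", "").lower() == "tcp"
        and event.get("Initiated") is True
        and int(event.get("DestinationPort", 0)) == MSSQL_PORT
    )


def find_suspicious(log_lines):
    """Parse one JSON event per line, skip blank or malformed lines,
    and return the events that match the Office-to-MSSQL pattern."""
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed telemetry line; ignore rather than crash the scan
        if is_office_to_mssql(event):
            hits.append(event)
    return hits


# Constructed sample log (not real telemetry); the addresses are documentation ranges.
SAMPLE_LOG = r"""
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Protocol": "tcp", "Initiated": true, "DestinationIp": "203.0.113.10", "DestinationPort": 1433}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "Protocol": "tcp", "Initiated": true, "DestinationIp": "198.51.100.5", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe", "Protocol": "tcp", "Initiated": true, "DestinationIp": "10.0.0.5", "DestinationPort": 1433}
{"EventID": 1, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"}
"""

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"ALERT: {hit['Image']} -> {hit['DestinationIp']}:{hit['DestinationPort']}")
```

Only the first sample event matches: WINWORD.EXE initiating a connection to port 1433, whereas Excel talking HTTPS and the SQL Server service itself are ignored.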
- Monitor connection attempts towards the listed domains/IPs. The list may also include compromised domains and IP resources. Blocking the domains/IPs is solely the recipient's responsibility, after diligently verifying them so that operations are not impacted.
- Deploy web and email filters on the network. Configure these devices to scan for known bad domains, sources, and addresses, and block them before messages are received and downloaded. Scan all emails, attachments, and downloads both on the host and at the mail gateway with a reputable antivirus solution.
- Enforce application whitelisting on all endpoint workstations. This will prevent droppers or unauthorized software from gaining execution on endpoints.
- Restrict execution of PowerShell/WScript in the enterprise environment. Ensure installation and use of the latest version (currently v5.0) of PowerShell, with enhanced logging enabled: script block logging and transcription. Send the associated logs to a centralized log repository for monitoring and analysis.
- Maintain up-to-date antivirus signatures and engines.
- Keep operating system patches up-to-date.
- Use the Loki or IOCFinder tool to scan workstations [https://github.com/Neo23x0/Loki].