New Ransomware Spotted: White Rabbit and Its Evasion Tactics

Trend Micro -

New Ransomware Spotted: White Rabbit and Its Evasion Tactics


We analyze the ransomware White Rabbit and bring into focus the familiar evasion tactics employed by this newcomer.

By: Arianne Dela Cruz, Bren Matthew Ebriega, Don Ovid Ladores, Mary Yambao January 18, 2022 Read time:  ( words)

We spotted the new ransomware family White Rabbit discretely making a name for itself by executing an attack on a local US bank in December 2021. This newcomer takes a page from Egregor, a more established ransomware family, in hiding its malicious activity and carries a potential connection to the advanced persistent threat (APT) group FIN8.

Use of a command-line password

One of the most notable aspects of White Rabbit’s attack is how its payload binary requires a specific command-line password to decrypt its internal configuration and proceed with its ransomware routine. This method of hiding malicious activity is a trick that the ransomware family Egregor uses to hide malware techniques from analysis. 

White Rabbit’s payload is inconspicuous at first glance, being a small file of around 100 KB with no notable strings and seemingly no activity. The telltale sign of its malicious origin is the presence of strings for logging, but the actual behavior would not be easily observed without the correct password.

Figure 1. SysTracer showing the command line used to execute the ransomware

Read More: