Clambling
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Clambling has the ability to bypass UAC using a `passuac.dll` file.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Clambling has the ability to communicate over HTTP.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Clambling can establish persistence by adding a Registry run key.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | The Clambling dropper can use PowerShell to download the malware.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Clambling can use cmd.exe for command execution.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Clambling can register itself as a system service to gain persistence.(Citation: Talent-Jump Clambling February 2020)
Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Clambling can send files from a victim's machine to Dropbox.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Clambling has the ability to set its file attributes to hidden.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Clambling can store a file named `mpsvc.dll`, which opens a malicious `mpsvc.mui` file, in the same folder as the legitimate Microsoft executable `MsMpEng.exe` to gain execution.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Enterprise | T1056.001 | Input Capture: Keylogging | Clambling can capture keystrokes on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Clambling has been delivered to victims' machines through malicious e-mail attachments.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1055.012 | Process Injection: Process Hollowing | Clambling can execute binaries through process hollowing.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1569.002 | System Services: Service Execution | Clambling can create and start services on a compromised host.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1204.002 | User Execution: Malicious File | Clambling has gained execution by luring victims into opening malicious files.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Clambling can wait 30 minutes before initiating contact with C2.(Citation: Trend Micro DRBControl February 2020)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | Clambling can use Dropbox to download malicious payloads, send commands, and receive information.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
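The side-loading entry above (T1574.002) describes a concrete artifact pair: a copy of `MsMpEng.exe` and a malicious `mpsvc.dll` dropped into the same folder. A simple hunt is to flag image-load telemetry where a process named `MsMpEng.exe` loads `mpsvc.dll` from its own directory and that directory is not one of the Windows Defender install locations. The script below is an added example written for this page, not code from the cited reports or from ATT&CK. It assumes Sysmon-style Event ID 7 (Image loaded) records already parsed into dicts with `Image` and `ImageLoaded` fields; the sample events and the list of legitimate Defender directories are constructed assumptions for this illustration.

```python
"""Hunt for the MsMpEng.exe / mpsvc.dll side-loading pattern in image-load telemetry.

Added illustration, not code from the cited reports. Assumes Sysmon-style
Event ID 7 (Image loaded) records parsed into dicts with the fields
"Image" (loading process path) and "ImageLoaded" (loaded DLL path).
"""

from pathlib import PureWindowsPath

# Assumption: directories where a legitimate MsMpEng.exe normally lives.
# Extend for your environment (e.g. other Defender platform versions).
LEGIT_DEFENDER_DIRS = (
    r"C:\Program Files\Windows Defender",
    r"C:\ProgramData\Microsoft\Windows Defender\Platform",
)

LOADER_NAME = "msmpeng.exe"   # the legitimate, signed host process
SIDELOADED_DLL = "mpsvc.dll"  # the DLL name the loader resolves from its own folder


def _under(path: PureWindowsPath, root: str) -> bool:
    """True if `path` lies inside directory `root` (case-insensitive prefix match)."""
    parts = [p.lower() for p in path.parts]
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    return parts[: len(root_parts)] == root_parts


def is_sideload_candidate(event: dict) -> bool:
    """Flag an image-load event when MsMpEng.exe loads mpsvc.dll that sits in
    the same directory as the executable, and that directory is not a known
    Defender location. Co-location outside the install path is the tell."""
    proc = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    if proc.name.lower() != LOADER_NAME or dll.name.lower() != SIDELOADED_DLL:
        return False
    if str(proc.parent).lower() != str(dll.parent).lower():
        return False  # not co-located; a different pattern, if anything
    return not any(_under(proc, root) for root in LEGIT_DEFENDER_DIRS)


def hunt(events: list) -> list:
    """Return the subset of events that match the side-loading pattern."""
    return [e for e in events if is_sideload_candidate(e)]


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    # legitimate Defender loading its own mpsvc.dll: benign
    {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "ImageLoaded": r"C:\Program Files\Windows Defender\mpsvc.dll"},
    # copied loader plus planted DLL in a writable folder: candidate
    {"Image": r"C:\Users\Public\Libraries\MsMpEng.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\mpsvc.dll"},
    # same copied loader, but a system DLL: not the pattern
    {"Image": r"C:\Users\Public\Libraries\MsMpEng.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
    # some other process loading a DLL of that name: not the pattern
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Users\Public\Libraries\mpsvc.dll"},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print("side-load candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

Two caveats for real use: the match is on the process file name, so a renamed copy of the loader slips past it (pivot on the PE's `OriginalFileName` or the Authenticode signer instead), and the Defender directory list has to reflect the platform-version folders actually present on your hosts or legitimate loads will be flagged.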
Groups That Use This Software

ID | Name | References
---|---|---
G0027 | Threat Group-3390 | (Citation: Trend Micro DRBControl February 2020) (Citation: Profero APT27 December 2020) (Citation: Trend Micro Iron Tiger April 2021)
References
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.