
Clambling

Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.(Citation: Trend Micro DRBControl February 2020)
ID: S0660
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 12 Nov 2021
Last Modified: 23 Nov 2021

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Clambling has the ability to bypass UAC using a `passuac.dll` file.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Clambling has the ability to communicate over HTTP.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Clambling can establish persistence by adding a Registry run key.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

The Clambling dropper can use PowerShell to download the malware.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Clambling can use cmd.exe for command execution.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Clambling can register itself as a system service to gain persistence.(Citation: Talent-Jump Clambling February 2020)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Clambling can send files from a victim's machine to Dropbox.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Clambling has the ability to set its file attributes to hidden.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Clambling can store a file named `mpsvc.dll`, which in turn loads a malicious `mpsvc.mui` file, in the same folder as the legitimate Microsoft executable `MsMpEng.exe` (the Microsoft Antimalware Service engine), so that the executable side-loads the attacker's DLL to gain execution.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
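The side-loading arrangement above is easy to hunt for on a mounted disk image: `MsMpEng.exe` normally lives only in the Defender install directory or its platform directory, and Windows MUI resources are normally named `<module>.mui` inside a language subdirectory, so a bare `mpsvc.mui` beside the DLL is itself anomalous. The following hunt script is an added example written for this page, not code from the cited reports or from MITRE; the expected Defender directory list and the placeholder sample tree it builds are assumptions constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Directories (relative to the system drive, lower-case, POSIX separators) where
# MsMpEng.exe legitimately lives: the Defender install directory and the platform
# directory that receives updated engines. Assumed list; extend for your estate.
EXPECTED_DEFENDER_DIRS = (
    "program files/windows defender",
    "programdata/microsoft/windows defender/platform",
)


def hunt_msmpeng_sideload(root):
    """Walk `root` (a mounted image or a copy of the system drive) and return one
    finding per directory that holds MsMpEng.exe in a suspicious arrangement."""
    root = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        names = {f.lower() for f in filenames}
        if "msmpeng.exe" not in names:
            continue
        rel = Path(dirpath).relative_to(root).as_posix().lower()
        in_expected = any(rel.startswith(d) for d in EXPECTED_DEFENDER_DIRS)
        reasons = []
        if not in_expected:
            reasons.append("MsMpEng.exe outside the expected Defender directories")
            if "mpsvc.dll" in names:
                reasons.append("mpsvc.dll co-located with the relocated MsMpEng.exe")
        # Real MUI resources sit in a language subdirectory as mpsvc.dll.mui; a bare
        # mpsvc.mui next to the DLL matches the Clambling loader arrangement.
        if "mpsvc.mui" in names:
            reasons.append("bare mpsvc.mui beside the executable")
        if reasons:
            findings.append({"dir": rel, "reasons": reasons})
    return findings


def build_sample_tree():
    """Create a constructed directory tree (placeholder files, not real binaries)
    with one legitimate Defender layout and one side-loading layout."""
    root = tempfile.mkdtemp(prefix="sideload_hunt_")
    layout = {
        "Program Files/Windows Defender": ["MsMpEng.exe", "MpSvc.dll"],
        "Users/Public/Libraries/update": ["MsMpEng.exe", "mpsvc.dll", "mpsvc.mui"],
        "Windows/System32": ["svchost.exe"],
    }
    for sub, files in layout.items():
        d = Path(root, sub)
        d.mkdir(parents=True)
        for name in files:
            (d / name).write_bytes(b"placeholder")
    return root


if __name__ == "__main__":
    for finding in hunt_msmpeng_sideload(build_sample_tree()):
        print(finding["dir"], "->", "; ".join(finding["reasons"]))
```

Run it against the root of a mounted image rather than a live system drive where possible; on a live host, pair the path check with an Authenticode signature check on the DLL, since a legitimately relocated Defender platform directory will still carry a Microsoft-signed `MpSvc.dll`.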

Enterprise T1056 .001 Input Capture: Keylogging

Clambling can capture keystrokes on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Clambling has been delivered to victims' machines through malicious e-mail attachments.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1055 .012 Process Injection: Process Hollowing

Clambling can execute binaries through process hollowing.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1569 .002 System Services: Service Execution

Clambling can create and start services on a compromised host.(Citation: Trend Micro DRBControl February 2020)
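The Run-key (T1547.001) and service (T1543.003, T1569.002) persistence described above leaves telemetry that can be triaged with one rule: a Run-key value or a newly installed service whose binary sits in a user-writable location, or a process that registers itself under a Run key, deserves a look. The script below is an added example written for this page, not code from the cited reports; the event records are constructed to resemble Sysmon Event ID 13 (registry value set) and Service Control Manager Event ID 7045 (new service installed), and the field names, paths, SID and service names in them are assumptions.

```python
import re

# Locations from which a Run-key target or service binary should rarely start.
# ProgramData is included because parts of it are writable by standard users.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\appdata|users\\public|windows\\temp|programdata)\\", re.I
)
RUN_KEY = re.compile(r"\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# First quoted or unquoted token of a command line, i.e. the executable path.
EXE_PATH = re.compile(r'^\s*"?([^"]+?\.(?:exe|dll))"?', re.I)

# Constructed events (not real telemetry) modelled on Sysmon Event ID 13 and
# Service Control Manager Event ID 7045.
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 13,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /silent'},
    {"source": "Sysmon", "event_id": 13,
     "Image": r"C:\Users\alice\AppData\Roaming\update\MsMpEng.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\WinDefender",
     "Details": r"C:\Users\alice\AppData\Roaming\update\MsMpEng.exe"},
    {"source": "Service Control Manager", "event_id": 7045,
     "ServiceName": "wuauserv2", "StartType": "auto start",
     "ImagePath": r"C:\ProgramData\update\MsMpEng.exe"},
    {"source": "Service Control Manager", "event_id": 7045,
     "ServiceName": "VendorAgent", "StartType": "auto start",
     "ImagePath": r'"C:\Program Files\Vendor\agent.exe" -service'},
    {"source": "Sysmon", "event_id": 13,
     "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]


def triage_persistence(events):
    """Return (index, reason) pairs for events that look like Clambling-style
    persistence: Run-key values or new services whose binary lives in a
    user-writable location, and Run keys written by the binary they point at."""
    hits = []
    for i, ev in enumerate(events):
        if ev["source"] == "Sysmon" and ev["event_id"] == 13:
            if not RUN_KEY.search(ev["TargetObject"]):
                continue  # registry write, but not an autostart location
            m = EXE_PATH.match(ev["Details"])
            target = m.group(1) if m else ev["Details"]
            if USER_WRITABLE.search(target):
                hits.append((i, f"Run key points into user-writable path: {target}"))
            if target.lower() == ev["Image"].lower():
                hits.append((i, "process registered itself under a Run key"))
        elif ev["source"] == "Service Control Manager" and ev["event_id"] == 7045:
            m = EXE_PATH.match(ev["ImagePath"])
            target = m.group(1) if m else ev["ImagePath"]
            if USER_WRITABLE.search(target):
                hits.append((i, f"new service {ev['ServiceName']!r} runs from "
                                f"user-writable path: {target}"))
    return hits


if __name__ == "__main__":
    for idx, reason in triage_persistence(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Installer-driven Run keys under Program Files and services installed into System32 pass through untouched, which keeps the rule quiet on a normal fleet; the self-registration check is the one that fires on a dropper that writes its own path, regardless of where it landed.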

Enterprise T1204 .002 User Execution: Malicious File

Clambling has gained execution through luring victims into opening malicious files.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Clambling can wait 30 minutes before initiating contact with C2.(Citation: Trend Micro DRBControl February 2020)

Enterprise T1102 .002 Web Service: Bidirectional Communication

Clambling can use Dropbox to download malicious payloads, send commands, and receive information.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)
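Because the Dropbox traffic described above (the bidirectional channel here and the file exfiltration under T1567.002) rides on a legitimate, TLS-protected service, the useful signals on a proxy are behavioural rather than content-based: a host that polls the API on a fixed cadence and a host that pushes an unusual volume into the upload endpoint. The detector below is an added example written for this page, not code from the cited reports; the proxy log is constructed, and the host and endpoint names follow the public Dropbox API v2 naming but should be treated as assumptions to confirm against your own proxy's logging.

```python
import csv
import io
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed Dropbox API v2 hosts and endpoints; an in-line proxy that logs the Host
# header and request path is assumed.
DROPBOX_API_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com"}
POLL_PATHS = {"/2/files/list_folder", "/2/files/download"}
UPLOAD_PATH = "/2/files/upload"

# Constructed proxy log (not captured traffic): 10.0.0.23 polls every 600 s and
# uploads 5.5 MB; 10.0.0.5 is an irregular, low-volume user; 10.0.0.7 is unrelated.
SAMPLE_LOG = """\
ts,src,host,method,path,bytes_out
2020-02-10T09:00:00,10.0.0.23,api.dropboxapi.com,POST,/2/files/list_folder,310
2020-02-10T09:02:13,10.0.0.5,api.dropboxapi.com,POST,/2/files/list_folder,305
2020-02-10T09:07:41,10.0.0.5,content.dropboxapi.com,POST,/2/files/upload,120000
2020-02-10T09:10:00,10.0.0.23,api.dropboxapi.com,POST,/2/files/list_folder,310
2020-02-10T09:12:40,10.0.0.5,api.dropboxapi.com,POST,/2/files/list_folder,305
2020-02-10T09:20:00,10.0.0.23,api.dropboxapi.com,POST,/2/files/list_folder,310
2020-02-10T09:30:00,10.0.0.23,api.dropboxapi.com,POST,/2/files/list_folder,310
2020-02-10T09:31:05,10.0.0.23,content.dropboxapi.com,POST,/2/files/upload,3000000
2020-02-10T09:33:05,10.0.0.5,api.dropboxapi.com,POST,/2/files/list_folder,305
2020-02-10T09:34:10,10.0.0.5,api.dropboxapi.com,POST,/2/files/list_folder,305
2020-02-10T09:40:00,10.0.0.23,api.dropboxapi.com,POST,/2/files/list_folder,310
2020-02-10T09:41:30,10.0.0.7,www.example.com,GET,/,0
2020-02-10T09:50:00,10.0.0.23,api.dropboxapi.com,POST,/2/files/list_folder,310
2020-02-10T09:52:20,10.0.0.23,content.dropboxapi.com,POST,/2/files/upload,2500000
"""


def parse_log(text):
    """Parse the CSV proxy log into dicts with typed timestamp and byte count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["bytes_out"] = int(r["bytes_out"])
        rows.append(r)
    return rows


def analyze(rows, beacon_min=4, jitter_tolerance=0.1, upload_threshold=5_000_000):
    """Return {src: [reasons]} for sources whose Dropbox API use looks like C2 or exfil.

    A source is flagged for beaconing when it has at least `beacon_min` poll
    requests whose inter-arrival times vary by no more than `jitter_tolerance`
    (relative standard deviation), and for exfiltration when its total upload
    volume exceeds `upload_threshold` bytes."""
    by_src = defaultdict(list)
    for r in rows:
        if r["host"] in DROPBOX_API_HOSTS:
            by_src[r["src"]].append(r)
    alerts = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r["ts"])
        reasons = []
        polls = [r["ts"] for r in reqs if r["path"] in POLL_PATHS]
        if len(polls) >= beacon_min:
            gaps = [(b - a).total_seconds() for a, b in zip(polls, polls[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean <= jitter_tolerance:
                reasons.append(f"regular polling every ~{mean:.0f}s over {len(polls)} requests")
        uploaded = sum(r["bytes_out"] for r in reqs if r["path"] == UPLOAD_PATH)
        if uploaded > upload_threshold:
            reasons.append(f"{uploaded} bytes uploaded to Dropbox")
        if reasons:
            alerts[src] = reasons
    return alerts


if __name__ == "__main__":
    for src, reasons in analyze(parse_log(SAMPLE_LOG)).items():
        print(src, "->", "; ".join(reasons))
```

Tune `beacon_min` and the jitter tolerance against a week of your own proxy data before alerting on it: the official desktop client also polls, but its cadence and its upload volume per host look different from an implant that checks a folder on a timer, and the 30-minute start-up delay noted under T1497.003 means the first poll may land well after the initial infection.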

Groups That Use This Software

ID Name References
G0027 Threat Group-3390 (Citation: Profero APT27 December 2020)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020)
