Skip to content

S0660 Clambling

Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.1

Item Value
ID S0660
Associated Names
Version 1.0
Created 12 November 2021
Last Modified 23 November 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control Clambling has the ability to bypass UAC using a passuac.dll file.12
enterprise T1071 Application Layer Protocol Clambling has the ability to use Telnet for communication.1
enterprise T1071.001 Web Protocols Clambling has the ability to communicate over HTTP.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Clambling can establish persistence by adding a Registry run key.12
enterprise T1115 Clipboard Data Clambling has the ability to capture and store clipboard data.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell The Clambling dropper can use PowerShell to download the malware.1
enterprise T1059.003 Windows Command Shell Clambling can use cmd.exe for command execution.1
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service Clambling can register itself as a system service to gain persistence.2
enterprise T1005 Data from Local System Clambling can collect information from a compromised host.1
enterprise T1140 Deobfuscate/Decode Files or Information Clambling can deobfuscate its payload prior to execution.12
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage Clambling can send files from a victim’s machine to Dropbox.12
enterprise T1083 File and Directory Discovery Clambling can browse directories on a compromised host.12
enterprise T1564 Hide Artifacts -
enterprise T1564.001 Hidden Files and Directories Clambling has the ability to set its file attributes to hidden.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading Clambling can store a file named mpsvc.dll, which opens a malicious mpsvc.mui file, in the same folder as the legitimate Microsoft executable MsMpEng.exe to gain execution.12
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Clambling can capture keystrokes on a compromised host.12
enterprise T1112 Modify Registry Clambling can set and delete Registry keys.1
enterprise T1135 Network Share Discovery Clambling has the ability to enumerate network shares.1
enterprise T1095 Non-Application Layer Protocol Clambling has the ability to use TCP and UDP for communication.1
enterprise T1027 Obfuscated Files or Information The Clambling executable has been obfuscated when dropped on a compromised host.1
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Clambling has been delivered to victim’s machines through malicious e-mail attachments.1
enterprise T1057 Process Discovery Clambling can enumerate processes on a targeted system.1
enterprise T1055 Process Injection Clambling can inject into the svchost.exe process for execution.1
enterprise T1055.012 Process Hollowing Clambling can execute binaries through process hollowing.1
enterprise T1012 Query Registry Clambling has the ability to enumerate Registry keys, including KEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt\strDataDir to search for a bitcoin wallet.12
enterprise T1113 Screen Capture Clambling has the ability to capture screenshots.1
enterprise T1082 System Information Discovery Clambling can discover the hostname, computer name, and Windows version of a targeted machine.12
enterprise T1016 System Network Configuration Discovery Clambling can enumerate the IP address of a compromised machine.12
enterprise T1033 System Owner/User Discovery Clambling can identify the username on a compromised host.12
enterprise T1569 System Services -
enterprise T1569.002 Service Execution Clambling can create and start services on a compromised host.1
enterprise T1124 System Time Discovery Clambling can determine the current time.1
enterprise T1204 User Execution -
enterprise T1204.002 Malicious File Clambling has gained execution through luring victims into opening malicious files.1
enterprise T1125 Video Capture Clambling can record screen content in AVI format.12
enterprise T1497 Virtualization/Sandbox Evasion -
enterprise T1497.003 Time Based Evasion Clambling can wait 30 minutes before initiating contact with C2.1
enterprise T1102 Web Service -
enterprise T1102.002 Bidirectional Communication Clambling can use Dropbox to download malicious payloads, send commands, and receive information.12

Groups That Use This Software

ID Name References
G0027 Threat Group-3390 134