S0660 Clambling
Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[1]
Item | Value |
---|---|
ID | S0660 |
Associated Names | |
Type | MALWARE |
Version | 1.0 |
Created | 12 November 2021 |
Last Modified | 23 November 2021 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1548 | Abuse Elevation Control Mechanism | - |
enterprise | T1548.002 | Bypass User Account Control | Clambling has the ability to bypass UAC using a passuac.dll file.[1][2] |
enterprise | T1071 | Application Layer Protocol | Clambling has the ability to use Telnet for communication.[1] |
enterprise | T1071.001 | Web Protocols | Clambling has the ability to communicate over HTTP.[1] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Clambling can establish persistence by adding a Registry run key.[1][2] |
enterprise | T1115 | Clipboard Data | Clambling has the ability to capture and store clipboard data.[1][2] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | The Clambling dropper can use PowerShell to download the malware.[1] |
enterprise | T1059.003 | Windows Command Shell | Clambling can use cmd.exe for command execution.[1] |
enterprise | T1543 | Create or Modify System Process | - |
enterprise | T1543.003 | Windows Service | Clambling can register itself as a system service to gain persistence.[2] |
enterprise | T1005 | Data from Local System | Clambling can collect information from a compromised host.[1] |
enterprise | T1140 | Deobfuscate/Decode Files or Information | Clambling can deobfuscate its payload prior to execution.[1][2] |
enterprise | T1567 | Exfiltration Over Web Service | - |
enterprise | T1567.002 | Exfiltration to Cloud Storage | Clambling can send files from a victim's machine to Dropbox.[1][2] |
enterprise | T1083 | File and Directory Discovery | Clambling can browse directories on a compromised host.[1][2] |
enterprise | T1564 | Hide Artifacts | - |
enterprise | T1564.001 | Hidden Files and Directories | Clambling has the ability to set its file attributes to hidden.[1] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.002 | DLL Side-Loading | Clambling can store a file named mpsvc.dll, which opens a malicious mpsvc.mui file, in the same folder as the legitimate Microsoft executable MsMpEng.exe to gain execution.[1][2] |
enterprise | T1056 | Input Capture | - |
enterprise | T1056.001 | Keylogging | Clambling can capture keystrokes on a compromised host.[1][2] |
enterprise | T1112 | Modify Registry | Clambling can set and delete Registry keys.[1] |
enterprise | T1135 | Network Share Discovery | Clambling has the ability to enumerate network shares.[1] |
enterprise | T1095 | Non-Application Layer Protocol | Clambling has the ability to use TCP and UDP for communication.[1] |
enterprise | T1027 | Obfuscated Files or Information | The Clambling executable has been obfuscated when dropped on a compromised host.[1] |
enterprise | T1566 | Phishing | - |
enterprise | T1566.001 | Spearphishing Attachment | Clambling has been delivered to victims' machines through malicious e-mail attachments.[1] |
enterprise | T1057 | Process Discovery | Clambling can enumerate processes on a targeted system.[1] |
enterprise | T1055 | Process Injection | Clambling can inject into the svchost.exe process for execution.[1] |
enterprise | T1055.012 | Process Hollowing | Clambling can execute binaries through process hollowing.[1] |
enterprise | T1012 | Query Registry | Clambling has the ability to enumerate Registry keys, including KEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt\strDataDir, to search for a bitcoin wallet.[1][2] |
enterprise | T1113 | Screen Capture | Clambling has the ability to capture screenshots.[1] |
enterprise | T1082 | System Information Discovery | Clambling can discover the hostname, computer name, and Windows version of a targeted machine.[1][2] |
enterprise | T1016 | System Network Configuration Discovery | Clambling can enumerate the IP address of a compromised machine.[1][2] |
enterprise | T1033 | System Owner/User Discovery | Clambling can identify the username on a compromised host.[1][2] |
enterprise | T1569 | System Services | - |
enterprise | T1569.002 | Service Execution | Clambling can create and start services on a compromised host.[1] |
enterprise | T1124 | System Time Discovery | Clambling can determine the current time.[1] |
enterprise | T1204 | User Execution | - |
enterprise | T1204.002 | Malicious File | Clambling has gained execution by luring victims into opening malicious files.[1] |
enterprise | T1125 | Video Capture | Clambling can record screen content in AVI format.[1][2] |
enterprise | T1497 | Virtualization/Sandbox Evasion | - |
enterprise | T1497.003 | Time Based Evasion | Clambling can wait 30 minutes before initiating contact with C2.[1] |
enterprise | T1102 | Web Service | - |
enterprise | T1102.002 | Bidirectional Communication | Clambling can use Dropbox to download malicious payloads, send commands, and receive information.[1][2] |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0027 | Threat Group-3390 | [1][3][4] |
References
1. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
2. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
3. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
4. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.