Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Clambling can collect information from a compromised host.[1] |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Clambling can register itself as a system service to gain persistence.[2] |
| Enterprise | T1115 | Clipboard Data | Clambling has the ability to capture and store clipboard data.[1][2] |
| Enterprise | T1574.002 | Hijack Execution Flow: DLL Side-Loading | Clambling can store a file named |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Clambling can deobfuscate its payload prior to execution.[1][2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Clambling can establish persistence by adding a Registry run key.[1][2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | The Clambling dropper can use PowerShell to download the malware.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071 | Application Layer Protocol | Clambling has the ability to use Telnet for communication.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1083 | File and Directory Discovery | Clambling can browse directories on a compromised host.[1][2] |
| Enterprise | T1012 | Query Registry | Clambling has the ability to enumerate Registry keys, including |
| Enterprise | T1027 | Obfuscated Files or Information | The Clambling executable has been obfuscated when dropped on a compromised host.[1] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | Clambling has the ability to bypass UAC using a |
| Enterprise | T1204.002 | User Execution: Malicious File | Clambling has gained execution through luring victims into opening malicious files.[1] |
| Enterprise | T1082 | System Information Discovery | Clambling can discover the hostname, computer name, and Windows version of a targeted machine.[1][2] |
| Enterprise | T1033 | System Owner/User Discovery | Clambling can identify the username on a compromised host.[1][2] |
| Enterprise | T1124 | System Time Discovery | |
| Enterprise | T1569.002 | System Services: Service Execution | Clambling can create and start services on a compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Clambling can enumerate the IP address of a compromised machine.[1][2] |
| Enterprise | T1135 | Network Share Discovery | |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | Clambling can use Dropbox to download malicious payloads, send commands, and receive information.[1][2] |
| Enterprise | T1497.003 | Virtualization/Sandbox Evasion: Time Based Evasion | Clambling can wait 30 minutes before initiating contact with C2.[1] |
| Enterprise | T1125 | Video Capture | |
| Enterprise | T1056.001 | Input Capture: Keylogging | Clambling can capture keystrokes on a compromised host.[1][2] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1055 | Process Injection | Clambling can inject into the |
| Enterprise | T1055.012 | Process Injection: Process Hollowing | Clambling can execute binaries through process hollowing.[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Clambling can send files from a victim's machine to Dropbox.[1][2] |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Clambling has been delivered to victims' machines through malicious e-mail attachments.[1] |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | Clambling has the ability to set its file attributes to hidden.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Clambling has the ability to use TCP and UDP for communication.[1] |
| ID | Name | References |
|---|---|---|
| G0027 | Threat Group-3390 | |