1. Home
  2. Software
  3. Clambling

Clambling

Clambling is a modular backdoor written in C++ that has been used by Threat Group-3390 since at least 2017.[1]

ID: S0660
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 12 November 2021
Last Modified: 23 November 2021
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Clambling has the ability to bypass UAC using a passuac.dll file.[1][2]
Enterprise T1071 Application Layer Protocol

Clambling has the ability to use Telnet for communication.[1]
.001 Web Protocols

Clambling has the ability to communicate over HTTP.[1]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Clambling can establish persistence by adding a Registry run key.[1][2]
Enterprise T1115 Clipboard Data

Clambling has the ability to capture and store clipboard data.[1][2]
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

The Clambling dropper can use PowerShell to download the malware.[1]
.003 Command and Scripting Interpreter: Windows Command Shell

Clambling can use cmd.exe for command execution.[1]
Enterprise T1543 .003 Create or Modify System Process: Windows Service

Clambling can register itself as a system service to gain persistence.[2]
Enterprise T1005 Data from Local System

Clambling can collect information from a compromised host.[1]
Enterprise T1140 Deobfuscate/Decode Files or Information

Clambling can deobfuscate its payload prior to execution.[1][2]
Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Clambling can send files from a victim's machine to Dropbox.[1][2]
Enterprise T1083 File and Directory Discovery

Clambling can browse directories on a compromised host.[1][2]
Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

Clambling has the ability to set its file attributes to hidden.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

Clambling can store a file named mpsvc.dll, which opens a malicious mpsvc.mui file, in the same folder as the legitimate Microsoft executable MsMpEng.exe to gain execution.[1][2]
Enterprise T1056 .001 Input Capture: Keylogging

Clambling can capture keystrokes on a compromised host.[1][2]
Enterprise T1112 Modify Registry

Clambling can set and delete Registry keys.[1]
Enterprise T1135 Network Share Discovery

Clambling has the ability to enumerate network shares.[1]
Enterprise T1095 Non-Application Layer Protocol

Clambling has the ability to use TCP and UDP for communication.[1]
Enterprise T1027 Obfuscated Files or Information

The Clambling executable has been obfuscated when dropped on a compromised host.[1]
Enterprise T1566 .001 Phishing: Spearphishing Attachment

Clambling has been delivered to victim's machines through malicious e-mail attachments.[1]
Enterprise T1057 Process Discovery

Clambling can enumerate processes on a targeted system.[1]
Enterprise T1055 Process Injection

Clambling can inject into the svchost.exe process for execution.[1]
.012 Process Hollowing

Clambling can execute binaries through process hollowing.[1]
Enterprise T1012 Query Registry

Clambling has the ability to enumerate Registry keys, including KEY_CURRENT_USER\Software\Bitcoin\Bitcoin-Qt\strDataDir to search for a bitcoin wallet.[1][2]
Enterprise T1113 Screen Capture

Clambling has the ability to capture screenshots.[1]
Enterprise T1082 System Information Discovery

Clambling can discover the hostname, computer name, and Windows version of a targeted machine.[1][2]
Enterprise T1016 System Network Configuration Discovery

Clambling can enumerate the IP address of a compromised machine.[1][2]
Enterprise T1033 System Owner/User Discovery

Clambling can identify the username on a compromised host.[1][2]
Enterprise T1569 .002 System Services: Service Execution

Clambling can create and start services on a compromised host.[1]
Enterprise T1124 System Time Discovery

Clambling can determine the current time.[1]
Enterprise T1204 .002 User Execution: Malicious File

Clambling has gained execution through luring victims into opening malicious files.[1]
Enterprise T1125 Video Capture

Clambling can record screen content in AVI format.[1][2]
Enterprise T1497 .003 Virtualization/Sandbox Evasion: Time Based Evasion

Clambling can wait 30 minutes before initiating contact with C2.[1]
Enterprise T1102 .002 Web Service: Bidirectional Communication

Clambling can use Dropbox to download malicious payloads, send commands, and receive information.[1][2]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[1][3][4]

References

  1. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  2. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  1. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  2. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.