APT27 Turns to Ransomware
Global Threat Center, Intelligence Team
Published December 2020
Copyright 2020

Earlier this year, Security Joes and Profero responded to an incident involving a ransomware and the encryption of several core servers. After an extensive investigation, our team was able to discover samples of malware linked to the campaign reported on by TrendMicro¹, known as DRBControl, with links to both APT groups: APT27 and Winnti. This particular campaign revolves around attacks on major gaming companies, worldwide.

DRBControl was first reported on by TrendMicro and Talent-Jump Technologies at the beginning of 2020 and covered an incident they responded to back in July 2019. What was interesting about this backdoor was its utilization of Dropbox as a Command and Control (C2) server. Our team discovered a very similar sample that we were able to identify as a variant of Clambling; however, the sample lacked any Dropbox capabilities. As a result, it could be considered an older variant, or the threat actors may have different variants for different use cases.

Alongside the discovered backdoor, we located the ASPXSpy webshell, a sample of PlugX, and Mimikatz. The initial infection vector was through a 3rd party service provider, which had previously been infected through another 3rd party service provider.

Foreword

With regards to who is behind this specific infection chain, there are extremely strong links to APT27/Emissary Panda, in terms of code similarities and TTPs. APT27 is believed to be a state-sponsored Chinese APT group, focused on cyberespionage and the theft of information and data. What stood out in this incident was the encryption of core servers using BitLocker, which is a local encryption tool built into Windows. This was particularly interesting, as in many cases threat actors will drop ransomware onto the machines rather than use local encryption tools. Previously, APT27 was not necessarily focused on financial gain, and so employing ransomware actor tactics is highly unusual. However, this incident
occurred at a time where COVID-19 was rampant across China, with lockdowns being put into place, and therefore a switch to a financial focus would not be surprising. Upon writing this report, a report was released by PTSecurity², which covered an incident linked to APT27 where the Polar ransomware was dropped to systems, validating our belief that APT27 has become more financially focused.

INFECTION CHAIN

Chinese APT refocus efforts on financial gain

As mentioned previously, the threat actors gained a foothold onto the company systems through a 3rd party compromise. An ASPXSpy webshell was also deployed, to assist in lateral movement. The PlugX and Clambling samples were both loaded into memory using a Google Updater executable vulnerable to DLL Side-Loading. For each of the two samples, there was a legitimate executable, a malicious DLL, and a binary file consisting of shellcode responsible for extracting the payload from itself and running it in memory. Both samples used the signed Google Updater, and both DLLs were labeled goopdate.dll; however, the PlugX binary file was named license.rtf, and the Clambling binary file was named English.rtf.

We also discovered a generic Mimikatz sample on the infected machine, which was not modified by the attackers before distributing it onto the machines. Additionally, we located a binary responsible for escalating privileges by exploiting CVE-2017-0213, for which the source code is publicly available. This lines up with the TrendMicro report, which mentions the discovery of the same exploit being used. APT27 has been known to use this exploit to escalate privileges in the past, with one incident resulting in a CryptoMiner being dropped to the system. This shows us that this is not the first time APT27 has turned into financially motivated attackers.

[Figure: Links between APT27 and Winnti]
TOOL ANALYSIS

Due to the extensive nature of PlugX usage among Chinese threat actors, we chose to focus our efforts on analysing the Clambling implant, as it seems to be somewhat unique to this campaign. Specifically, we discovered a different variant of the Type 2 Backdoor, confirmed initially through the exposed RTTI information; the only difference is the lack of the CMuture class in the sample we discovered.

Upon being loaded into memory through DLL Side-Loading, the flow of execution is determined by the number of arguments, rather than the content of the arguments. Before the program even queries the number of arguments, it first writes the encrypted on-board configuration to the registry. In the sample we discovered, it writes it to [HKLM/HKCU]\Software\RCS\Software\CPanels. After the configuration has been written to the registry, the sample will decrypt it in memory, for later use in the sample.

Figure 1 - VFTable

Onto the argument parsing, there are a total of 4 pathways. The first pathway will set up persistence and execute the DLL Side-Loading vulnerable executable with the argument 16.
This triggers execution of the second pathway, which will result in the sample spawning msiexec.exe with the argument 17, and injecting itself into it. As a result, pathway 3 will execute inside the msiexec.exe process; this will initiate communications with the C2 server, and spawn svchost.exe with an argument based on the current process identifier, once again injecting itself into the newly created process. The 4th and final pathway will execute in svchost.exe. This pathway involves setting up a pipe between the msiexec.exe and svchost.exe processes, and initializing the main backdoor features such as the keylogger, screen capture, file manager, etc. This pipe allows the attacker to send commands to the svchost.exe process, to request log files, screen captures, etc.

Figure 2 - Code sample

NUMBER OF ARGUMENTS | ARGUMENT CONTENT | ACTION
1                   | NONE             | Set up persistence through registry or services, and spawn again with argument 16
2                   | 16               | Inject into msiexec.exe with argument 17
2                   | 17               | Initiate communications with the C2 server, and inject itself into a spawned svchost.exe with argument based on PID
2                   | PID              | Set up a pipe with the msiexec.exe process and initialize main backdoor functions

Figure 3 - Argument parsing

Persistence is set up through the system services if the sample has the correct privileges; otherwise it utilizes the Run key in the registry. Once persistence has been set up, the sample will spawn another instance of itself with the argument 16, as mentioned previously.

Figure 4 - Persistence through a vulnerable executable, google update executable
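The four-pathway launch sequence above leaves a distinctive parent/child pattern in process telemetry. The following Python is an added example, not code from the report or from Security Joes/Profero; it assumes Sysmon-style process-creation records (the ProcEvent fields below) and registry-write records as (pid, key) pairs, all constructed inline, and flags the host-with-16 → msiexec.exe-with-17 → svchost.exe-with-a-bare-number chain together with writes to the configuration key named above.

```python
"""Flag the Clambling launch chain in process-creation telemetry.

Added example, not code from the report: it assumes Sysmon-style process
creation records with the fields of ProcEvent below and registry-write
records as (pid, key). All events are constructed here for the demonstration.
"""
from dataclasses import dataclass

# From the report: the sideloading host binaries and the argument values that
# select pathway 2 (host re-launched with "16") and pathway 3 (msiexec.exe "17").
SIDELOAD_HOSTS = {"googleupdate.exe", "debug.exe"}
PATHWAY2_ARG = "16"
PATHWAY3_ARG = "17"
# Registry location the sample writes its encrypted configuration to.
CONFIG_KEY_SUFFIX = r"\software\rcs\software\cpanels"


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # path of the created process
    cmdline: str    # full command line of the created process


def _basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _args(cmdline: str) -> list:
    """Arguments after the program token; a leading quoted path is one token."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        rest = cmdline[end + 1:] if end != -1 else ""
    else:
        rest = cmdline.split(None, 1)[1] if " " in cmdline else ""
    return rest.split()


def find_clambling_chains(events):
    """Return (host_pid, msiexec_pid, svchost_pid) for every chain of
    <sideload host> 16  ->  msiexec.exe 17  ->  svchost.exe <number>.

    Only the complete three-stage chain is reported: GoogleUpdate.exe is a
    legitimate binary, and msiexec.exe / svchost.exe are launched constantly
    by Windows, so any single stage on its own would be noisy.
    """
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if _basename(e.image) != "msiexec.exe" or _args(e.cmdline) != [PATHWAY3_ARG]:
            continue
        parent = by_pid.get(e.ppid)
        if parent is None or _basename(parent.image) not in SIDELOAD_HOSTS:
            continue
        if _args(parent.cmdline) != [PATHWAY2_ARG]:
            continue
        for child in events:
            cargs = _args(child.cmdline)
            if (child.ppid == e.pid and _basename(child.image) == "svchost.exe"
                    and len(cargs) == 1 and cargs[0].isdigit()):
                hits.append((parent.pid, e.pid, child.pid))
    return hits


def find_config_writes(reg_events):
    """PIDs that wrote under the key the sample stores its configuration in."""
    return [pid for pid, key in reg_events
            if key.replace("/", "\\").lower().endswith(CONFIG_KEY_SUFFIX)]


# Constructed sample telemetry: one infection chain plus ordinary Windows noise.
SAMPLE_EVENTS = [
    ProcEvent(900, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(910, 900, r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    ProcEvent(920, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(930, 920, r"C:\Windows\System32\msiexec.exe", "msiexec.exe /i setup.msi"),
    # pathway 1: the renamed GoogleUpdate host launched with no arguments
    ProcEvent(1000, 920, r"C:\ProgramData\Temp\debug.exe", "debug.exe"),
    # pathway 2: re-launched by itself with argument 16
    ProcEvent(1004, 1000, r"C:\ProgramData\Temp\debug.exe", "debug.exe 16"),
    # pathway 3: msiexec.exe spawned with argument 17
    ProcEvent(1010, 1004, r"C:\Windows\System32\msiexec.exe",
              '"C:\\Windows\\System32\\msiexec.exe" 17'),
    # pathway 4: svchost.exe spawned with a PID-derived numeric argument
    ProcEvent(1020, 1010, r"C:\Windows\System32\svchost.exe", "svchost.exe 1010"),
]
SAMPLE_REGISTRY = [
    (910, r"HKLM\SYSTEM\CurrentControlSet\Services\BITS"),
    (1004, r"HKCU\Software\RCS\Software\CPanels"),
]

if __name__ == "__main__":
    print("chains:", find_clambling_chains(SAMPLE_EVENTS))          # [(1004, 1010, 1020)]
    print("config writers:", find_config_writes(SAMPLE_REGISTRY))   # [1004]
```

Because the argument values (16, 17, a bare number) are this sample's own conventions, matching only the complete chain keeps GoogleUpdate.exe's legitimate launches and routine msiexec.exe/svchost.exe activity out of the results; a variant that changes those constants would need the values updated.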
The injection into msiexec.exe is fairly simple, with the sample simply allocating memory in the remote suspended process, writing itself to memory, and patching the entry point to call the entry point of its injected code, passing in the argument 0x120000. Once the overwrite has been completed, the main thread will be resumed, executing the malicious injected payload.

Figure 5 - Memory allocation for the process

The injection into svchost.exe operates similarly, overwriting the entry point with a push and a call to the entry point of the malicious code. Inside the second msiexec.exe process, communication with the C2 server will begin. The sample of Clambling we analysed contained 3 main communication protocols: raw UDP, raw TCP and HTTP. During the investigation, we focused our analysis efforts primarily on the TCP protocol. This utilized the WinSock API for communication, including WSASend and WSARecv.

Figure 6 - Process injection

Figure 7 - Cleaning up after execution

The communication-linked function will loop until a command is received to clean up any traces from the machine, at which point the implant will remove any linked files and terminate itself.

There are several commands available to an attacker inside the second msiexec.exe process. These include gathering system information such as the current privileges (user privileges, administrator privileges, etc.) and the operating system version information, dropping/updating the current implant, and cleaning any traces of the malware from the infected machine. The clean-up functionality will remove any files dropped to the machine and remove any added registry keys, as well as services if it was running with administrator privileges.

Figure 8 - Communication methods
While it does not utilize Dropbox as a C2 server, it is still extremely modular and allows the attacker to drop additional samples of malware to an infected machine or execute commands through a reverse shell, such as executing BitLocker to encrypt core servers. There are definitely some code overlaps between Clambling and PlugX, such as the usage of what seems to be a campaign identifier in the packets sent to and from the C2 server: 0x20160101. This same structure can be seen in PlugX samples, which could indicate the developers used source code from the PlugX remote access tool while developing Clambling. Additionally, it seems like the actors behind this particular strain are constantly updating and reworking their tools, as it is a fairly new campaign yet there are several different variants of a specific tool.

COMMAND | FUNCTION
0X101   | Gather System Information
0X103   | Unknown: Send a 32 byte string to the C2
0X104   | Clean up traces of the malware on the infected machine
0X106   | Allow attacker to update/drop additional malware to be loaded into memory via DLL Side-Loading
0X107   | Update a value in the configuration, encrypt it, and store it in the registry
0X108   | Change communication protocol or initiate pipe communication with svchost.exe

LINKS TO THREAT ACTORS

Reading through the TrendMicro report, there were 2 possible groups linked to the DRBControl campaign: APT27 and Winnti. APT27 was linked to the campaign due to the usage of the HyperBro backdoor in one of the incidents. HyperBro is typically considered to be unique to APT27, rather than a commonly shared tool such as PlugX. This could indicate that APT27 is responsible for the campaign, or that they are beginning to share tools with other cybercrime groups. Winnti had a much stronger link to the campaign, based on similar mutexes and the post exploitation commands run by the attackers. The post exploitation commands included a bitsadmin call, which reached out to an IP address and infrastructure linked to Winnti. bitsadmin is another Windows tool that allows for file transfers and can be used to download remote files. Additionally, Winnti are known to target computer gaming companies, so the switch from that to gambling companies is not too farfetched to believe, compared to APT27, who commonly target government organisations, defence sectors, and more.
In our analysis, we found similarities between our Clambling sample and older confirmed APT27 implants; specifically, the method of using the number of arguments to execute different functions, and the usage of DLL Side-Loading with the main payload stored in a separate file. Unfortunately, this was not enough to confirm the hypothesis that APT27 was behind this campaign, and as we did not have any other samples such as HyperBro, we decided to focus on the possibility of a Winnti link.

After searching for code overlap between Winnti samples and our Clambling sample, we discovered a report by Command5⁴ on an incident that took place back in 2011, which targeted SK Communications, a South Korean tech company. The incident involved the theft of the personal information of up to 35 million records and occurred due to the hijacking of a third-party server belonging to ESTSoft⁵. The server in question provided automatic updates to ESTSoft's archive software, and when hijacked by attackers, provided an update to SK Communications systems that would enable an attacker to perform DLL Side-Loading through the legitimate archive software. Interestingly, one of the Clambling implants discovered by TrendMicro involved a patched copy of HaoZip, a Chinese alternative to WinRAR and WinZIP.

[Figure: Relations between our findings and previous reports]

We investigated further and came across an excerpt of the configuration block in the main sample used to infiltrate SK Communications. While it is a weak link, we discovered similarities between this configuration block and the configuration block in the Clambling backdoor. This link could indicate possible configuration structure reuse between the two samples. The main similarities between the 2 configuration blocks lie in the storage of the port just before the IP address, as well as the use of a potential time stamp and timer value. Above you can see an image of the configuration block from the SK Communications hack, and below you can see an excerpt from the Clambling configuration block.
Figure 9 - Configuration block from SK Communications incident

Figure 10 - Clambling configuration

After discovering this link, we investigated the SK Communications incident a bit further. Uploading the Clambling backdoor to Intezer⁶ yielded strong links to the PlugX strain of malware, and interestingly, very weak links to the SK Communications sample. From there, we discovered a blog post by Kaspersky⁷ which mentioned ESTSoft had been penetrated by Winnti around the same time SK Communications were hacked. As Winnti are known for compromising certificates for signing malware, and the SK Communications incident occurred due to a signed malicious update, it is not farfetched to believe Winnti were responsible for the breach of SK Communications, which in turn could hint towards Winnti being behind the Clambling backdoor. While there certainly is not as much string encryption or API obfuscation occurring in this new backdoor, it is odd that the configurations are very similar in terms of structure, and therefore we decided to share this point regardless, in the hope that it can lead to further research.

Figure 11 - SK Configuration Structure

Figure 12 - Configuration Structure

Combining all the links we discovered during our analysis of our incident, it is not out of the question that Winnti is behind the Clambling backdoor, or at least a sub-group operating under the Winnti umbrella. The target in question is not a common target for APT27; however, Winnti is known to target more niche companies such as video game development companies⁸. The configuration block itself has links to an incident back in 2011 that can be linked to Winnti through TTPs and the fact that they had infiltrated the company whose software was altered and dropped onto SK Communications systems, resulting in the compromise. Additionally, looking at the Winnti infrastructure overlap TrendMicro were able to identify in their report, it is even clearer.
However, attribution is not simple to do. Based on the small number of samples we found in the incident, we are only able to speculate at this point. Aside from a sample of PlugX, MimiKatz, Clambling, and two UAC bypass exploits used by the attackers, we did not have much more to go on in terms of Post Exploitation tools. We hope that by sharing our research, we can help generate more research on this particular group, and any links they may have to other campaigns, both new and old.

REFERENCES

1. https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf
2. https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
3. https://labs.k7computing.com/?p=20808
4. https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2013/04/20082912/C5_APT_SKHack.pdf
5. http://www.estsoftinc.com/
6. https://analyze.intezer.com/analyses/be4ba3bc-70a2-43ba-b4c9-9c8fde0818f1
7. https://securelist.com/winnti-faq-more-than-just-a-game/57585/
8. https://attack.mitre.org/groups/G0044/
IOCs

TYPE                                 FILE NAME
Binaries
  LEGITIMATE SIGNED GOOGLEUPDATE     GoogleUpdate.exe, debug.exe
  MALICIOUS SIDELOADED GOOPDATE.DLL  goopdate.dll
  CLAMBLING ENCRYPTED PAYLOAD        English.rtf
  PLUGX ENCRYPTED PAYLOAD            license.rtf
C2s
  http://www.kkxx888666[.]com
  http://www.betwln520[.]com

FILE HASH (MD5), in the order listed for the binaries above [row alignment lost in extraction]:
  566889837d4143308f75947137a44b1e
  1d8143098a9b5cee7dacf94cf0c33b36
  a3bb12a1f0b2aec32ad57204efa4164c
  3ba61604758b8a55f9a45915e8e7f4aa
  47a34aa4dac4f07d2925d792b03fa878

YARA Rules

    rule backdoor_clambling {
        meta:
            author = "Daniel Bunce | SecurityJoes"
            description = "Detect Clambling Backdoor through Strings and Keylogger Encryption Algorithm"
        strings:
            $str0 = "[%04d-%02d-%02d %02d:%02d:%02d] | %s | %s | %s" wide
            $str1 = "%s | [%04d-%02d-%02d %02d:%02d:%02d] | %s | %s" wide
            $str2 = "%s\\*.log" wide
            $str3 = "GetRawInputData"
            $str4 = "RegisterRawInputDevices"
            $str5 = "WTSEnumerateSessionsW"
            $str6 = "CreateEnvironmentBlock"
            $str7 = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
            $str8 = "Software\\Microsoft\\Windows\\CurrentVersion\\Run" wide
            $rtti1 = "PortMap" nocase
            $rtti2 = "KeyLog" nocase
            $rtti3 = "Telnet" nocase
            $rtti4 = "Screen" nocase
            $rtti5 = "Shell" nocase
            $rtti6 = "FileManager" nocase
            $rtti7 = "Plugin" nocase
            // $re1 reconstructed from a garbled extraction of this document;
            // confirm against the published rule at the repository linked below.
            $re1 = /\x80([\xC0-\xFF])(.)\x80([\xC0-\xFF])(.)\x80([\xC0-\xFF])(.)/
        condition:
            uint16(0) == 0x5A4D and 3 of ($str*) and any of ($rtti*) and $re1
    }

Our YARA rules are publicly available at: https://github.com/Profero-SecurityJoes/yara

For additional information please reach out to contact@securityjoes.com or contact@profero.io
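To see how the rule above evaluates against a file, here is an added Python rendering of its condition; it is not code from the report or from the linked repository. It assumes the $re1 pattern exactly as reproduced in this document, searches the 'wide' strings as UTF-16LE and the 'nocase' RTTI names case-insensitively, and runs against two constructed byte buffers rather than real samples.

```python
"""Evaluate the backdoor_clambling condition in plain Python.

Added example, not from the report or its YARA repository. It mirrors the rule
so the effect of each modifier is visible: 'wide' strings are searched as
UTF-16LE, 'nocase' RTTI names case-insensitively, and $re1 as a bytes regex
(taken as rendered in this document). The two buffers at the bottom are
constructed, not real samples.
"""
import re


def wide(s: str) -> bytes:
    return s.encode("utf-16-le")     # YARA 'wide' modifier


def narrow(s: str) -> bytes:
    return s.encode("ascii")         # plain (non-wide) YARA string


# $str0 .. $str8, wide where the rule says so
STRINGS = [
    wide("[%04d-%02d-%02d %02d:%02d:%02d] | %s | %s | %s"),
    wide("%s | [%04d-%02d-%02d %02d:%02d:%02d] | %s | %s"),
    wide("%s\\*.log"),
    narrow("GetRawInputData"),
    narrow("RegisterRawInputDevices"),
    narrow("WTSEnumerateSessionsW"),
    narrow("CreateEnvironmentBlock"),
    narrow("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"),
    wide("Software\\Microsoft\\Windows\\CurrentVersion\\Run"),
]
# $rtti1 .. $rtti7, all 'nocase'
RTTI_NAMES = [b"PortMap", b"KeyLog", b"Telnet", b"Screen", b"Shell",
              b"FileManager", b"Plugin"]
# $re1: three consecutive "80 /r ib" style byte groups (opcode 0x80, a
# register-direct ModRM byte, one immediate byte). DOTALL so '.' also matches
# 0x0A, as a YARA regex does on raw bytes.
RE1 = re.compile(rb"\x80[\xC0-\xFF](.)\x80[\xC0-\xFF](.)\x80[\xC0-\xFF](.)", re.DOTALL)


def evaluate(buf: bytes) -> dict:
    """Break the condition into its four clauses and the overall verdict."""
    is_mz = buf[:2] == b"MZ"                                   # uint16(0) == 0x5A4D, little-endian
    n_strings = sum(1 for s in STRINGS if s in buf)            # 3 of ($str*)
    any_rtti = any(re.search(re.escape(n), buf, re.IGNORECASE) for n in RTTI_NAMES)
    re1_hit = RE1.search(buf) is not None
    return {
        "mz": is_mz,
        "strings": n_strings,
        "rtti": any_rtti,
        "re1": re1_hit,
        "match": is_mz and n_strings >= 3 and any_rtti and re1_hit,
    }


# Constructed buffer that satisfies every clause.
SAMPLE_HIT = (
    b"MZ" + b"\x90" * 64
    + wide("[%04d-%02d-%02d %02d:%02d:%02d] | %s | %s | %s") + b"\x00\x00"
    + narrow("GetRawInputData") + b"\x00"
    + narrow("RegisterRawInputDevices") + b"\x00"
    + narrow(".?AVCKeyLog@@") + b"\x00"          # MSVC RTTI-style type name (constructed)
    + b"\x80\xC0\x11\x80\xF0\x22\x80\xE8\x33"    # add al,11h / xor al,22h / sub al,33h (constructed)
    + b"\x00" * 16
)
# Constructed buffer: a PE header with only two of the strings and nothing else.
SAMPLE_MISS = (
    b"MZ" + b"\x00" * 64
    + narrow("GetRawInputData") + b"\x00"
    + wide("Software\\Microsoft\\Windows\\CurrentVersion\\Run") + b"\x00\x00"
)

if __name__ == "__main__":
    print(evaluate(SAMPLE_HIT))     # match True
    print(evaluate(SAMPLE_MISS))    # match False
```

The per-clause breakdown is what makes this useful during triage: a sample that hits the strings and RTTI names but not $re1 is still worth a look, since the string set is the part a variant is least likely to change.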