win.clambling

Clambling


Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as a C&C channel to hide its communication.

References
2021-01-04 | Profero | Profero, SecurityJoes
@techreport{profero:20210104:apt27:a281786, author = {Profero and SecurityJoes}, title = {{APT27 Turns to Ransomware}}, date = {2021-01-04}, institution = {Profero}, url = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf}, language = {English}, urldate = {2021-01-10} } APT27 Turns to Ransomware
Clambling
2021-01-04 | Bleeping Computer | Ionut Ilascu
@online{ilascu:20210104:chinas:9677dc6, author = {Ionut Ilascu}, title = {{China's APT hackers move to ransomware attacks}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/}, language = {English}, urldate = {2021-01-11} } China's APT hackers move to ransomware attacks
Clambling PlugX
2020-02-18 | Trend Micro | Daniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@techreport{lunghi:20200218:uncovering:d96f725, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl}}, date = {2020-02-18}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf}, language = {English}, urldate = {2020-04-01} } Uncovering DRBControl
Clambling
Yara Rules
[TLP:WHITE] win_clambling_auto (20220411 | Detects win.clambling.)
/*
 * win_clambling_auto — Malpedia / yara-signator auto-generated detection for win.clambling.
 *
 * How it matches: ten byte sequences ($sequence_0 .. $sequence_9) taken from the
 * disassembly of unpacked samples and memory dumps (see the DISCLAIMER below).
 * The condition requires any 7 of the 10 sequences plus filesize < 412672 bytes.
 * "????????" bytes are wildcards covering call/jmp displacements, so each
 * sequence matches independently of where the code is located.
 *
 * Review notes (not part of the generated rule):
 *  - The auto-generated "| disassembly" column next to each byte sequence did
 *    not correspond to the bytes on the same line (it showed 32-bit decodes of
 *    unrelated offsets). It has been replaced below with a direct x86-64 decode
 *    of the bytes themselves; jump targets are written as relative offsets
 *    because the load address is unknown. Only the bytes are what YARA matches.
 *  - $sequence_4 (cmp/je chain) and $sequence_5 (push/sub prologue) are generic
 *    code shapes on their own; the rule's specificity comes from the 7-of-10
 *    requirement, not from any single sequence.
 *  - Because the strings come from unpacked code, packed on-disk samples are
 *    not expected to hit; scan unpacked files or memory dumps.
 *  - `filesize` is only defined when YARA scans a file, not a live process
 *    (confirm against your YARA version), so this condition needs a dump on
 *    disk rather than a PID scan.
 */
rule win_clambling_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.clambling."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each sequence: n = number of instructions, score = signator selection score.
        $sequence_0 = { 8bd8 488b4c2460 483bce 7410 }
            // n = 4, score = 300
            //   8bd8                 | mov                 ebx, eax
            //   488b4c2460           | mov                 rcx, qword ptr [rsp + 0x60]
            //   483bce               | cmp                 rcx, rsi
            //   7410                 | je                  +0x10

        $sequence_1 = { e8???????? 488d8c24b0000000 ff15???????? 448d6e01 48c7c501000080 03c0 }
            // n = 6, score = 300
            //   e8????????           | call                <rel32 wildcarded>
            //   488d8c24b0000000     | lea                 rcx, [rsp + 0xb0]
            //   ff15????????         | call                qword ptr [rip + <wildcarded>]
            //   448d6e01             | lea                 r13d, [rsi + 1]
            //   48c7c501000080       | mov                 rbp, 0xffffffff80000001  (imm32 0x80000001 sign-extended)
            //   03c0                 | add                 eax, eax

        $sequence_2 = { 7409 39ac2490020000 740f 488d542420 488bcf e8???????? }
            // n = 6, score = 300
            //   7409                 | je                  +0x09
            //   39ac2490020000       | cmp                 dword ptr [rsp + 0x290], ebp
            //   740f                 | je                  +0x0f
            //   488d542420           | lea                 rdx, [rsp + 0x20]
            //   488bcf               | mov                 rcx, rdi
            //   e8????????           | call                <rel32 wildcarded>

        $sequence_3 = { ff15???????? 33d2 33c9 41b83f000f00 ff15???????? }
            // n = 5, score = 300
            //   ff15????????         | call                qword ptr [rip + <wildcarded>]
            //   33d2                 | xor                 edx, edx
            //   33c9                 | xor                 ecx, ecx
            //   41b83f000f00         | mov                 r8d, 0xf003f
            //   ff15????????         | call                qword ptr [rip + <wildcarded>]
            // Argument shape (rcx = 0, rdx = 0, r8d = 0xf003f) is consistent with
            // OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); 0xf003f is also
            // KEY_ALL_ACCESS. The callee is wildcarded, so this is unconfirmed —
            // worth checking in the sample if service-manager activity matters to you.

        $sequence_4 = { 8b442450 83f801 7419 83f802 7414 }
            // n = 5, score = 300
            //   8b442450             | mov                 eax, dword ptr [rsp + 0x50]
            //   83f801               | cmp                 eax, 1
            //   7419                 | je                  +0x19
            //   83f802               | cmp                 eax, 2
            //   7414                 | je                  +0x14

        $sequence_5 = { 488bc4 53 55 56 57 4155 4883ec70 }
            // n = 7, score = 300
            //   488bc4               | mov                 rax, rsp
            //   53                   | push                rbx
            //   55                   | push                rbp
            //   56                   | push                rsi
            //   57                   | push                rdi
            //   4155                 | push                r13
            //   4883ec70             | sub                 rsp, 0x70
            // Plain x64 function prologue — low specificity on its own.

        $sequence_6 = { ba01000000 ff15???????? 41bb50000000 b9f5ffffff 418d4314 6644899c2410030000 6689842412030000 }
            // n = 7, score = 300
            //   ba01000000           | mov                 edx, 1
            //   ff15????????         | call                qword ptr [rip + <wildcarded>]
            //   41bb50000000         | mov                 r11d, 0x50
            //   b9f5ffffff           | mov                 ecx, 0xfffffff5
            //   418d4314             | lea                 eax, [r11 + 0x14]
            //   6644899c2410030000   | mov                 word ptr [rsp + 0x310], r11w
            //   6689842412030000     | mov                 word ptr [rsp + 0x312], ax

        $sequence_7 = { 488bd6 48897c2420 ff15???????? 488b4c2450 8bd8 }
            // n = 5, score = 300
            //   488bd6               | mov                 rdx, rsi
            //   48897c2420           | mov                 qword ptr [rsp + 0x20], rdi
            //   ff15????????         | call                qword ptr [rip + <wildcarded>]
            //   488b4c2450           | mov                 rcx, qword ptr [rsp + 0x50]
            //   8bd8                 | mov                 ebx, eax

        $sequence_8 = { 488d542440 488bce ff15???????? 440fb75c2440 66453bdd 7f0b }
            // n = 6, score = 300
            //   488d542440           | lea                 rdx, [rsp + 0x40]
            //   488bce               | mov                 rcx, rsi
            //   ff15????????         | call                qword ptr [rip + <wildcarded>]
            //   440fb75c2440         | movzx               r11d, word ptr [rsp + 0x40]
            //   66453bdd             | cmp                 r11w, r13w
            //   7f0b                 | jg                  +0x0b

        $sequence_9 = { e9???????? 3bf1 8bf9 7e6d 8b6c2434 4c8bbc24c0000000 }
            // n = 6, score = 300
            //   e9????????           | jmp                 <rel32 wildcarded>
            //   3bf1                 | cmp                 esi, ecx
            //   8bf9                 | mov                 edi, ecx
            //   7e6d                 | jle                 +0x6d
            //   8b6c2434             | mov                 ebp, dword ptr [rsp + 0x34]
            //   4c8bbc24c0000000     | mov                 r15, qword ptr [rsp + 0xc0]

    condition:
        // Any 7 of the 10 sequences, restricted to scanned files under 412672 bytes.
        7 of them and filesize < 412672
}