SYMBOLCOMMON_NAMEaka. SYNONYMS
win.clambling (Back to overview)

Clambling


Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as C&C channel to hide its communication.

References
2021-01-04ProferoProfero, SecurityJoes
@techreport{profero:20210104:apt27:a281786, author = {Profero and SecurityJoes}, title = {{APT27 Turns to Ransomware}}, date = {2021-01-04}, institution = {Profero}, url = {https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf}, language = {English}, urldate = {2021-01-10} } APT27 Turns to Ransomware
Clambling
2021-01-04Bleeping ComputerIonut Ilascu
@online{ilascu:20210104:chinas:9677dc6, author = {Ionut Ilascu}, title = {{China's APT hackers move to ransomware attacks}}, date = {2021-01-04}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/}, language = {English}, urldate = {2021-01-11} } China's APT hackers move to ransomware attacks
Clambling PlugX
2020-02-18Trend MicroDaniel Lunghi, Cedric Pernet, Kenney Lu, Jamz Yaneza
@techreport{lunghi:20200218:uncovering:d96f725, author = {Daniel Lunghi and Cedric Pernet and Kenney Lu and Jamz Yaneza}, title = {{Uncovering DRBControl}}, date = {2020-02-18}, institution = {Trend Micro}, url = {https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf}, language = {English}, urldate = {2020-04-01} } Uncovering DRBControl
Clambling
Yara Rules
[TLP:WHITE] win_clambling_auto (20210616 | Detects win.clambling.)
rule win_clambling_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.clambling."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { b940000000 ff15???????? 448b8c24a0000000 488b8c24b0000000 }
            // n = 4, score = 300
            //   b940000000           | dec                 ecx
            //   ff15????????         |                     
            //   448b8c24a0000000     | cmp                 dword ptr [esp], eax
            //   488b8c24b0000000     | je                  0x1902

        $sequence_1 = { 4c8d442430 33d2 c744243001000000 c744243c02000000 ff15???????? 85c0 7508 }
            // n = 7, score = 300
            //   4c8d442430           | dec                 eax
            //   33d2                 | mov                 ecx, ebp
            //   c744243001000000     | cmp                 edi, 0x23f0
            //   c744243c02000000     | dec                 esp
            //   ff15????????         |                     
            //   85c0                 | lea                 eax, dword ptr [0x172c7]
            //   7508                 | inc                 cx

        $sequence_2 = { 483bcf 740b ff15???????? 48897c2450 488b4c2458 }
            // n = 5, score = 300
            //   483bcf               | mov                 ecx, 0x3000
            //   740b                 | mov                 ebx, eax
            //   ff15????????         |                     
            //   48897c2450           | dec                 eax
            //   488b4c2458           | mov                 ecx, dword ptr [edi + 0x80]

        $sequence_3 = { 3bfd 7ce0 668b5c2430 8b742438 4c8b7c2448 }
            // n = 5, score = 300
            //   3bfd                 | je                  0x57a
            //   7ce0                 | inc                 edi
            //   668b5c2430           | inc                 esp
            //   8b742438             | add                 esp, ebp
            //   4c8b7c2448           | cmp                 edi, esi

        $sequence_4 = { 89742428 89742420 ff15???????? 3bc6 7417 488b542470 488b8c24a8010000 }
            // n = 7, score = 300
            //   89742428             | jb                  0xa21
            //   89742420             | dec                 eax
            //   ff15????????         |                     
            //   3bc6                 | lea                 ecx, dword ptr [esp + 0x150]
            //   7417                 | test                eax, eax
            //   488b542470           | cmp                 dword ptr [esp + 0x28], 4
            //   488b8c24a8010000     | jne                 0xa11

        $sequence_5 = { 488bcf e8???????? 4c8d9c2480100000 8bc3 }
            // n = 4, score = 300
            //   488bcf               | xor                 esi, esi
            //   e8????????           |                     
            //   4c8d9c2480100000     | dec                 eax
            //   8bc3                 | mov                 ebx, ecx

        $sequence_6 = { 7414 83f803 7508 c70701000000 eb13 bb4f050000 eb0c }
            // n = 7, score = 300
            //   7414                 | mov                 ebx, eax
            //   83f803               | inc                 ecx
            //   7508                 | cmp                 eax, ebp
            //   c70701000000         | mov                 word ptr [esi], ax
            //   eb13                 | mov                 word ptr [esi + 2], bx
            //   bb4f050000           | mov                 word ptr [esi + 4], bx
            //   eb0c                 | mov                 ebx, eax

        $sequence_7 = { ff15???????? 8bd8 488b4c2460 483bce 7410 }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   8bd8                 | dec                 eax
            //   488b4c2460           | mov                 ecx, dword ptr [ecx + 0x40]
            //   483bce               | dec                 eax
            //   7410                 | test                ecx, ecx

        $sequence_8 = { ff15???????? 493bdc 7409 488bcb ff15???????? }
            // n = 5, score = 300
            //   ff15????????         |                     
            //   493bdc               | mov                 esi, dword ptr [ecx]
            //   7409                 | test                ebx, ebx
            //   488bcb               | dec                 eax
            //   ff15????????         |                     

        $sequence_9 = { 48897c2420 ff15???????? 488b4c2450 8bd8 ff15???????? }
            // n = 5, score = 300
            //   48897c2420           | dec                 eax
            //   ff15????????         |                     
            //   488b4c2450           | lea                 ecx, dword ptr [esp + 0x120]
            //   8bd8                 | mov                 edx, 0x104
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 412672
}
Download all Yara Rules