SYMBOLCOMMON_NAMEaka. SYNONYMS
win.royalcli (Back to overview)

RoyalCli

Actor(s): Mirage


RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.

References
2020SecureworksSecureWorks
@online{secureworks:2020:bronze:134ec2b, author = {SecureWorks}, title = {{BRONZE PALACE}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/bronze-palace}, language = {English}, urldate = {2020-05-23} } BRONZE PALACE
BS2005 Enfal Mirage RoyalCli Royal DNS Mirage
2018-03-16Github (nccgroup)NCC Group PLC
@online{plc:20180316:royal:7ff57f8, author = {NCC Group PLC}, title = {{Royal APT - APT15 Repository}}, date = {2018-03-16}, organization = {Github (nccgroup)}, url = {https://github.com/nccgroup/Royal_APT}, language = {English}, urldate = {2020-01-09} } Royal APT - APT15 Repository
BS2005 MS Exchange Tool RoyalCli Royal DNS Mirage
2018-03-10NCC GroupRob Smallridge
@online{smallridge:20180310:apt15:e5e7ef0, author = {Rob Smallridge}, title = {{APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS}}, date = {2018-03-10}, organization = {NCC Group}, url = {https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/}, language = {English}, urldate = {2021-04-29} } APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS
BS2005 MS Exchange Tool RoyalCli Royal DNS Mirage
Yara Rules
[TLP:WHITE] win_royalcli_auto (20220411 | Detects win.royalcli.)
rule win_royalcli_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.royalcli."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 8d42e0 3c58 770f 0fbec2 0fbe8030f24000 }
            // n = 5, score = 100
            //   8d42e0               | lea                 eax, dword ptr [edx - 0x20]
            //   3c58                 | cmp                 al, 0x58
            //   770f                 | ja                  0x11
            //   0fbec2               | movsx               eax, dl
            //   0fbe8030f24000       | movsx               eax, byte ptr [eax + 0x40f230]

        $sequence_1 = { 8985b0f9ffff 8d45e8 50 68???????? }
            // n = 4, score = 100
            //   8985b0f9ffff         | mov                 dword ptr [ebp - 0x650], eax
            //   8d45e8               | lea                 eax, dword ptr [ebp - 0x18]
            //   50                   | push                eax
            //   68????????           |                     

        $sequence_2 = { 85c0 742c 8b95e8feffff 8b85ecfeffff }
            // n = 4, score = 100
            //   85c0                 | test                eax, eax
            //   742c                 | je                  0x2e
            //   8b95e8feffff         | mov                 edx, dword ptr [ebp - 0x118]
            //   8b85ecfeffff         | mov                 eax, dword ptr [ebp - 0x114]

        $sequence_3 = { 8d8dfcfeffff 68???????? 51 e8???????? 83c408 eb2b 8d95fcfeffff }
            // n = 7, score = 100
            //   8d8dfcfeffff         | lea                 ecx, dword ptr [ebp - 0x104]
            //   68????????           |                     
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   eb2b                 | jmp                 0x2d
            //   8d95fcfeffff         | lea                 edx, dword ptr [ebp - 0x104]

        $sequence_4 = { 8b02 8b4de4 50 53 }
            // n = 4, score = 100
            //   8b02                 | mov                 eax, dword ptr [edx]
            //   8b4de4               | mov                 ecx, dword ptr [ebp - 0x1c]
            //   50                   | push                eax
            //   53                   | push                ebx

        $sequence_5 = { 6800000400 8974241c e8???????? 83c404 8944241c 85c0 }
            // n = 6, score = 100
            //   6800000400           | push                0x40000
            //   8974241c             | mov                 dword ptr [esp + 0x1c], esi
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8944241c             | mov                 dword ptr [esp + 0x1c], eax
            //   85c0                 | test                eax, eax

        $sequence_6 = { e8???????? 83c420 8945e0 3bc3 7513 5f 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c420               | add                 esp, 0x20
            //   8945e0               | mov                 dword ptr [ebp - 0x20], eax
            //   3bc3                 | cmp                 eax, ebx
            //   7513                 | jne                 0x15
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi

        $sequence_7 = { 8bf1 83e61f 8d3c85c04b4100 8b07 c1e606 f644300401 7436 }
            // n = 7, score = 100
            //   8bf1                 | mov                 esi, ecx
            //   83e61f               | and                 esi, 0x1f
            //   8d3c85c04b4100       | lea                 edi, dword ptr [eax*4 + 0x414bc0]
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   c1e606               | shl                 esi, 6
            //   f644300401           | test                byte ptr [eax + esi + 4], 1
            //   7436                 | je                  0x38

        $sequence_8 = { 6880000000 6a03 8910 668b15???????? 6a00 894804 6a02 }
            // n = 7, score = 100
            //   6880000000           | push                0x80
            //   6a03                 | push                3
            //   8910                 | mov                 dword ptr [eax], edx
            //   668b15????????       |                     
            //   6a00                 | push                0
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   6a02                 | push                2

        $sequence_9 = { c1fe05 c1e106 030cb5c04b4100 eb02 8bca f641247f }
            // n = 6, score = 100
            //   c1fe05               | sar                 esi, 5
            //   c1e106               | shl                 ecx, 6
            //   030cb5c04b4100       | add                 ecx, dword ptr [esi*4 + 0x414bc0]
            //   eb02                 | jmp                 4
            //   8bca                 | mov                 ecx, edx
            //   f641247f             | test                byte ptr [ecx + 0x24], 0x7f

    condition:
        7 of them and filesize < 204800
}
[TLP:WHITE] win_royalcli_w0   (20180312 | Detects malware from APT 15 report by NCC Group)
import "pe"

rule win_royalcli_w0 {
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        author = "Florian Roth"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "\\Release\\RoyalCli.pdb" ascii
        $s2 = "%snewcmd.exe" fullword ascii
        $s3 = "Run cmd error %d" fullword ascii
        $s4 = "%s~clitemp%08x.ini" fullword ascii
        $s5 = "run file failed" fullword ascii
        $s6 = "Cmd timeout %d" fullword ascii
        $s7 = "2 %s  %d 0 %d" fullword ascii
    condition:
        2 of them
}
Download all Yara Rules