RoyalCli (Malware Family)

RoyalCli

Actor(s): Mirage

VTCollection

RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.

References

2020-01-01 ⋅ Secureworks ⋅ SecureWorks
BRONZE PALACE
BS2005 Enfal Mirage RoyalCli Royal DNS APT15

2018-03-16 ⋅ Github (nccgroup) ⋅ NCC Group PLC
Royal APT - APT15 Repository
BS2005 MS Exchange Tool RoyalCli Royal DNS APT15

2018-03-10 ⋅ NCC Group ⋅ Rob Smallridge
APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS
BS2005 MS Exchange Tool RoyalCli Royal DNS APT15

Yara Rules

[TLP:WHITE] win_royalcli_auto (20260504 | Detects win.royalcli.)

rule win_royalcli_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.royalcli."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ffd6 b907000000 8db57cf7ffff 8dbd60f7ffff f3a5 }
            // n = 5, score = 100
            //   ffd6                 | call                esi
            //   b907000000           | mov                 ecx, 7
            //   8db57cf7ffff         | lea                 esi, [ebp - 0x884]
            //   8dbd60f7ffff         | lea                 edi, [ebp - 0x8a0]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]

        $sequence_1 = { ffd6 8d8df4f6ffff 51 ffd6 }
            // n = 4, score = 100
            //   ffd6                 | call                esi
            //   8d8df4f6ffff         | lea                 ecx, [ebp - 0x90c]
            //   51                   | push                ecx
            //   ffd6                 | call                esi

        $sequence_2 = { 6804010000 8d95e0feffff 52 68???????? 68???????? 68???????? ffd7 }
            // n = 7, score = 100
            //   6804010000           | push                0x104
            //   8d95e0feffff         | lea                 edx, [ebp - 0x120]
            //   52                   | push                edx
            //   68????????           |                     
            //   68????????           |                     
            //   68????????           |                     
            //   ffd7                 | call                edi

        $sequence_3 = { 8b4808 334804 8b500c 3310 8d8178563412 356699aa55 03c2 }
            // n = 7, score = 100
            //   8b4808               | mov                 ecx, dword ptr [eax + 8]
            //   334804               | xor                 ecx, dword ptr [eax + 4]
            //   8b500c               | mov                 edx, dword ptr [eax + 0xc]
            //   3310                 | xor                 edx, dword ptr [eax]
            //   8d8178563412         | lea                 eax, [ecx + 0x12345678]
            //   356699aa55           | xor                 eax, 0x55aa9966
            //   03c2                 | add                 eax, edx

        $sequence_4 = { 8be5 5d c3 53 56 8d85d8fdffff 50 }
            // n = 7, score = 100
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   53                   | push                ebx
            //   56                   | push                esi
            //   8d85d8fdffff         | lea                 eax, [ebp - 0x228]
            //   50                   | push                eax

        $sequence_5 = { 03ca 32d8 32d9 8ac3 8b5d08 88041f 47 }
            // n = 7, score = 100
            //   03ca                 | add                 ecx, edx
            //   32d8                 | xor                 bl, al
            //   32d9                 | xor                 bl, cl
            //   8ac3                 | mov                 al, bl
            //   8b5d08               | mov                 ebx, dword ptr [ebp + 8]
            //   88041f               | mov                 byte ptr [edi + ebx], al
            //   47                   | inc                 edi

        $sequence_6 = { 8bd0 83e01f c1fa05 8b1495c04b4100 59 c1e006 }
            // n = 6, score = 100
            //   8bd0                 | mov                 edx, eax
            //   83e01f               | and                 eax, 0x1f
            //   c1fa05               | sar                 edx, 5
            //   8b1495c04b4100       | mov                 edx, dword ptr [edx*4 + 0x414bc0]
            //   59                   | pop                 ecx
            //   c1e006               | shl                 eax, 6

        $sequence_7 = { 6a00 57 e8???????? 83c40c 8d85a4feffff }
            // n = 5, score = 100
            //   6a00                 | push                0
            //   57                   | push                edi
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8d85a4feffff         | lea                 eax, [ebp - 0x15c]

        $sequence_8 = { 57 56 e8???????? c1f805 56 8d3c85c04b4100 }
            // n = 6, score = 100
            //   57                   | push                edi
            //   56                   | push                esi
            //   e8????????           |                     
            //   c1f805               | sar                 eax, 5
            //   56                   | push                esi
            //   8d3c85c04b4100       | lea                 edi, [eax*4 + 0x414bc0]

        $sequence_9 = { 8bf9 85c9 7428 0fb61c32 8bc8 c1e90f 03c0 }
            // n = 7, score = 100
            //   8bf9                 | mov                 edi, ecx
            //   85c9                 | test                ecx, ecx
            //   7428                 | je                  0x2a
            //   0fb61c32             | movzx               ebx, byte ptr [edx + esi]
            //   8bc8                 | mov                 ecx, eax
            //   c1e90f               | shr                 ecx, 0xf
            //   03c0                 | add                 eax, eax

    condition:
        7 of them and filesize < 204800
}

[TLP:WHITE] win_royalcli_w0 (20180312 | Detects malware from APT 15 report by NCC Group)

import "pe"

rule win_royalcli_w0 {
    meta:
        description = "Detects malware from APT 15 report by NCC Group"
        author = "Florian Roth"
        reference = "https://goo.gl/HZ5XMN"
        date = "2018-03-10"
        hash = "6df9b712ff56009810c4000a0ad47e41b7a6183b69416251e060b5c80cd05785"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli"
        malpedia_version = "20180312"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "\\Release\\RoyalCli.pdb" ascii
        $s2 = "%snewcmd.exe" fullword ascii
        $s3 = "Run cmd error %d" fullword ascii
        $s4 = "%s~clitemp%08x.ini" fullword ascii
        $s5 = "run file failed" fullword ascii
        $s6 = "Cmd timeout %d" fullword ascii
        $s7 = "2 %s  %d 0 %d" fullword ascii
    condition:
        2 of them
}

Download all Yara Rules

RoyalCli Propose Change

References

Yara Rules

RoyalCli