Added RoyalCli and RoyalDNS related to APT15 based on information from NCC Group

This commit is contained in:
Dennis Rand 2018-03-15 22:08:06 +00:00
parent bfc83ad305
commit 080e68a30f

View file

@ -11,7 +11,7 @@
], ],
"description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.", "description": "threat-actor-tools is an enumeration of tools used by adversaries. The list includes malware but also common software regularly used by the adversaries.",
"uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f", "uuid": "0d821b68-9d82-4c6d-86a6-1071a9e0f79f",
"version": 57, "version": 58,
"values": [ "values": [
{ {
"meta": { "meta": {
@ -4049,6 +4049,25 @@
] ]
}, },
"uuid": "49025073-4cd3-43b8-b893-e80a1d3adc04" "uuid": "49025073-4cd3-43b8-b893-e80a1d3adc04"
},
{
"value": "RoyalCli",
"description": "The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary: 'c:\\users\\wizard\\documents\\visual studio 2010\\Projects\\RoyalCli\\Release\\RoyalCli.pdb' RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2. Due to the nature of the technique, this results in C2 data being cached to disk by the IE process; we'll get to this later.",
"meta": {
"refs": [
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
]
},
"uuid": "ac04d0b0-c6b5-4125-acd7-c58dfe7ad4cf"
},
{
"value": "RoyalDNS",
"meta": {
"refs": [
"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/"
]
},
"uuid": "7b20b78a-df6e-40c7-9a3a-363f040cfad7"
} }
] ]
} }