APT27 Turns To Ransomware – A Gaming Industry Case Study

In December 2020, The Global Threat Center Intelligence Team analyzed samples of malware involving ransomware and encryption of servers of major gaming companies around the world. The team identified this variant as Clambling, which resembles the APT27-associated DRBControl. One interesting fact about DRBControl backdoor is its ability to utilize Dropbox as a Command and Control (C2) server. Even though the variant of Clambling is very similar to DRBControl, it lacks the Dropbox capabilities of DRBControl. In addition to the discovered backdoor, the team also located the ASPXSpy webshell, a sample of PlugX, and Mimikatz. The malware encrypted core servers using BitLocker, a local drive encryption tool built-in windows. This attracted the concern of the team as, in most cases, threat actors prefer to drop ransomware to the machines rather than use local tools.

How the Actors Entered the System

The threat actors gained entry into the system through a third-party compromise. The PlugX and Clambling samples were loaded into the memory through a Google Updater executable. Each sample consisted of a legitimate executable, a malicious DLL, a binary file consisting of shellcode designed to extract the payload and execute it in the memory. Both the PlugX and Clambling samples used a signed Google Updater with the DLL labeled goopdate.dll. However, the PlugX binary file was named license.rtf, with the Clambling binary file named English.rtf. The binary responsible for escalating privileges by exploiting CVE-2017-0213 was also located. APT27 historically uses this exploit to escalate privileges.

How Clambling Infects the System

Execution of Clambling

Upon entry, the threat is executed based on the number of arguments and not the content of the arguments as it would be expected. The program writes the encrypted on-board configuration into the registry and decrypts it in memory for later use in the sample. The program is executed in four steps.

Argument 1

The first argument sets up persistence through registry services and executes DLL side loading. This is achieved if the sample has the correct privileges. Otherwise, the program has to utilize the Run key in the registry.

Argument 2

In the second argument, the sample initiates msiexec.exe and injects itself into it. The sample achieves this by allocating the memory in the remote suspended process and writing itself into the memory. The program patches the entry points and passes in the argument 0x120000.

Argument 3

The third argument initiates communication with the C2 server and injects itself in the spawned svchost.exe. There are three main communication protocols utilized, including raw UDP, raw TCP, and HTTP.

Argument 4

Finally, the fourth argument sets up a pipe with the msiexec.exe process and establishes the main backdoor activities. The communication function will, from this point, undergo loops until it receives a command to clean up the machine and terminate itself. The second msiexec.exe process executes various commands, including gathering system information, updating the current implant, and cleaning any traces of the malware on the disk.

X-PHY Protection Method

The threat actors enter the system by loading in various files disguised as legitimate executable files.  X-PHY AI Embedded Cyber Secure SSD contains X-PHY Forensic Agent which keeps tabs on everything that happens in the system to ensure that it does not harm the system and that the data is used legitimately. The active detective logs detailed records of all modifications in the system including who, what, and when the modifications are executed. 

While the Forensic front-end gauges the modifications executed by these samples against the data writing average, LBA hashing tables, and accumulative I/Os, the backend takes care of behavioral analysis and threat detection. Even though the files pose as legitimate when loading into the system, the X-PHY Forensic Agent will identify the malicious DLL in the samples during extraction of payload into the memory. As such, the X-PHY AI Embedded Cyber Secure SSD will trigger X-Guard threat lock to initiate lockdown and raise alert over the attack.

X-PHY Forensic Agent Verifies Legitimacy of Executable Files

The execution of the threat involves a set of activities that establish a backdoor and initiates a communication loops through the backdoor. X-PHY AI Embedded Cyber Secure SSD contains sophisticated AI algorithm that constantly monitors all activities at the firmware level to determine any irregularities. The AI algorithm will detect the unusual trait at the backdoor and trigger the X-Guard threat lock to restrict physical access of the NAND flash storage. X-PHY AI Embedded Cyber Secure SSD will alert the network team to restrict all external network access to the database protecting the system from attackers.

Share This On Your Favorite Social Media!