RoyalCli

Description

RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker’s command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.

Names

Name
RoyalCli

Type

Backdoor
Info stealer
Exfiltration

Information

https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
https://github.com/nccgroup/Royal_APT

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli

Alienvault Otx

https://otx.alienvault.com/browse/pulses?q=tag:RoyalCli

Other Information

Uuid

dc1d097f-ddef-41bd-9316-229867d167be

Last Card Change

2020-05-14

Threat Intelligence Garden

Explorer

RoyalCli

RoyalCli

Description

Names

Category

Type

Information

Malpedia

Alienvault Otx

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks