Now that we have an overview of what Clop is, it's time to dig into how they have been operating. First, let's identify the tools they have been using.
How does Clop operate?
CL0P's toolkit is a collection of malware used for information gathering and follow-on access. It includes the following:
- FlawedAmmyy/FlawedGrace remote access trojan (RAT): This malware collects information and communicates with a Command and Control (C2) server. It enables the download of additional malware components.
- SDBot RAT: It propagates the infection by exploiting vulnerabilities and dropping copies of itself in removable drives, network shares, and peer-to-peer (P2P) networks. SDBot acts as a backdoor, allowing other commands and functions to be executed on the compromised computer. It uses application shimming for persistence and to avoid detection.
- Truebot: Developed by the Silence hacking group, Truebot is a first-stage downloader module. It can collect system information, take screenshots, and connect to the C2 infrastructure. It can be instructed to load shell code or DLLs, download additional modules, run them, or delete itself. Truebot has been used by TA505 to download FlawedGrace or Cobalt Strike beacons.
- Cobalt Strike: This commercial post-exploitation framework is used to expand network access after the actors gain entry to the Active Directory (AD) server.
- DEWMODE: It is a PHP-based web shell that targets Accellion FTA devices. DEWMODE interacts with the underlying MySQL database and is used for stealing data from the compromised device.
- LEMURLOOT: It is a C#-based web shell designed to target the MOVEit Transfer platform. LEMURLOOT authenticates incoming HTTP requests with a hard-coded password and can run commands to download files from MOVEit Transfer, extract Azure system settings, retrieve detailed record information, and create, insert, or delete specific users. The web shell returns data in a compressed format (gzip) when responding to requests.
How has Clop attacked organizations?
The most notable attack launched by Clop has been against the MOVEit file transfer software, which is at the heart of the most recent attacks. We are going to take a look at the telltale signs of the threat actors.
MOVEit is often used by organizations to handle their file transfers. It has a web application that works with different databases such as MySQL, Microsoft SQL Server, and Azure SQL. In May 2023, the CL0P ransomware group exploited a previously unknown vulnerability in the software, now tracked as CVE-2023-34362.
This allowed them to install a malicious tool called LEMURLOOT on the MOVEit Transfer web application. The purpose of LEMURLOOT was to stay hidden, gather information, and steal data from the MOVEit Transfer instance compromised through CVE-2023-34362. To carry out its tasks, the web shell used software libraries such as "MOVEit.DMZ.ClassLib," "MOVEit.DMZ.Application.Files," and "MOVEit.DMZ.Application.Users" to interact with the MOVEit file transfer software. To appear legitimate, the web shell was initially named human2.aspx, masquerading as the real human.aspx file that ships with MOVEit Transfer. During installation, the tool generated a random 36-character password for authentication.
It communicated with its operators through HTTP requests containing a specific header named X-siLock-Comment. The value of this header had to match the password set during installation. Once authenticated, the operators could send commands to the tool. These commands allowed them to:
- Get information about Microsoft Azure system settings, Azure Blob Storage, Azure Blob Storage account, Azure Blob key, and Azure Blob Container.
- Gather details about the underlying SQL database.
- Store a string supplied by the operator and then retrieve the file in the MOVEit Transfer system whose name matches it.
- Create a new administrator-privileged account with a randomly generated username, with the other account values set to "Health Check Service."
- Delete an account whose values are set to "Health Check Service."
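The two host-level indicators described above (a human2.aspx file masquerading as human.aspx and authenticated with an X-siLock-Comment header, and administrator accounts whose values read "Health Check Service") can be checked for from the defender's side. The script below is an added example for this post, not code from the original article or from any vendor. It assumes two things: that IIS W3C logging on the MOVEit server has been extended with a custom field named X-siLock-Comment (IIS does not log custom request headers by default, so the field name and its presence are an assumption), and that user records have been exported as dictionaries whose column names (username, realname, email, permission) are illustrative, not MOVEit's real schema. All log lines and user rows are constructed sample data.

```python
"""Triage checks for the LEMURLOOT indicators described in the post.

Added example; the log layout, custom header field and user columns are
assumptions, and every line of sample data is constructed.
"""
from collections import namedtuple

Hit = namedtuple("Hit", "time client uri status reason")


def parse_w3c(lines):
    """Yield one dict per data line of an IIS W3C Extended log.

    The column names come from the most recent '#Fields:' directive, so the
    parser does not depend on a fixed column order.
    """
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misattribute columns
        yield dict(zip(fields, values))


def scan_iis_log(lines):
    """Flag requests to human2.aspx and any request carrying X-siLock-Comment."""
    hits = []
    for rec in parse_w3c(lines):
        uri = rec.get("cs-uri-stem", "").lower()
        reasons = []
        if uri.endswith("/human2.aspx"):
            reasons.append("request to human2.aspx")
        # Assumed custom logging field; IIS writes "-" when a field is empty.
        if rec.get("X-siLock-Comment", "-") != "-":
            reasons.append("X-siLock-Comment header present")
        if reasons:
            hits.append(Hit(
                f"{rec.get('date')} {rec.get('time')}",
                rec.get("c-ip"),
                rec.get("cs-uri-stem"),
                rec.get("sc-status"),
                "; ".join(reasons),
            ))
    return hits


def find_health_check_accounts(users):
    """Return (username, [fields]) for accounts carrying the marker string.

    The comparison is case-insensitive and ignores surrounding whitespace so a
    cosmetic variation of the value does not slip past the check.
    """
    marker = "health check service"
    flagged = []
    for user in users:
        matching = [key for key, value in user.items()
                    if isinstance(value, str) and value.strip().lower() == marker]
        if matching:
            flagged.append((user.get("username"), matching))
    return flagged


# Constructed sample log; addresses are from documentation ranges and the
# header value is a made-up 36-character string, not a real observed token.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status X-siLock-Comment
2023-06-01 10:15:02 203.0.113.7 GET /human.aspx 200 -
2023-06-01 10:15:09 203.0.113.7 POST /human2.aspx 200 -
2023-06-01 10:16:30 198.51.100.22 POST /human2.aspx 200 00000000-1111-2222-3333-444444444444
2023-06-01 10:17:01 192.0.2.5 GET /human.aspx 200 -
""".splitlines()

# Constructed user export with the illustrative column names noted above.
SAMPLE_USERS = [
    {"username": "jsmith", "realname": "Jane Smith",
     "email": "jsmith@example.com", "permission": "user"},
    {"username": "a8f3k2", "realname": "Health Check Service",
     "email": "Health Check Service", "permission": "admin"},
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit.time} {hit.client} {hit.uri} {hit.status}: {hit.reason}")
    for username, fields in find_health_check_accounts(SAMPLE_USERS):
        print(f"suspicious account {username!r}: marker in {fields}")
```

Run against the constructed data, the log scan returns two hits (both POSTs to human2.aspx, the second also carrying the header) and the account review returns the single account whose realname and email fields are set to the marker. On a real server the log field list and the exported user columns must be substituted for the assumed ones before the results mean anything.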
The vendor, Progress Software, discovered this vulnerability (CVE-2023-34362) in MOVEit Transfer and provided guidance on affected versions, software upgrades, and patches. Due to evidence of active exploitation, CISA (the Cybersecurity and Infrastructure Security Agency) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on June 2, 2023. The following versions of MOVEit Transfer are affected:
- MOVEit Transfer 2023.0.0
- MOVEit Transfer 2022.1.x
- MOVEit Transfer 2022.0.x
- MOVEit Transfer 2021.1.x
- MOVEit Transfer 2021.0.x
- MOVEit Transfer 2020.1.x
- MOVEit Transfer 2020.0.x
Based on how quickly and easily the TA505 group exploited this vulnerability, and considering their past activities, the FBI and CISA anticipate widespread exploitation of unpatched software in both private and public networks.
Hopefully you have found this guide useful. Stay on your toes for Clop!