Tactics, Techniques and Procedures for  Clop



Sponsored by Hudson RockUse Hudson Rock's free cybercrime intelligence tools to learn how Infostealer infections are impacting your business

Initial Access (TA0001) Execution (TA0002) Persistence (TA0003) Privilege Escalation (TA0004) Defense Evasion (TA0005) Discovery (TA0007) Lateral Movement (TA0008) Collection (TA0009) Exfiltration (TA0010) Command and Control (TA0011) Impact (TA0040)
Phishing: Spear-phishing attachment (T1566.001)
Arrives via phishing emails that have Get2 Loader, which will download the SDBot and FlawedAmmy RAT.
Native API (T1106)
Uses native API to execute various commands/routines.
Boot or logon autostart execution (T1547)
Creates registry run entries to execute the ransomware as a service.
Domain Policy modification: Group Policy modification (T1484.001)
Uses stolen credentials to access the AD servers to gain administrator privilege and attack other machines within the network.
Masquerading: invalid code signature (T1036.001)
Makes use of the following digital signatures: DVERI, FADO, TOV.
File and directory discovery (T1083)
Searches for specific files and the directory related to its encryption.
Lateral tool transfer (T1570)
Can make use of RDP to transfer the ransomware or tools within the network.
Data from local system (T1005)
Might make use of RDP to manually search for valuable files or information.
Exfiltration over web service (T1567)
DEWMODE web shell extracts list of available files from a MySQL database on the FTA and lists these files and corresponding their metadata. These will then be downloaded using the DEWMODE web shell.
Application Layer Protocol (T1071)
Uses http/s to communicate to its C&C server.
Data encrypted for impact (T1486)
Uses a combination of Salsa20, AES, and ECDH to encrypt the files and key.
Exploit public-facing application (T1190)
Arrives via any the following exploits: CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, CVE-2021-27104, CVE-2021-35211.
Command and scripting interpreter (T1059)
Uses various scripting interpreters like PowerShell, Windows command shell and Visual Basic (macro in documents).
Create or modify system process: Windows service (T1543.003)
Creates a service to execute the ransomware.
Exploitation for privilege escalation (T1068)
Makes use of CVE-2021-27102 to escalate privilege.
Impair defenses: disable or modify tools (T1562.001)
Disables security-related software by terminating them.
Remote system discovery (T1018)
Makes use of tools for network scans.
Remote services: SMB/Windows admin shares (T1021.002)
Drops a copy of the payload to the compromised AD and then creates a service on the target machine to execute the copy of the payload.
Inhibit system recovery (T1490)
Deletes shadow copies.
Valid accounts (T1078)
Have been reported to make use of compromised accounts to access victims via RDP.
User execution (T1204)
User execution is needed to carry out the payload from the spear-phishing link/attachments.
Hijack execution flow (T1574)
UAC bypass.
Deobfuscate/Decode files or information (T1140)
The tool used for exfiltration has a part of its malware trace removal, and it drops a base-64 encoded file.
Process discovery (T1057)
Discovers certain processes for process termination.
Indicator removal on host: file deletion (T1070.004)
Deletes traces of itself in the infected machine.
System information discovery (T1082)
Identifies keyboard layout and other system information.
Process injection: DLL injection (T1055.001)
To deliver other tools and payload, a tool has the capability to inject its downloaded payload.
Query registry (T1012)
Queries certain registries as part of its routine.
Indirect command execution (T1202)
A startup script runs just before the system gets to the login screen via startup registry.
Security software discovery (T1063)
Discovers security software for reconnaissance and termination.
Indicator removal on host: clear Windows event logs (T1070.001)
Clears the Event Viewer log files.

This information is provided by Crocodyli or Ransomware.live