RoyalCLI and RoyalDNS Backdoors
The Chinese Advanced Persistent Threat group APT15 has been found responsible for compromising a UK government contractor using two new backdoors, RoyalCLI and RoyalDNS, during 2016/17.
RoyalCLI communicates with its Command and Control (C2) servers through Internet Explorer's IWebBrowser2 COM (Component Object Model) interface. RoyalDNS instead uses DNS TXT records for C2.
Once C2 is established, the group conducts network enumeration and reconnaissance, followed by lateral movement through the network. This usually involves manually running built-in Windows utilities remotely, including tasklist, ping, netstat, net, systeminfo, ipconfig and bcp.
Domains
The RoyalCLI backdoor was attempting to communicate with the following domains:
- News.memozilla[.]org
- video.memozilla[.]org
The BS2005 backdoor utilised the following domains for C2:
- Run.linodepower[.]com
- Singa.linodepower[.]com
- log.autocount[.]org
The RoyalDNS backdoor was seen communicating with the domain:
- andspurs[.]com
Possible linked APT15 domains include:
- Micakiz.wikaba[.]org
- cavanic9[.]net
- ridingduck[.]com
- zipcodeterm[.]com
- dnsapp[.]info
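As an added detection example (not part of the original post), the following Python script checks two things a defender would want to look for given the above: TXT lookups to the listed C2 domains in a DNS resolver log, and a burst of the built-in reconnaissance utilities named above on a single host in a process-creation log. Both log formats and all sample lines are constructed for the example.

```python
# Added detection example, not from the original post: flag DNS TXT lookups to
# the C2 domains listed above and bursts of the recon utilities the post names.
import re
from collections import defaultdict
# Indicators quoted from the post; the defanged "[.]" is normalised for matching.
C2_DOMAINS = {d.replace("[.]", ".").lower() for d in (
    "News.memozilla[.]org", "video.memozilla[.]org", "andspurs[.]com",
    "Run.linodepower[.]com", "Singa.linodepower[.]com", "log.autocount[.]org")}
RECON_TOOLS = {"tasklist", "ping", "netstat", "net", "systeminfo", "ipconfig", "bcp"}
# Constructed DNS resolver log in a hypothetical "ts client qtype qname" format.
DNS_LOG = """
1 10.0.0.5 A www.example.com
2 10.0.0.5 TXT abc123.andspurs.com
3 10.0.0.7 TXT _dmarc.example.com
4 10.0.0.5 TXT def456.andspurs.com
"""
# Constructed process-creation log in a hypothetical "ts host image" format.
PROC_LOG = r"""
100 WS01 C:\Windows\System32\tasklist.exe
110 WS01 C:\Windows\System32\ipconfig.exe
115 WS01 C:\Windows\System32\netstat.exe
130 WS01 C:\Windows\System32\net.exe
140 WS01 C:\Windows\System32\systeminfo.exe
500 WS02 C:\Windows\System32\ping.exe
"""

def dns_hits(log):
    """(client, qname) for TXT queries to a listed C2 domain or a subdomain of it."""
    hits = []
    for line in log.strip().splitlines():
        _ts, client, qtype, qname = line.split()
        name = qname.lower().rstrip(".")
        if qtype == "TXT" and (name in C2_DOMAINS or
                               any(name.endswith("." + d) for d in C2_DOMAINS)):
            hits.append((client, name))
    return hits

def recon_bursts(log, window=60, threshold=4):
    """Hosts that ran >= threshold distinct recon tools within `window` seconds."""
    by_host = defaultdict(list)
    for line in log.strip().splitlines():
        ts, host, image = line.split(maxsplit=2)
        tool = re.split(r"[\\/]", image)[-1].lower().removesuffix(".exe")
        if tool in RECON_TOOLS:
            by_host[host].append((int(ts), tool))
    flagged = {}
    for host, events in by_host.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # sliding window from each event
            seen = {tool for t, tool in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                flagged[host] = sorted(seen)
                break
    return flagged
```

Subdomain matching matters for RoyalDNS-style C2 because data is typically carried in the query name prefix, so exact-domain matching alone would miss it.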
Affected platforms
Microsoft Windows – All versions

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.