
RoyalCLI

Posted: May 28, 2020

RoyalCLI is a backdoor Trojan that provides attackers with a remote connection to your computer. Through this Command & Control contact, hackers may infiltrate other network systems, collect credentials like passwords and install other threats. Users should protect themselves by following appropriate network security guidelines and allowing their anti-malware services to delete RoyalCLI on sight.

One of a Set of Invisible Trojans with Command over Your PC

Ke3chang is a threat actor whose name recurs in many reports concerning illicit reconnaissance activities that breach enterprise business, government, and NGO networks worldwide. One of its characteristic tactical patterns is a willingness to use semi-redundant tools in its attacks, such as multiple backdoor Trojans or password collectors, to solidify its hold over a network. RoyalCLI provides a working example, and readers may think of it as a 'brotherly companion' to RoyalDNS.

RoyalCLI's name is pulled directly from a debugging string in its code; the 'CLI' portion is a possible reference to command-line interfaces. Although RoyalCLI is likely an update of the older BS2005 RAT, some attack incidents include close or concurrent installations of both Trojans alongside RoyalDNS. Samples of RoyalCLI from 2017 also use a surprisingly primitive, batch-script-based model for system persistence. Since Ke3chang, also known as APT15, is an experienced cyber-warfare organization, malware experts estimate that this choice is purely due to some anti-detection advantage.

RoyalCLI's core function is more or less identical to BS2005's C&C methodology: it uses Internet Explorer, via a COM interface, to contact the server. APT15 could update this connection choice in the future, since it is a publicly-exposed factor in the successful analyses of RoyalCLI's system commands. Users should assume that attackers may leverage RoyalCLI for downloading other threats, collecting private information (including login credentials), and traversing intranet systems and removable devices, among other dangers.
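The two observable traits described above (batch-script autostart persistence and Internet Explorer driven through COM by another program) can be hunted for with a short PowerShell triage script. The following is an added example written for this page, not code from the original article or from any analysis of RoyalCLI; the parent-process heuristic for iexplore.exe is an assumption (an interactive user launch normally has explorer.exe as its parent), and every hit is a candidate for analyst review, not a confirmed detection.

```powershell
# Added example: hunt for batch-script persistence and COM-launched IE.
# Heuristic only; output rows are candidates for review.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# 1. Autostart registry values that invoke a .bat/.cmd script directly
#    or through "cmd.exe /c" / "cmd /k".
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties | Where-Object { $_.Name -notmatch '^PS' }) {
        $value = [string]$p.Value
        if ($value -match '(?i)\.(bat|cmd)\b' -or $value -match '(?i)\bcmd(\.exe)?\s+/[ck]\b') {
            [pscustomobject]@{ Source = $key; Name = $p.Name; Detail = $value; Reason = 'batch-script autostart' }
        }
    }
}

# 2. Batch scripts placed in the per-user or all-users Startup folders.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
Get-ChildItem -Path $startupDirs -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in '.bat', '.cmd' } |
    ForEach-Object {
        [pscustomobject]@{ Source = $_.DirectoryName; Name = $_.Name; Detail = $_.FullName; Reason = 'batch script in Startup folder' }
    }

# 3. iexplore.exe instances whose parent is not explorer.exe. IE instantiated
#    over COM by another program is not a child of the desktop shell, so these
#    merit a look (assumption: interactive launches have explorer.exe as parent).
Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { '<exited>' }
    if ($parentName -ne 'explorer.exe') {
        [pscustomobject]@{
            Source = "PID $($_.ProcessId)"; Name = $_.Name; Detail = $_.CommandLine
            Reason = "parent is $parentName (PID $($_.ParentProcessId))"
        }
    }
}
```

Run it in an elevated session so the HKLM keys and all processes are readable; legitimate administrative scripts in Run keys will also appear and need to be triaged by hand.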

Abolishing a Snoopy of Not-Exactly-Royal Lineage

RoyalCLI isn't a hireable threat that criminals could acquire on the black market. Like Okrum, BS2005, or Ketrican, its presence is a telltale flag of the activities of the APT15 hacking group. This organization specializes in exfiltrating data from highly-secured targets around the world and is exceptionally evasive, using living-off-the-land techniques where appropriate. Ke3chang also is aggressively persistent about reacquiring 'lost' targets, using golden ticket attacks and other means of reinfecting disinfected networks.

Network admins can check the noted indicators of compromise and domain contact activity for samples of RoyalCLI and the other Trojans in this threat actor's arsenal. Users also should prioritize securing passwords and evading possible attacks, such as spear-phishing e-mails that carry corrupted attachments or Web links. The latter are elements in the strategies of this threat actor, as they are of many other well-funded hacking organizations.

Since there are limited opportunities for identifying this threat by sight, all users should have anti-malware services to detect and quarantine or delete RoyalCLI in infection scenarios.

RoyalCLI is an evolution of one Trojan and a cohort to three others, but this duplication of effort shows its controllers' persistence. Hackers who will stop at nothing to get into a network and stay there still require specific Trojan tools, at least, which is a weakness for staging counter-offensives against them.
