RoyalCli (ac04d0b0-c6b5-4125-acd7-c58dfe7ad4cf)
The RoyalCli backdoor appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary: 'c:\users\wizard\documents\visual studio 2010\Projects\RoyalCli\Release\RoyalCli.pdb' RoyalCli and BS2005 both communicate with the attacker's command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2. Due to the nature of the technique, this results in C2 data being cached to disk by the IE process; we'll get to this later.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| RoyalCli (92d87656-5e5b-410c-bdb6-bf028324dc72) | Malpedia | RoyalCli (ac04d0b0-c6b5-4125-acd7-c58dfe7ad4cf) | Tool | 1 |