ALMA Communicator is a backdoor trojan created by the state-sponsored OilRig group that uses DNS tunnelling to receive commands and exfiltrate data. It is delivered by a specially crafted Excel document (called “Clayslide” by OilRig) that contains malicious macros. It is important to note that ALMA has no internal configuration, instead relying on the Clayslide file for this.
The most recent build of Clayslide operates in a similar way to its predecessors, as it initially displays an “Incompatible” worksheet that states that the Excel file was created with a newer version of Excel and the user needs to “Enable Content” to view the document. If the user clicks “Enable Content”, a malicious macro will run that begins by displaying a hidden worksheet that contains decoy contents
As it communicates using DNS requests, ALMA can only handle very limited volumes of data (download 10 bytes and upload 4 bytes per request). As such, any sizeable amount of data will generate a large number of DNS request, potentially alerting a user to an infection.
The OilRig threat group continues to use their Clayslide delivery document in their attack campaigns. The current variant of Clayslide also suggests that this group continues to develop these delivery documents with new installation techniques to evade detection. This threat group also continues to add new payloads to their toolset as well, with ALMA Communicator being the most recent addition. Lastly, it appears that OilRig still prefers using DNS tunneling for its C2 channel of choice, as ALMA Communicator, Helminth and ISMAgent all use this technique for C2 communications.
Command and Control IP Addresses
184.108.40.206 and 220.127.116.11
Microsoft Windows – All Versions
Duncan is a technology professional with over 20 years experience of working in various IT roles. He also has a wide range of other skills in radio, electronics and telecommunications.