The Chinese Advanced Persistent Threat group APT15 has been found responsible for compromising a UK government contractor using two new backdoors, RoyalCLI and RoyalDNS, during 2016/17.
RoyalCLI establishes communication with Command and Control (C2) servers using the IWebBrowser2 Command Object Model interface in Internet Explorer. RoyalDNS uses text records in the Domain Name System for C2 instead.
When C2 is established the group then conducts network enumeration and reconnaissance activities, as well as lateral movement through the network. This usually involves manual remote execution of built-in Windows utilities including task list, ping, netstat, net, system info, ipconfig _and _bcp.
The RoyalCli backdoor was attempting to communicate to the following domains:
The BS2005 backdoor utilised the following domains for C2:
RoyalDNS backdoor was seen communicating to the domain:
Possible linked APT15 domains include:
Microsoft Windows – All versions