Trojan.Clampi is an interesting threat, which we described in many blog entries over the past month. We’ve now compiled these entries, along with some new material, into a research paper—Inside the Jaws of Trojan.Clampi.
In a nutshell, Clampi is an Infostealer. Its executable can be seen as a host for separate modules that contain the threat's real payloads; these modules are heavily protected against reverse-engineering as well. Their functionality ranges from stealing banking-site passwords, to gathering local credentials, to acting as a SOCKS proxy. Communication with Clampi's command & control servers, the "Gates", uses HTTP and is encrypted. Clampi spawns an Internet Explorer instance and uses it as an API proxy for its network communication, bypassing firewalls along the way.
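The "spawn Internet Explorer and use it as a network proxy" behaviour is one of the few observable traces a host-level defender gets, since the traffic itself looks like browser HTTP. The script below is an added example (not code from Symantec or from the research paper) of a simple hunting heuristic over process-creation telemetry: flag any iexplore.exe whose parent is not a process that normally launches the browser. The log format, the sample records, the paths and the parent allow-list are all constructed assumptions for the example; real telemetry (Sysmon event 1, EDR process trees) carries the same pid/ppid/image fields under other names.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation records (not real telemetry).
# One record per line: pid=<n> ppid=<n> image=<path>
# pid 2310 models the Clampi pattern: a browser started by an unknown
# user-profile binary rather than by the desktop shell.
SAMPLE_EVENTS = """\
pid=400 ppid=1 image=C:\\Windows\\explorer.exe
pid=1200 ppid=400 image=C:\\Program Files\\Internet Explorer\\iexplore.exe
pid=2300 ppid=400 image=C:\\Users\\alice\\AppData\\Roaming\\updater.exe
pid=2310 ppid=2300 image=C:\\Program Files\\Internet Explorer\\iexplore.exe
pid=2500 ppid=1200 image=C:\\Program Files\\Internet Explorer\\iexplore.exe
pid=2600 ppid=9999 image=C:\\Program Files\\Internet Explorer\\iexplore.exe
"""

# Assumed allow-list of images that legitimately start iexplore.exe:
# the desktop shell and IE itself (frame process starting tab processes).
# Tune this for your environment; other launchers will show up as hits.
ALLOWED_PARENTS = {"explorer.exe", "iexplore.exe"}

EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(.+)")


def parse_events(text: str) -> Dict[int, Tuple[int, str]]:
    """Map pid -> (ppid, image path); malformed lines are skipped."""
    procs: Dict[int, Tuple[int, str]] = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        pid, ppid, image = int(m.group(1)), int(m.group(2)), m.group(3).strip()
        procs[pid] = (ppid, image)
    return procs


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_ie_launches(text: str,
                           allowed_parents=ALLOWED_PARENTS) -> List[Tuple[int, str]]:
    """Return (pid, parent image) for every iexplore.exe whose parent is not
    on the allow-list. A parent missing from the telemetry (already exited,
    or spoofed ppid) is reported as "<unknown>" rather than silently passed."""
    procs = parse_events(text)
    findings: List[Tuple[int, str]] = []
    for pid, (ppid, image) in sorted(procs.items()):
        if basename(image) != "iexplore.exe":
            continue
        parent = procs.get(ppid)
        parent_image = parent[1] if parent else "<unknown>"
        if parent is None or basename(parent_image) not in allowed_parents:
            findings.append((pid, parent_image))
    return findings


if __name__ == "__main__":
    for pid, parent in suspicious_ie_launches(SAMPLE_EVENTS):
        print(f"iexplore.exe pid {pid} started by unexpected parent: {parent}")
```

On the sample data the two hits are pid 2310 (parent is an unsigned binary under the user's roaming profile) and pid 2600 (parent not present in the log). The heuristic is deliberately coarse: it does not see the API calls Clampi makes into the spawned browser, only the parent-child relationship, so corroborate hits with the parent's file location, signature status and outbound connections.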
One thing we mentioned only in passing in the blog entries is that the main executable and the modules are protected from reverse-engineering by VMProtect, a commercial packer that virtualizes executable code. In the paper we go a little deeper, introducing the reader to how VMProtect works, how it affects Clampi and the effort needed to analyze such files, and presenting ways to partially reverse the protection scheme so that white-box analysis of this threat becomes possible.
I hope you enjoyed this series of technical blogs. Finally, special thanks go to Eric Chien, Patrick Fitzgerald and Ben Nahorney for their additions, edits and encouragement.