Too HIP to be Clomp-y

We have seen a flurry of Clomp malware samples this week — a family of Trojans that tend to install themselves on systems with unsuspecting names like “lsas.exe” or “svchosts.exe” before calling home to some malicious domain to report their latest infection.

Clomp does have some intriguing properties — it breaks up its functionality into piecemeal units of work, and forks off a separate instance of Internet Explorer which it uses to run each of these bits — using CreateRemoteThread to essentially turn iexplore.exe into its own custom RPC service. Most cunning (or maybe just most naive) is the initial code injection into IE to setup this RPC capability — the Trojan just passes the shellcode as a command line argument.

Being a process argument, the shellcode naturally gets copied into IE’s address space. While this command certainly doesn’t open any webpage, the Clomp variant can then search IE’s memory for the start of the shellcode and derive from that the destination address for its CreateRemoteThread calls.

This clever tactic is also its downfall — Sophos customers with HIPS enabled have proactive protection against Clomp variants.