Remsec
Associated Software Descriptions
| Name | Description |
|---|---|
| ProjectSauron |
ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. [2] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account | |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| .003 | Application Layer Protocol: Mail Protocols | |||
| .004 | Application Layer Protocol: DNS | |||
| Enterprise | T1059 | .011 | Command and Scripting Interpreter: Lua | |
| Enterprise | T1025 | Data from Removable Media |
Remsec has a package that collects documents from any inserted USB sticks.[3] |
|
| Enterprise | T1652 | Device Driver Discovery |
Remsec has a plugin to detect active drivers of some security products.[3] |
|
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.[5] |
| Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB |
Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.[5] |
| Enterprise | T1068 | Exploitation for Privilege Escalation |
Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.[3] |
|
| Enterprise | T1083 | File and Directory Discovery |
Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.[4][5][3] |
|
| Enterprise | T1562 | .004 | Impair Defenses: Disable or Modify System Firewall |
Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.[3] |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.[4][5][3] |
| Enterprise | T1105 | Ingress Tool Transfer |
Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[4][3] |
|
| Enterprise | T1056 | .001 | Input Capture: Keylogging | |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.[8][5] |
| Enterprise | T1556 | .002 | Modify Authentication Process: Password Filter DLL |
Remsec harvests plain-text credentials as a password filter registered on domain controllers.[5] |
| Enterprise | T1046 | Network Service Discovery |
Remsec has a plugin that can perform ARP scanning as well as port scanning.[3] |
|
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.[4][3] |
| Enterprise | T1003 | .002 | OS Credential Dumping: Security Account Manager | |
| Enterprise | T1057 | Process Discovery | ||
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection | |
| Enterprise | T1018 | Remote System Discovery | ||
| Enterprise | T1053 | Scheduled Task/Job |
Remsec schedules the execution one of its modules by creating a new scheduler task.[3] |
|
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Remsec has a plugin detect security products via active drivers.[3] |
| Enterprise | T1082 | System Information Discovery |
Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.[3] |
|
| Enterprise | T1016 | System Network Configuration Discovery |
Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.[3] |
|
| Enterprise | T1049 | System Network Connections Discovery |
Remsec can obtain a list of active connections and open ports.[3] |
|
| Enterprise | T1033 | System Owner/User Discovery | ||
Groups That Use This Software
References
- Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
- Michael Mimoso. (2016, August 8). ProjectSauron APT On Par With Equation, Flame, Duqu. Retrieved January 10, 2024.
- Global Research and Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 5, 2024.
- Warwick Ashford. (2016, August 8). Strider cyber attack group deploying malware for espionage. Retrieved January 10, 2024.