Aliases: Remsec, Backdoor.Remsec, ProjectSauron
| Name | Description |
|---|---|
| ProjectSauron | ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | Remsec can obtain a list of users. |
| Enterprise | T1003 | Credential Dumping | Remsec can dump the SAM database. |
| Enterprise | T1094 | Custom Command and Control Protocol | Remsec is capable of using ICMP, TCP, and UDP for C2. |
| Enterprise | T1025 | Data from Removable Media | Remsec has a package that collects documents from any inserted USB sticks. |
| Enterprise | T1089 | Disabling Security Tools | Remsec can add or remove applications or ports on the Windows firewall or disable it entirely. |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel. |
| Enterprise | T1052 | Exfiltration Over Physical Medium | Remsec contains a module to move data from air-gapped networks to Internet-connected systems by using a removable USB device. |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges. |
| Enterprise | T1083 | File and Directory Discovery | Remsec is capable of listing the contents of folders on the victim. Remsec also searches for custom network encryption software on victims. |
| Enterprise | T1107 | File Deletion | Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data. |
| Enterprise | T1056 | Input Capture | Remsec contains a keylogger component. |
| Enterprise | T1036 | Masquerading | The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMware. Remsec also disguised malicious modules using filenames similar to those of custom network encryption software on victims. |
| Enterprise | T1046 | Network Service Scanning | Remsec has a plugin that can perform ARP scanning as well as port scanning. |
| Enterprise | T1027 | Obfuscated Files or Information | Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded. |
| Enterprise | T1174 | Password Filter DLL | Remsec harvests plain-text credentials as a password filter registered on domain controllers. |
| Enterprise | T1057 | Process Discovery | Remsec can obtain a process list from the victim. |
| Enterprise | T1055 | Process Injection | Remsec can perform DLL injection. |
| Enterprise | T1105 | Remote File Copy | Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS. |
| Enterprise | T1018 | Remote System Discovery | Remsec can ping or traceroute a remote host. |
| Enterprise | T1053 | Scheduled Task | Remsec schedules the execution of one of its modules by creating a new scheduler task. |
| Enterprise | T1063 | Security Software Discovery | Remsec has a plugin to detect active drivers of some security products. |
| Enterprise | T1071 | Standard Application Layer Protocol | Remsec is capable of using HTTP, HTTPS, SMTP, and DNS for C2. |
| Enterprise | T1032 | Standard Cryptographic Protocol | Remsec's network loader encrypts C2 traffic with RSA and RC6. |
| Enterprise | T1095 | Standard Non-Application Layer Protocol | Remsec is capable of using ICMP, TCP, and UDP for C2. |
| Enterprise | T1082 | System Information Discovery | Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition. |
| Enterprise | T1016 | System Network Configuration Discovery | Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache. |
| Enterprise | T1049 | System Network Connections Discovery | Remsec can obtain a list of active connections and open ports. |
| Enterprise | T1033 | System Owner/User Discovery | Remsec can obtain information about the current user. |
| Enterprise | T1065 | Uncommonly Used Port | A Remsec module has a default C2 port of 13000. |
Groups that use this software: Strider