Remsec

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. [1]

ID: S0125
Aliases: Remsec, Backdoor.Remsec, ProjectSauron
Type: MALWARE
Platforms: Windows

Version: 1.0

Alias Descriptions

| Name | Description |
|---|---|
| ProjectSauron | ProjectSauron is used to refer both to the threat group also known as G0041 and to the malware platform also known as S0125. [5] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087 | Account Discovery | Remsec can obtain a list of users. [2] |
| Enterprise | T1003 | Credential Dumping | Remsec can dump the SAM database. [2] |
| Enterprise | T1094 | Custom Command and Control Protocol | Remsec is capable of using ICMP, TCP, and UDP for C2. [3][4] |
| Enterprise | T1025 | Data from Removable Media | Remsec has a package that collects documents from any inserted USB sticks. [2] |
| Enterprise | T1089 | Disabling Security Tools | Remsec can add or remove applications or ports on the Windows firewall or disable it entirely. [2] |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel. [4] |
| Enterprise | T1052 | Exfiltration Over Physical Medium | Remsec contains a module to move data from air-gapped networks to Internet-connected systems by using a removable USB device. [4] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges. [2] |
| Enterprise | T1083 | File and Directory Discovery | Remsec is capable of listing the contents of folders on the victim. Remsec also searches for custom network encryption software on victims. [3][4][2] |
| Enterprise | T1107 | File Deletion | Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data. [3][4][2] |
| Enterprise | T1056 | Input Capture | Remsec contains a keylogger component. [3][2] |
| Enterprise | T1036 | Masquerading | The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMware. Remsec also disguised malicious modules using filenames similar to those of custom network encryption software on victims. [3][4] |
| Enterprise | T1046 | Network Service Scanning | Remsec has a plugin that can perform ARP scanning as well as port scanning. [2] |
| Enterprise | T1027 | Obfuscated Files or Information | Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded. [3][2] |
| Enterprise | T1174 | Password Filter DLL | Remsec harvests plain-text credentials as a password filter registered on domain controllers. [4] |
| Enterprise | T1057 | Process Discovery | Remsec can obtain a process list from the victim. [2] |
| Enterprise | T1055 | Process Injection | Remsec can perform DLL injection. [2] |
| Enterprise | T1105 | Remote File Copy | Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS. [3][2] |
| Enterprise | T1018 | Remote System Discovery | Remsec can ping or traceroute a remote host. [2] |
| Enterprise | T1053 | Scheduled Task | Remsec schedules the execution of one of its modules by creating a new scheduler task. [2] |
| Enterprise | T1063 | Security Software Discovery | Remsec has a plugin to detect active drivers of some security products. [2] |
| Enterprise | T1071 | Standard Application Layer Protocol | Remsec is capable of using HTTP, HTTPS, SMTP, and DNS for C2. [3][4][2] |
| Enterprise | T1032 | Standard Cryptographic Protocol | Remsec's network loader encrypts C2 traffic with RSA and RC6. [3] |
| Enterprise | T1095 | Standard Non-Application Layer Protocol | Remsec is capable of using ICMP, TCP, and UDP for C2. [3][4] |
| Enterprise | T1082 | System Information Discovery | Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition. [2] |
| Enterprise | T1016 | System Network Configuration Discovery | Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache. [2] |
| Enterprise | T1049 | System Network Connections Discovery | Remsec can obtain a list of active connections and open ports. [2] |
| Enterprise | T1033 | System Owner/User Discovery | Remsec can obtain information about the current user. [2] |
| Enterprise | T1065 | Uncommonly Used Port | A Remsec module has a default C2 port of 13000. [2] |

Groups

Groups that use this software:

Strider

References