ATT&CKcon 6.0 is coming October 14-15 in McLean, VA and live online. To potentially join us on stage, submit to our CFP by July 9th

Remexi

Remexi is a Windows-based Trojan that was developed in the C programming language.^[1]

ID: S0375

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 17 April 2019

Last Modified: 11 April 2024

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Remexi uses BITSAdmin to communicate with the C2 server over HTTP.^[1]
Enterprise	T1010		Application Window Discovery	Remexi has a command to capture active windows on the machine and retrieve window titles.^[1]
Enterprise	T1560		Archive Collected Data	Remexi encrypts and adds all gathered browser data into files for upload to C2.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.^[1]
		.004	Boot or Logon Autostart Execution: Winlogon Helper DLL	Remexi achieves persistence using Userinit by adding the Registry key `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit`.^[1]
Enterprise	T1115		Clipboard Data	Remexi collects text from the clipboard.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Remexi silently executes received commands with cmd.exe.^[1]
		.005	Command and Scripting Interpreter: Visual Basic	Remexi uses AutoIt and VBS scripts throughout its execution process.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Remexi decrypts the configuration data using XOR with 25-character keys.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.^[1]
Enterprise	T1083		File and Directory Discovery	Remexi searches for files on the system. ^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	Remexi gathers and exfiltrates keystrokes from the machine.^[1]
Enterprise	T1027	.013	Obfuscated Files or Information: Encrypted/Encoded File	Remexi obfuscates its configuration data with XOR.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	Remexi utilizes scheduled tasks as a persistence mechanism.^[1]
Enterprise	T1113		Screen Capture	Remexi takes screenshots of windows of interest.^[1]
Enterprise	T1047		Windows Management Instrumentation	Remexi executes received commands with wmic.exe (for WMI commands). ^[1]

Groups That Use This Software

ID	Name	References
G0087	APT39	^[2]^[1]^[3]

References

Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.

Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.