Remexi
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1010 | Application Window Discovery | Remexi has a command to capture active windows on the machine and retrieve window titles.[1] |
Enterprise | T1115 | Clipboard Data | |
Enterprise | T1059 | Command-Line Interface | |
Enterprise | T1022 | Data Encrypted | Remexi encrypts and adds all gathered browser data into files for upload to C2.[1] |
Enterprise | T1140 | Deobfuscate/Decode Files or Information | Remexi decrypts the configuration data using XOR with 25-character keys.[1] |
Enterprise | T1041 | Exfiltration Over Command and Control Channel | Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.[1] |
Enterprise | T1083 | File and Directory Discovery | |
Enterprise | T1056 | Input Capture | Remexi gathers and exfiltrates keystrokes from the machine.[1] |
Enterprise | T1027 | Obfuscated Files or Information | |
Enterprise | T1060 | Registry Run Keys / Startup Folder | Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[1] |
Enterprise | T1053 | Scheduled Task | Remexi utilizes scheduled tasks as a persistence mechanism.[1] |
Enterprise | T1113 | Screen Capture | |
Enterprise | T1064 | Scripting | Remexi uses AutoIt and VBS scripts throughout its execution process.[1] |
Enterprise | T1071 | Standard Application Layer Protocol | Remexi uses BITSAdmin to communicate with the C2 server over HTTP.[1] |
Enterprise | T1047 | Windows Management Instrumentation | Remexi executes received commands with wmic.exe (for WMI commands).[1] |
Enterprise | T1004 | Winlogon Helper DLL | Remexi achieves persistence using Userinit by adding the Registry key |
Groups That Use This Software
ID | Name | References |
---|---|---|
G0087 | APT39 | [2] [1] |