JUST RELEASED: ATT&CK for Industrial Control Systems

SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

X-Agent for Android

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

X-Agent for Android

Y-Z

Remexi

Remexi is a Windows-based Trojan that was developed in the C programming language.^[1]

ID: S0375

Type: MALWARE

Platforms: Windows

Version: 1.0

Created: 17 April 2019

Last Modified: 22 April 2019

Techniques Used

Domain	ID	Name	Use
Enterprise	T1010	Application Window Discovery	Remexi has a command to capture active windows on the machine and retrieve window titles.^[1]
Enterprise	T1115	Clipboard Data	Remexi collects text from the clipboard.^[1]
Enterprise	T1059	Command-Line Interface	Remexi silently executes received commands with cmd.exe.^[1]
Enterprise	T1022	Data Encrypted	Remexi encrypts and adds all gathered browser data into files for upload to C2.^[1]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Remexi decrypts the configuration data using XOR with 25-character keys.^[1]
Enterprise	T1041	Exfiltration Over Command and Control Channel	Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.^[1]
Enterprise	T1083	File and Directory Discovery	Remexi searches for files on the system.^[1]
Enterprise	T1056	Input Capture	Remexi gathers and exfiltrates keystrokes from the machine.^[1]
Enterprise	T1027	Obfuscated Files or Information	Remexi obfuscates its configuration data with XOR.^[1]
Enterprise	T1060	Registry Run Keys / Startup Folder	Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.^[1]
Enterprise	T1053	Scheduled Task	Remexi utilizes scheduled tasks as a persistence mechanism.^[1]
Enterprise	T1113	Screen Capture	Remexi takes screenshots of windows of interest.^[1]
Enterprise	T1064	Scripting	Remexi uses AutoIt and VBS scripts throughout its execution process.^[1]
Enterprise	T1071	Standard Application Layer Protocol	Remexi uses BITSAdmin to communicate with the C2 server over HTTP.^[1]
Enterprise	T1047	Windows Management Instrumentation	Remexi executes received commands with wmic.exe (for WMI commands).^[1]
Enterprise	T1004	Winlogon Helper DLL	Remexi achieves persistence using Userinit by adding the Registry key `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit`.^[1]

Groups That Use This Software

ID	Name	References
G0087	APT39	^[2] ^[1]

References

Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.

Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.