1. Home
  2. Software
  3. RCSession

RCSession

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).[1][2][3]

ID: S0662
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 19 November 2021
Last Modified: 11 April 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

RCSession can bypass UAC to escalate privileges.[3]
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RCSession can use HTTP in C2 communications.[3][4]
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

RCSession has the ability to modify a Registry Run key to establish persistence.[3][4]
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RCSession can use cmd.exe for execution on compromised hosts.[3]
Enterprise T1005 Data from Local System

RCSession can collect data from a compromised host.[4][3]
Enterprise T1573 Encrypted Channel

RCSession can use an encrypted beacon to check in with C2.[1]
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

RCSession can be installed via DLL side-loading.[1][3][4]
Enterprise T1070 .004 Indicator Removal: File Deletion

RCSession can remove files from a targeted system.[4]
Enterprise T1105 Ingress Tool Transfer

RCSession has the ability to drop additional files to an infected machine.[4]
Enterprise T1056 .001 Input Capture: Keylogging

RCSession has the ability to capture keystrokes on a compromised host.[3][4]
Enterprise T1036 Masquerading

RCSession has used a file named English.rtf to appear benign on victim hosts.[1][3]
Enterprise T1112 Modify Registry

RCSession can write its configuration file to the Registry.[3][4]
Enterprise T1106 Native API

RCSession can use WinSock API for communication including WSASend and WSARecv.[4]
Enterprise T1095 Non-Application Layer Protocol

RCSession has the ability to use TCP and UDP in C2 communications.[3][4]
Enterprise T1027 .011 Obfuscated Files or Information: Fileless Storage

RCSession can store its obfuscated configuration file in the Registry under HKLM\SOFTWARE\Plus or HKCU\SOFTWARE\Plus.[3][4]
.013 Obfuscated Files or Information: Encrypted/Encoded File

RCSession can compress and obfuscate its strings to evade detection on a compromised host.[3]
Enterprise T1057 Process Discovery

RCSession can identify processes based on PID.[4]
Enterprise T1055 .012 Process Injection: Process Hollowing

RCSession can launch itself from a hollowed svchost.exe process.[1][3][4]
Enterprise T1113 Screen Capture

RCSession can capture screenshots from a compromised host.[4]
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

RCSession has the ability to execute inside the msiexec.exe process.[4]
Enterprise T1082 System Information Discovery

RCSession can gather system information from a compromised host.[4]
Enterprise T1033 System Owner/User Discovery

RCSession can gather system owner information, including user and administrator privileges.[4]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[2][3][4]
G0129 Mustang Panda

[1]

References

  1. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  2. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  1. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  2. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.