Software: Remsec, Backdoor.Remsec, ProjectSauron

Remsec, Backdoor.Remsec, ProjectSauron
Type: Software (Malware)
ID: S0125
Aliases: Remsec, Backdoor.Remsec, ProjectSauron

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua.[1]

Alias Descriptions

  • ProjectSauron - ProjectSauron is used to refer both to the threat group also known as Strider and to the malware platform also known as Remsec.[2]

Techniques Used

  • Masquerading - The Remsec loader installs itself under the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMware.[3][4] Remsec also disguised malicious modules using filenames similar to those of custom network encryption software found on victims.[4]
  • Obfuscated Files or Information - Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.[3][5]
  • Remote File Copy - Remsec contains a network loader that receives executable modules from remote attackers and runs them on the local victim. It can also upload and download files over HTTP and HTTPS.[3][5]
  • File and Directory Discovery - Remsec is capable of listing the contents of folders on the victim.[3][5] Remsec also searches for custom network encryption software on victims.[4]
  • File Deletion - Remsec is capable of deleting files on the victim.[3][5] It also securely removes itself after collecting and exfiltrating data.[4]
  • Scheduled Task - Remsec schedules the execution of one of its modules by creating a new scheduler task.[5]
  • Exploitation of Vulnerability - Remsec has a plugin that drops and executes vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.[5]
  • System Information Discovery - Remsec can obtain the OS version, computer name, processor architecture, machine role, and OS edition.[5]
  • Password Filter DLL - Remsec harvests plain-text credentials as a password filter registered on domain controllers.[4]
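Two of the techniques above, the loader registered as a Security Support Provider and the credential-harvesting password filter, leave a footprint in the LSA registry key: SSPs are listed in the `Security Packages` value and password filters in the `Notification Packages` value under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa`. The following is an added example, not code from this page or from any of the cited reports, showing how a defender can parse the text that `reg query` prints for that key and flag package names that are not in a known-good baseline. The sample `reg query` output and the package names `WinSecFilter` and `hpcustom` are constructed for illustration; the `BASELINE` sets are an assumption and should be replaced with values captured from a known-clean system of the same Windows build.

```python
import re

# Constructed sample of what `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa"`
# prints (abridged). reg query renders REG_MULTI_SZ items separated by a literal "\0".
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Notification Packages    REG_MULTI_SZ    scecli\0rassfm\0WinSecFilter
    Security Packages    REG_MULTI_SZ    kerberos\0msv1_0\0schannel\0wdigest\0tspkg\0pku2u\0hpcustom
    Authentication Packages    REG_MULTI_SZ    msv1_0
"""

# Assumed baseline (placeholder): replace with the values exported from a clean
# reference host of the same build; the point is the comparison, not these sets.
BASELINE = {
    "Notification Packages": {"scecli", "rassfm"},          # password filters / notification DLLs
    "Security Packages": {"kerberos", "msv1_0", "schannel",  # security support providers
                          "wdigest", "tspkg", "pku2u"},
    "Authentication Packages": {"msv1_0"},
}

# value name, two+ spaces, REG_* type, two+ spaces, data (reg query's column layout)
LINE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")


def parse_reg_query(text):
    """Return {value_name: [items]} from reg query text output.

    REG_MULTI_SZ data is split on the literal backslash-zero separator that
    reg query prints; other types are kept as a single-item list.
    """
    values = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # key header, blank line, or anything not a value row
        name, vtype, data = m.group("name"), m.group("type"), m.group("data").strip()
        if vtype == "REG_MULTI_SZ":
            items = [s for s in data.split(r"\0") if s]
        else:
            items = [data]
        values[name] = items
    return values


def find_unexpected_lsa_packages(text, baseline=BASELINE):
    """List (value_name, package) pairs present in the export but absent from the baseline.

    Comparison is case-insensitive because registry data is.
    """
    findings = []
    values = parse_reg_query(text)
    for value_name, expected in baseline.items():
        allowed = {e.lower() for e in expected}
        for pkg in values.get(value_name, []):
            if pkg.lower() not in allowed:
                findings.append((value_name, pkg))
    return findings


if __name__ == "__main__":
    for value_name, pkg in find_unexpected_lsa_packages(SAMPLE_REG_QUERY):
        print(f"unexpected entry in LSA '{value_name}': {pkg}")
```

Each hit names a DLL that LSASS will load at boot (password filters receive every new plaintext password on a domain controller), so the follow-up is to locate the file, check its signature and hash, and compare against the baseline host. On a real system the input is produced by running the `reg query` command shown in the comment and feeding its output to `find_unexpected_lsa_packages`.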

Groups

The following groups use this software: