Remsec
Associated Software Descriptions
| Name | Description |
|---|---|
| ProjectSauron | ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125.[2] |
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery:Local Account | |
| Enterprise | T1071 | .001 | Application Layer Protocol:Web Protocols | |
| .003 | Application Layer Protocol:Mail Protocols | |||
| .004 | Application Layer Protocol:DNS | |||
| Enterprise | T1059 | .011 | Command and Scripting Interpreter:Lua | |
| Enterprise | T1025 | Data from Removable Media | Remsec has a package that collects documents from any inserted USB sticks.[3] | |
| Enterprise | T1652 | Device Driver Discovery | Remsec has a plugin to detect active drivers of some security products.[3] | |
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol:Exfiltration Over Unencrypted Non-C2 Protocol | Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.[5] |
| Enterprise | T1052 | .001 | Exfiltration Over Physical Medium:Exfiltration over USB | Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.[5] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.[3] | |
| Enterprise | T1083 | File and Directory Discovery | Remsec is capable of listing contents of folders on the victim.Remsec also searches for custom network encryption software on victims.[4][5][3] | |
| Enterprise | T1562 | .004 | Impair Defenses:Disable or Modify System Firewall | Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.[3] |
| Enterprise | T1070 | .004 | Indicator Removal:File Deletion | Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.[4][5][3] |
| Enterprise | T1105 | Ingress Tool Transfer | Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[4][3] | |
| Enterprise | T1056 | .001 | Input Capture:Keylogging | |
| Enterprise | T1036 | .005 | Masquerading:Match Legitimate Resource Name or Location | TheRemsec loader implements itself with the name Security Support Provider, a legitimate Windows function. VariousRemsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare.Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.[8][5] |
| Enterprise | T1556 | .002 | Modify Authentication Process:Password Filter DLL | Remsec harvests plain-text credentials as a password filter registered on domain controllers.[5] |
| Enterprise | T1046 | Network Service Discovery | Remsec has a plugin that can perform ARP scanning as well as port scanning.[3] | |
| Enterprise | T1095 | Non-Application Layer Protocol | ||
| Enterprise | T1027 | .013 | Obfuscated Files or Information:Encrypted/Encoded File | Some data inRemsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.[4][3] |
| Enterprise | T1003 | .002 | OS Credential Dumping:Security Account Manager | |
| Enterprise | T1057 | Process Discovery | ||
| Enterprise | T1055 | .001 | Process Injection:Dynamic-link Library Injection | |
| Enterprise | T1018 | Remote System Discovery | ||
| Enterprise | T1053 | .005 | Scheduled Task/Job:Scheduled Task | Remsec schedules the execution one of its modules by creating a new scheduler task.[3] |
| Enterprise | T1518 | .001 | Software Discovery:Security Software Discovery | Remsec has a plugin detect security products via active drivers.[3] |
| Enterprise | T1082 | System Information Discovery | Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.[3] | |
| Enterprise | T1016 | System Network Configuration Discovery | Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.[3] | |
| Enterprise | T1049 | System Network Connections Discovery | Remsec can obtain a list of active connections and open ports.[3] | |
| Enterprise | T1033 | System Owner/User Discovery | ||
Groups That Use This Software
References
- Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
- Michael Mimoso. (2016, August 8). ProjectSauron APT On Par With Equation, Flame, Duqu. Retrieved January 10, 2024.
- Global Research and Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 5, 2024.
- Warwick Ashford. (2016, August 8). Strider cyber attack group deploying malware for espionage. Retrieved January 10, 2024.