Remsec

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. [1]

ID: S0125
Associated Software: Backdoor.Remsec, ProjectSauron
Type: MALWARE
Platforms: Windows
Version: 1.4
Created: 31 May 2017
Last Modified: 05 August 2024

Associated Software Descriptions

Name: ProjectSauron

Description: ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. [2]

Techniques Used

Domain / ID / Name / Use

Enterprise T1025 Data from Removable Media

Remsec has a package that collects documents from any inserted USB sticks.[3]

Enterprise T1036.005 Masquerading: Match Legitimate Name or Location

The Remsec loader installs itself under the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMware. Remsec also disguised malicious modules using filenames similar to those of custom network encryption software on victims.[4][5]

Enterprise T1556.002 Modify Authentication Process: Password Filter DLL

Remsec harvests plain-text credentials as a password filter registered on domain controllers.[5]

Enterprise T1059.011 Command and Scripting Interpreter: Lua

Remsec can use modules written in Lua for execution.[6]

Enterprise T1562.004 Impair Defenses: Disable or Modify System Firewall

Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.[3]

Enterprise T1071.001 Application Layer Protocol: Web Protocols

Remsec is capable of using HTTP and HTTPS for C2.[7][5][3]

Enterprise T1071.003 Application Layer Protocol: Mail Protocols

Remsec is capable of using SMTP for C2.[7][5][3][8]

Enterprise T1071.004 Application Layer Protocol: DNS

Remsec is capable of using DNS for C2.[7][5][3]

Enterprise T1003.002 OS Credential Dumping: Security Account Manager

Remsec can dump the SAM database.[3]

Enterprise T1083 File and Directory Discovery

Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.[7][5][3]

Enterprise T1048.003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.[5]

Enterprise T1068 Exploitation for Privilege Escalation

Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.[3]

Enterprise T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.[7][3]

Enterprise T1070.004 Indicator Removal: File Deletion

Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.[7][5][3]

Enterprise T1082 System Information Discovery

Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.[3]

Enterprise T1033 System Owner/User Discovery

Remsec can obtain information about the current user.[3]

Enterprise T1049 System Network Connections Discovery

Remsec can obtain a list of active connections and open ports.[3]

Enterprise T1016 System Network Configuration Discovery

Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.[3]

Enterprise T1046 Network Service Discovery

Remsec has a plugin that can perform ARP scanning as well as port scanning.[3]

Enterprise T1652 Device Driver Discovery

Remsec has a plugin to detect active drivers of some security products.[3]

Enterprise T1087.001 Account Discovery: Local Account

Remsec can obtain a list of users.[3]

Enterprise T1518.001 Software Discovery: Security Software Discovery

Remsec has a plugin to detect security products via their active drivers.[3]

Enterprise T1105 Ingress Tool Transfer

Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[7][3]

Enterprise T1056.001 Input Capture: Keylogging

Remsec contains a keylogger component.[7][3]

Enterprise T1057 Process Discovery

Remsec can obtain a process list from the victim.[3]

Enterprise T1055.001 Process Injection: Dynamic-link Library Injection

Remsec can perform DLL injection.[3]

Enterprise T1018 Remote System Discovery

Remsec can ping or traceroute a remote host.[3]

Enterprise T1052.001 Exfiltration Over Physical Medium: Exfiltration over USB

Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.[5]

Enterprise T1095 Non-Application Layer Protocol

Remsec is capable of using ICMP, TCP, and UDP for C2.[7][5]

Enterprise T1053 Scheduled Task/Job

Remsec schedules the execution of one of its modules by creating a new scheduler task.[3]

Groups That Use This Software

ID / Name / References

G0041 Strider [1][2]

References