Remsec
Associated Software Descriptions |
|
| Name | Description |
|---|---|
| ProjectSauron | ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. (Citation: Kaspersky ProjectSauron Blog) |
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1087 | .001 | Account Discovery: Local Account |
Remsec can obtain a list of users.(Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Remsec is capable of using HTTP and HTTPS for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis) |
| .003 | Application Layer Protocol: Mail Protocols |
Remsec is capable of using SMTP for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis) |
||
| .004 | Application Layer Protocol: DNS |
Remsec is capable of using DNS for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis) |
||
| Enterprise | T1048 | .003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol |
Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.(Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1052 | .001 | Exfiltration Over Physical Medium: Exfiltration over USB |
Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.(Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1562 | .004 | Impair Defenses: Disable or Modify System Firewall |
Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.(Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1056 | .001 | Input Capture: Keylogging |
Remsec contains a keylogger component.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1036 | .005 | Masquerading: Match Legitimate Name or Location |
The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1556 | .002 | Modify Authentication Process: Password Filter DLL |
Remsec harvests plain-text credentials as a password filter registered on domain controllers.(Citation: Kaspersky ProjectSauron Full Report) |
| Enterprise | T1003 | .002 | OS Credential Dumping: Security Account Manager |
Remsec can dump the SAM database.(Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection |
Remsec can perform DLL injection.(Citation: Kaspersky ProjectSauron Technical Analysis) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Remsec has a plugin to detect active drivers of some security products.(Citation: Kaspersky ProjectSauron Technical Analysis) |
Groups That Use This Software |
||
| ID | Name | References |
|---|---|---|
| G0041 | Strider |
(Citation: Symantec Strider Blog) (Citation: Kaspersky ProjectSauron Blog) |
References
- Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.