Remexi
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Remexi uses BITSAdmin to communicate with the C2 server over HTTP.(Citation: Securelist Remexi Jan 2019) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.(Citation: Securelist Remexi Jan 2019) |
| Enterprise | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | Remexi achieves persistence using Userinit by adding the Registry key |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Remexi silently executes received commands with cmd.exe.(Citation: Securelist Remexi Jan 2019) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | Remexi uses AutoIt and VBS scripts throughout its execution process.(Citation: Securelist Remexi Jan 2019) |
| Enterprise | T1056.001 | Input Capture: Keylogging | Remexi gathers and exfiltrates keystrokes from the machine.(Citation: Securelist Remexi Jan 2019) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Remexi utilizes scheduled tasks as a persistence mechanism.(Citation: Securelist Remexi Jan 2019) |
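The table above lists where Remexi leaves persistence and C2 artefacts on a host; the script below is an added example (not from the ATT&CK page, the Securelist report, or the malware itself) that hunts for those same locations with PowerShell. It assumes an elevated shell on Windows 8 / Server 2012 or later, that `userinit.exe,` is the only legitimate Userinit value (compare against a known-good host in your estate), and that the action regex and the Run-key list are reasonable starting points rather than Remexi-specific indicators.

```powershell
# Added example: hunt for Remexi-style persistence and C2 artefacts.
# Not code from the ATT&CK page or from the Securelist report. Assumptions are
# marked inline; run from an elevated PowerShell on Windows 8 / Server 2012+.

Import-Module BitsTransfer -ErrorAction SilentlyContinue

function Find-RemexiStyleArtifacts {
    $findings = New-Object System.Collections.Generic.List[object]
    $regMeta  = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

    function Add-Finding($Technique, $Source, $Detail) {
        $findings.Add([pscustomobject]@{ Technique = $Technique; Source = $Source; Detail = $Detail })
    }

    # T1547.001 - Run keys in the HKLM hive (the table names HKLM specifically).
    # Key list is an assumption; extend it to RunOnceEx etc. if your baseline covers them.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($regMeta -contains $p.Name) { continue }   # skip provider metadata
            Add-Finding 'T1547.001' $key ("{0} = {1}" -f $p.Name, $p.Value)
        }
    }

    # T1547.004 - Winlogon Userinit. Anything appended after userinit.exe runs at
    # every interactive logon. The expected value is an assumed default.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
    $expected = "$env:SystemRoot\system32\userinit.exe,"
    if ($userinit -ne $expected) {
        Add-Finding 'T1547.004' "$winlogon\Userinit" $userinit
    }

    # T1053.005 (with T1059.003 / T1059.005) - scheduled tasks whose action launches
    # cmd.exe, a VBS host, or an AutoIt interpreter / compiled script.
    # The pattern is an assumption, not a signature from the report.
    $suspiciousAction = 'cmd\.exe|wscript|cscript|\.vbs\b|autoit|\.a3x\b'
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmdline = "$($action.Execute) $($action.Arguments)"
            if ($cmdline -match $suspiciousAction) {
                Add-Finding 'T1053.005' "$($task.TaskPath)$($task.TaskName)" $cmdline
            }
        }
    }

    # T1071.001 - BITS jobs. Remexi drives BITSAdmin for HTTP C2, so every job's
    # remote URL is surfaced for review against your allow-list of update servers.
    foreach ($job in Get-BitsTransfer -AllUsers -ErrorAction SilentlyContinue) {
        foreach ($file in $job.FileList) {
            Add-Finding 'T1071.001' "BITS job '$($job.DisplayName)' [$($job.JobState)]" $file.RemoteName
        }
    }

    return $findings
}

Find-RemexiStyleArtifacts | Format-Table -AutoSize -Wrap
```

The script reports rather than judges: Run keys and BITS jobs are noisy on a real host, so diff the output against a clean baseline image, and treat a non-default Userinit value or a task that invokes `cmd.exe` / `wscript.exe` from a user-writable path as the items worth pulling first.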
Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0087 | APT39 | (Citation: Symantec Chafer Dec 2015) (Citation: Securelist Remexi Jan 2019) (Citation: Symantec Chafer February 2018) |
References
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
- Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.