Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Инструмент RCSession
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Инструмент
RCSession
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

RCSession

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro Iron Tiger April 2021)(Citation: Trend Micro DRBControl February 2020)
ID: S0662
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 19 Nov 2021
Last Modified: 15 Apr 2022

Techniques Used
Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

RCSession can bypass UAC to escalate privileges.(Citation: Trend Micro DRBControl February 2020)
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RCSession can use HTTP in C2 communications.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

RCSession has the ability to modify a Registry Run key to establish persistence.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RCSession can use `cmd.exe` for execution on compromised hosts.(Citation: Trend Micro DRBControl February 2020)
Enterprise T1574 .002 Hijack Execution Flow: DLL Side-Loading

RCSession can be installed via DLL side-loading.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise T1070 .004 Indicator Removal: File Deletion

RCSession can remove files from a targeted system.(Citation: Profero APT27 December 2020)
Enterprise T1056 .001 Input Capture: Keylogging

RCSession has the ability to capture keystrokes on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise T1055 .012 Process Injection: Process Hollowing

RCSession can launch itself from a hollowed svchost.exe process.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)
Enterprise T1218 .007 System Binary Proxy Execution: Msiexec

RCSession has the ability to execute inside the msiexec.exe process.(Citation: Profero APT27 December 2020)

Groups That Use This Software
ID Name References
G0027 Threat Group-3390

(Citation: Trend Micro Iron Tiger April 2021) (Citation: Trend Micro DRBControl February 2020) (Citation: Profero APT27 December 2020)

G0129 Mustang Panda

(Citation: Secureworks BRONZE PRESIDENT December 2019)

References

  1. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  2. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  3. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  4. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.