S0125 Remsec

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. ²

Item	Value
ID	S0125
Associated Names	ProjectSauron
Type	MALWARE
Version	1.2
Created	31 May 2017
Last Modified	28 March 2023
Navigation Layer	View In ATT&CK® Navigator

Associated Software Descriptions

Name	Description
ProjectSauron	ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. ¹

Techniques Used

Domain	ID	Name	Use
enterprise	T1087	Account Discovery	-
enterprise	T1087.001	Local Account	Remsec can obtain a list of users.⁵
enterprise	T1071	Application Layer Protocol	-
enterprise	T1071.001	Web Protocols	Remsec is capable of using HTTP and HTTPS for C2.³⁴⁵
enterprise	T1071.003	Mail Protocols	Remsec is capable of using SMTP for C2.³⁴⁵
enterprise	T1071.004	DNS	Remsec is capable of using DNS for C2.³⁴⁵
enterprise	T1025	Data from Removable Media	Remsec has a package that collects documents from any inserted USB sticks.⁵
enterprise	T1652	Device Driver Discovery	Remsec has a plugin to detect active drivers of some security products.⁵
enterprise	T1048	Exfiltration Over Alternative Protocol	-
enterprise	T1048.003	Exfiltration Over Unencrypted Non-C2 Protocol	Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.⁴
enterprise	T1052	Exfiltration Over Physical Medium	-
enterprise	T1052.001	Exfiltration over USB	Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.⁴
enterprise	T1068	Exploitation for Privilege Escalation	Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.⁵
enterprise	T1083	File and Directory Discovery	Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.³⁴⁵
enterprise	T1562	Impair Defenses	-
enterprise	T1562.004	Disable or Modify System Firewall	Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.⁵
enterprise	T1070	Indicator Removal	-
enterprise	T1070.004	File Deletion	Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.³⁴⁵
enterprise	T1105	Ingress Tool Transfer	Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.³⁵
enterprise	T1056	Input Capture	-
enterprise	T1056.001	Keylogging	Remsec contains a keylogger component.³⁵
enterprise	T1036	Masquerading	-
enterprise	T1036.005	Match Legitimate Name or Location	The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.³⁴
enterprise	T1556	Modify Authentication Process	-
enterprise	T1556.002	Password Filter DLL	Remsec harvests plain-text credentials as a password filter registered on domain controllers.⁴
enterprise	T1046	Network Service Discovery	Remsec has a plugin that can perform ARP scanning as well as port scanning.⁵
enterprise	T1095	Non-Application Layer Protocol	Remsec is capable of using ICMP, TCP, and UDP for C2.³⁴
enterprise	T1027	Obfuscated Files or Information	Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.³⁵
enterprise	T1003	OS Credential Dumping	-
enterprise	T1003.002	Security Account Manager	Remsec can dump the SAM database.⁵
enterprise	T1057	Process Discovery	Remsec can obtain a process list from the victim.⁵
enterprise	T1055	Process Injection	-
enterprise	T1055.001	Dynamic-link Library Injection	Remsec can perform DLL injection.⁵
enterprise	T1018	Remote System Discovery	Remsec can ping or traceroute a remote host.⁵
enterprise	T1053	Scheduled Task/Job	Remsec schedules the execution one of its modules by creating a new scheduler task.⁵
enterprise	T1518	Software Discovery	-
enterprise	T1518.001	Security Software Discovery	Remsec has a plugin detect security products via active drivers.⁵
enterprise	T1082	System Information Discovery	Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.⁵
enterprise	T1016	System Network Configuration Discovery	Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.⁵
enterprise	T1049	System Network Connections Discovery	Remsec can obtain a list of active connections and open ports.⁵
enterprise	T1033	System Owner/User Discovery	Remsec can obtain information about the current user.⁵

Groups That Use This Software

ID	Name	References
G0041	Strider	²¹

References

Kaspersky Lab’s Global Research & Analysis Team. (2016, August 8). ProjectSauron: top level cyber-espionage platform covertly extracts encrypted government comms. Retrieved August 17, 2016. ↩↩
Symantec Security Response. (2016, August 7). Strider: Cyberespionage group turns eye of Sauron on targets. Retrieved August 17, 2016. ↩↩
Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. ↩↩↩↩↩↩↩↩↩↩
Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016. ↩↩↩↩↩↩↩↩↩↩
Kaspersky Lab’s Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. ↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩↩