Skip to content

S0125 Remsec

Remsec is a modular backdoor that has been used by Strider and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. 1

Item Value
ID S0125
Associated Names ProjectSauron
Version 1.1
Created 31 May 2017
Last Modified 28 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
ProjectSauron ProjectSauron is used to refer both to the threat group also known as G0041 as well as the malware platform also known as S0125. 2

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account Remsec can obtain a list of users.4
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Remsec is capable of using HTTP and HTTPS for C2.354
enterprise T1071.003 Mail Protocols Remsec is capable of using SMTP for C2.354
enterprise T1071.004 DNS Remsec is capable of using DNS for C2.354
enterprise T1025 Data from Removable Media Remsec has a package that collects documents from any inserted USB sticks.4
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Remsec can exfiltrate data via a DNS tunnel or email, separately from its C2 channel.5
enterprise T1052 Exfiltration Over Physical Medium -
enterprise T1052.001 Exfiltration over USB Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.5
enterprise T1068 Exploitation for Privilege Escalation Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.4
enterprise T1083 File and Directory Discovery Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.354
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.4
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion Remsec is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data.354
enterprise T1105 Ingress Tool Transfer Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.34
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging Remsec contains a keylogger component.34
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.35
enterprise T1556 Modify Authentication Process -
enterprise T1556.002 Password Filter DLL Remsec harvests plain-text credentials as a password filter registered on domain controllers.5
enterprise T1046 Network Service Discovery Remsec has a plugin that can perform ARP scanning as well as port scanning.4
enterprise T1095 Non-Application Layer Protocol Remsec is capable of using ICMP, TCP, and UDP for C2.35
enterprise T1027 Obfuscated Files or Information Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.34
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager Remsec can dump the SAM database.4
enterprise T1057 Process Discovery Remsec can obtain a process list from the victim.4
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection Remsec can perform DLL injection.4
enterprise T1018 Remote System Discovery Remsec can ping or traceroute a remote host.4
enterprise T1053 Scheduled Task/Job Remsec schedules the execution one of its modules by creating a new scheduler task.4
enterprise T1518 Software Discovery -
enterprise T1518.001 Security Software Discovery Remsec has a plugin to detect active drivers of some security products.4
enterprise T1082 System Information Discovery Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.4
enterprise T1016 System Network Configuration Discovery Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.4
enterprise T1049 System Network Connections Discovery Remsec can obtain a list of active connections and open ports.4
enterprise T1033 System Owner/User Discovery Remsec can obtain information about the current user.4

Groups That Use This Software

ID Name References
G0041 Strider 12


Back to top