S0375 Remexi
Remexi is a Windows-based Trojan that was developed in the C programming language.[1]
| Item | Value |
|---|---|
| ID | S0375 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 17 April 2019 |
| Last Modified | 30 March 2020 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Remexi uses BITSAdmin to communicate with the C2 server over HTTP.[1] |
| enterprise | T1010 | Application Window Discovery | Remexi has a command to capture active windows on the machine and retrieve window titles.[1] |
| enterprise | T1560 | Archive Collected Data | Remexi encrypts and adds all gathered browser data into files for upload to C2.[1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[1] |
| enterprise | T1547.004 | Winlogon Helper DLL | Remexi achieves persistence using Userinit by adding the Registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit.[1] |
| enterprise | T1115 | Clipboard Data | Remexi collects text from the clipboard.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Remexi silently executes received commands with cmd.exe.[1] |
| enterprise | T1059.005 | Visual Basic | Remexi uses AutoIt and VBS scripts throughout its execution process.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Remexi decrypts the configuration data using XOR with 25-character keys.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.[1] |
| enterprise | T1083 | File and Directory Discovery | Remexi searches for files on the system.[1] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | Remexi gathers and exfiltrates keystrokes from the machine.[1] |
| enterprise | T1027 | Obfuscated Files or Information | Remexi obfuscates its configuration data with XOR.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Remexi utilizes scheduled tasks as a persistence mechanism.[1] |
| enterprise | T1113 | Screen Capture | Remexi takes screenshots of windows of interest.[1] |
| enterprise | T1047 | Windows Management Instrumentation | Remexi executes received commands with wmic.exe (for WMI commands).[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0087 | APT39 | [1][2][3] |
References
1. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
2. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
3. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.