Skip to content

S0662 RCSession

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).123

Item Value
ID S0662
Associated Names
Type MALWARE
Version 1.1
Created 19 November 2021
Last Modified 26 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1548 Abuse Elevation Control Mechanism -
enterprise T1548.002 Bypass User Account Control RCSession can bypass UAC to escalate privileges.3
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols RCSession can use HTTP in C2 communications.34
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder RCSession has the ability to modify a Registry Run key to establish persistence.34
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell RCSession can use cmd.exe for execution on compromised hosts.3
enterprise T1005 Data from Local System RCSession can collect data from a compromised host.43
enterprise T1573 Encrypted Channel RCSession can use an encrypted beacon to check in with C2.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.002 DLL Side-Loading RCSession can be installed via DLL side-loading.134
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion RCSession can remove files from a targeted system.4
enterprise T1105 Ingress Tool Transfer RCSession has the ability to drop additional files to an infected machine.4
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging RCSession has the ability to capture keystrokes on a compromised host.34
enterprise T1036 Masquerading RCSession has used a file named English.rtf to appear benign on victim hosts.13
enterprise T1112 Modify Registry RCSession can write its configuration file to the Registry.34
enterprise T1106 Native API RCSession can use WinSock API for communication including WSASend and WSARecv.4
enterprise T1095 Non-Application Layer Protocol RCSession has the ability to use TCP and UDP in C2 communications.34
enterprise T1027 Obfuscated Files or Information RCSession can compress and obfuscate its strings to evade detection on a compromised host.3
enterprise T1027.011 Fileless Storage RCSession can store its obfuscated configuration file in the Registry under HKLM\SOFTWARE\Plus or HKCU\SOFTWARE\Plus.34
enterprise T1057 Process Discovery RCSession can identify processes based on PID.4
enterprise T1055 Process Injection -
enterprise T1055.012 Process Hollowing RCSession can launch itself from a hollowed svchost.exe process.134
enterprise T1113 Screen Capture RCSession can capture screenshots from a compromised host.4
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.007 Msiexec RCSession has the ability to execute inside the msiexec.exe process.4
enterprise T1082 System Information Discovery RCSession can gather system information from a compromised host.4
enterprise T1033 System Owner/User Discovery RCSession can gather system owner information, including user and administrator privileges.4

Groups That Use This Software

ID Name References
G0129 Mustang Panda 1
G0027 Threat Group-3390 234

References

  1. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  2. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. 

  3. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. 

  4. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.