Remsec is a backdoor used by the threat group Strider for espionage. It is also known by the aliases Backdoor.Remsec and ProjectSauron. It can obtain information about the current user, list the contents of folders on the victim, search for custom network encryption software on victims, delete files on the victim, and securely remove itself after collecting and exfiltrating data.
Remsec Malware Capabilities
- Remsec may register malicious password filter dynamic link libraries into the authentication process to acquire user credentials as they are validated. It may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. Remsec may use various techniques to evade detection and/or elevate privileges, including DLL injection, C2 over non-standard ports, and matching or approximating the name or location of legitimate files or resources. Remsec may also attempt to get information about running processes and network connections, as well as detailed information about the operating system and hardware. Remsec may attempt to extract credential material from the Security Account Manager (SAM) database, either through in-memory techniques or from the Windows Registry, where the SAM database is stored.
- Remsec may exploit software vulnerabilities in an attempt to elevate privileges.
- Remsec may use DLL injection to evade process-based defenses and elevate privileges. It may also use application layer protocols associated with web traffic to avoid detection and network filtering. Lastly, it may communicate over a non-standard port to bypass proxies and firewalls.
- Remsec may use various methods to evade detection and observation, including naming files and resources similarly to legitimate ones, using known encryption algorithms, and scanning for vulnerable services.
- Remsec may attempt to get information about running processes on a system and a listing of network connections to or from the compromised system or from remote systems by querying for information over the network. Finally, Remsec may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. This information may also be used to shape follow-on behaviors.
- The Remsec malware may use various methods to communicate with a remote system, including the Domain Name System (DNS) application layer protocol and electronic mail delivery. Commands to the remote system, and often the results of those commands, are embedded within the protocol traffic between the client and server. In order to bypass controls limiting network usage, Remsec may disable or modify system firewalls.
- Remsec may use task scheduling functionality to facilitate initial or recurring execution of malicious code. It may also look for details about the network configuration and settings, such as IP and/or MAC addresses, of the systems it accesses, or gather them through discovery of remote systems. Finally, Remsec may exfiltrate stolen data over an unencrypted network protocol other than that of the existing command and control channel.
- Remsec may use a custom command and control protocol to communicate with victim devices. This protocol may be used to transfer files or tools between systems, or to get a listing of local system accounts.
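The password filter DLL technique described above is registered through the LSA "Notification Packages" registry value, so that value is a natural place for a defender to audit. The following PowerShell is an added example, not code from the original page or from any Remsec analysis; the baseline package names are an assumption for a default Windows install and should be extended for your own environment.

```powershell
# Added example, not from the original page: audit the LSA "Notification Packages"
# value, which is where password filter DLLs are registered. LSA loads each name
# as <name>.dll from System32 at boot, so every entry is worth a signature check.
# Assumption: the baseline below reflects a default install; extend it for your estate.
$BaselinePackages = @('scecli', 'rassfm')

function Get-LsaNotificationPackageReport {
    $lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $packages = (Get-ItemProperty -Path $lsaKey -Name 'Notification Packages' -ErrorAction Stop).'Notification Packages'
    foreach ($name in @($packages)) {
        if ([string]::IsNullOrWhiteSpace($name)) { continue }
        # Entries are normally bare names; tolerate an explicit .dll suffix
        $base    = $name -replace '\.dll$', ''
        $dllPath = Join-Path $env:SystemRoot "System32\$base.dll"
        $exists  = Test-Path -LiteralPath $dllPath -PathType Leaf
        $sigStatus = 'FileMissing'
        $signer    = $null
        if ($exists) {
            $sig       = Get-AuthenticodeSignature -FilePath $dllPath
            $sigStatus = $sig.Status.ToString()
            $signer    = $sig.SignerCertificate.Subject
        }
        $inBaseline = $BaselinePackages -contains $base
        [pscustomobject]@{
            Package    = $name
            Path       = $dllPath
            InBaseline = $inBaseline
            Signature  = $sigStatus
            Signer     = $signer
            # Anything unknown, missing, or not validly signed needs analyst review
            Suspicious = (-not $inBaseline) -or (-not $exists) -or ($sigStatus -ne 'Valid')
        }
    }
}

Get-LsaNotificationPackageReport | Format-Table -AutoSize
```

Run it elevated on a known-good host first to capture your own baseline; a valid signature on an unexpected package name still merits a look, since the check only confirms the file's publisher, not why it is registered.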
Ways to Mitigate Remsec Malware Capabilities
- The Remsec malware can be mitigated by monitoring processes and command-line arguments. Such data may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.
- Remsec activity can be detected by monitoring for API calls associated with keyloggers and for command-line file deletion. However, detection of file obfuscation is difficult.
- There are several ways to mitigate Remsec malware attacks, including detecting and preventing software exploitation, and monitoring for suspicious behavior or new, unfamiliar files.
- The Remsec malware attack can be mitigated in a few ways. One way is to monitor Windows API calls that may be indicative of code injection. Another way is to analyze network data for uncommon data flows. Finally, analyzing packet contents for communications that do not follow the expected protocol behavior can also help to mitigate this type of attack.
- The Remsec malware can be mitigated by collecting file hashes, performing file monitoring, and SSL/TLS inspection. System and network discovery techniques can also help to identify potential Remsec malware activity.
- The Remsec malware can be mitigated by keeping track of system and network activity and data, as well as by viewing events in the context of other potential activity. This will help to spot potential lateral movement by the adversary and take appropriate action.
- Remsec may steal account passwords. The hash dumpers used to access them can be detected, as can processes that execute when removable media are mounted. Monitoring for system and network discovery techniques can also help to identify potential areas of attack.
- The Remsec malware can be mitigated by analyzing network data for uncommon data flows, monitoring processes and command-line arguments, and registry edits. These unusual activities could be indicative of an attack and should be investigated further.
- The Remsec malware can be mitigated by monitoring scheduled task creation, looking for changes to tasks that do not correlate with known software, and analyzing network data for uncommon data flows.
- The Remsec malware can be mitigated by monitoring for file creation, for files transferred into the network, and for unusual processes with external network connections.
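The scheduled task monitoring above is easiest to act on when the task list is reduced to entries that do not correlate with known software. The following PowerShell is an added example, not code from the original page or from any Remsec analysis; it treats the Windows and Program Files directories as trusted roots (an assumption) and reports every task action whose executable lives elsewhere or lacks a valid Authenticode signature.

```powershell
# Added example, not from the original page: list scheduled tasks whose action
# executable lives outside the standard Windows and Program Files directories or
# fails Authenticode validation. Assumption: these three roots are the trusted set.
$TrustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-SuspiciousScheduledTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }      # skip COM-handler actions
            # Expand %SystemRoot% and similar, and strip surrounding quotes
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute.Trim('"'))
            if (-not [IO.Path]::IsPathRooted($exe)) {
                # Bare names such as cmd.exe resolve through PATH; keep the raw name if unresolved
                $cmd = Get-Command $exe -ErrorAction SilentlyContinue
                if ($cmd) { $exe = $cmd.Source }
            }
            $inTrustedRoot = $false
            foreach ($root in $TrustedRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedRoot = $true }
            }
            $sigStatus = 'FileMissing'
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            }
            # Trusted location plus valid signature is the quiet case; report everything else
            if ($inTrustedRoot -and $sigStatus -eq 'Valid') { continue }
            $info = Get-ScheduledTaskInfo -InputObject $task
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                Executable  = $exe
                Arguments   = $action.Arguments
                Signature   = $sigStatus
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
            }
        }
    }
}

Get-SuspiciousScheduledTask | Sort-Object TaskPath, TaskName | Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: legitimate third-party tasks often install outside the trusted roots, and on older hosts catalog-signed system binaries can report NotSigned, so diff the result against a known-good baseline before investigating individual tasks.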