Backdoor.Remsec

#28993 by geoffreyvdb
Tue Aug 09, 2016 3:25 pm

New APT discovered by Kaspersky
Features:

Unique footprint: Core implants that have different file names and sizes and are individually built for each target – making it very difficult to detect since the same basic indicators of compromise would have little value for any other target.
Running in memory: The core implants make use of legitimate software update scripts and work as backdoors, downloading new modules or running commands from the attacker purely in memory.
A bias towards crypto-communicatins: ProjectSauron actively searches for information related to fairly rare, custom network encryption software. This client-server software is widely adopted by many of the target organizations to secure communications, voice, email, and document exchange. The attackers are particularly interested in encryption software components, keys, configuration files, and the location of servers that relay encrypted messages between the nodes.
Script-based flexibility: ProjectSauron has implemented a set of low-level tools which are orchestrated by high-level LUA scripts. The use of LUA components in malware is very rare - it has previously only been spotted in the Flame and Animal Farm attacks.
Bypassing air-gaps: ProjectSauron makes use of specially-prepared USB drives to jump across air-gapped networks. These USB drives carry hidden compartments in which stolen data is concealed.
Multiple exfiltration mechanisms: ProjectSauron implements a number of routes for data exfiltration, including legitimate channels such as email and DNS, with stolen information copied from the victim disguised in day-to-day traffic.

http://www.kaspersky.com/about/news/vir ... jectSauron

http://www.symantec.com/connect/blogs/s ... on-targets
http://www.symantec.com/content/en/us/e ... c_IOCs.pdf
https://www.virustotal.com/en/file/a66b ... /analysis/

The included sample is currently all I can download, there's is more on VT if you search for remsec but I don't have a key

Attachments

a66bfda3d877a216665ebeb4ee3ba5a96d0094fdfd62bc8fe449b326fefc66bf.zip

(130.23 KiB) Downloaded 84 times

Username

geoffreyvdb

Posts

16

Joined

Mon Feb 22, 2016 1:00 pm

Re: Backdoor.Remsec

#29001 by R136a1
Thu Aug 11, 2016 4:08 pm

Files attached.

Attachments

ProjectSauron_driver.zip

PW: infected
(2.2 KiB) Downloaded 80 times

ProjectSauron.zip

PW: infected
(1.99 MiB) Downloaded 106 times

Malware Reversing
http://www.malware-reversing.com

Username

R136a1

Rank

Forum Admin

Posts

272

Joined

Wed Jul 13, 2011 4:30 pm

Location

Netherlands

Re: Backdoor.Remsec

#29009 by CloneRanger
Fri Aug 12, 2016 3:46 pm

Strings in some of the files ?

I am NOT an expert in deconstructing etc malware, or looked at hundreds/thousands as some of you have, but here's just a couple of things i noticed, that may or may not be worth investigating further !

S p i n L o c k - https://en.wikipedia.org/wiki/Spinlock - I havn't seen this before, & seems interesting.

\\.\khips - I couldn't discover much about it. https://duckduckgo.com/html/ - Wanted to Redirect to - http://www.memecenter.com/khips LOL

The only link i found was to, HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\khips - Kerio Firewall

What is \\.\ ?

Malware = If your names not down, you're Not coming in !

Username

CloneRanger

Posts

124

Joined

Sat Aug 14, 2010 11:54 pm