HKTL_REMOSH
Redsip, NightDragon, NDragon
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Hacking Tool
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Downloaded from the Internet, Dropped by other malware
REMOSH is known as part of the Night Dragon attack in 2011. It mostly targets networks belonging to energy companies.
It is a backdoor and hacking tool combination. The hacking tool acts as a Trojan builder and as a command-and-control (C&C) interface for the generated backdoor components. REMOSH enumerates processes and services running on affected computers. It can also do the following:
- Capture screenshots
- Create and delete files
- Enumerate files
- Enumerate sessions to determine logged-in user
- Execute processes
- Get drive information, such as type, free space, and name
- Run remote command shell
- Send and receive files
- Uninstall itself
REMOSH also steals system information such as computer name, operating system, and processor information. The stolen information is then fed back to its C&C servers.
TECHNICAL DETAILS
Connects to URLs/IPs, Steals information
Installation
This hacking tool drops the following files:
- %System%\Connect.dll
- %System%\Startup.dll
- {malware path}\HostID.DAT
- {malware path}\Server.exe
- {malware path}\Server.dll
- {remote user specified path}\{remote user specified file name}.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This hacking tool adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}\Parameters
ServiceDLL = "%System%\{malware file name}"
Other System Modifications
This hacking tool adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\RAT
install = "%System%"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CryptHost
ImagePath = "%System Root%\System32\svchost.exe -k CryptHost "
HKEY_LOCAL_MACHINE\SOFTWARE\RAT
connect1 = "shell.{BLOCKED}f.com"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CryptHost\Parameters
ServiceDll = "%System%\Startup.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
CryptHost = "CryptHost"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PolicyAgent
Start = "4"
(Note: The default value data of the said registry entry is 2.)
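The following PowerShell script is an added example, not part of this entry or of Trend Micro's tooling: run as an administrator on a Windows host, it checks for the registry keys, service entries and dropped file names this entry attributes to REMOSH (the RAT marker key, the svchost-hosted CryptHost service, any service whose ServiceDll is the dropped Connect.dll or Startup.dll, the disabled PolicyAgent service, and the two DLLs in %System%). Key paths and file names come from the entry above; the output wording is the script's own.

```powershell
# Added detection check for the HKTL_REMOSH artifacts listed above (not vendor code).
$findings = @()
$sysdir   = [Environment]::SystemDirectory   # resolves %System%

# 1. Marker key the tool creates: HKLM\SOFTWARE\RAT with 'install' and 'connect1'
$rat = 'HKLM:\SOFTWARE\RAT'
if (Test-Path $rat) {
    $p = Get-ItemProperty -Path $rat
    $findings += "HKLM\SOFTWARE\RAT present (install='$($p.install)', connect1='$($p.connect1)')"
}

# 2. svchost-hosted service 'CryptHost' and its SvcHost group registration
$svc = 'HKLM:\SYSTEM\CurrentControlSet\Services\CryptHost'
if (Test-Path $svc) {
    $dll = (Get-ItemProperty -Path "$svc\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    $findings += "Service CryptHost present (ServiceDll='$dll')"
}
$grp = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost' -ErrorAction SilentlyContinue
if ($grp -and ($grp.PSObject.Properties.Name -contains 'CryptHost')) {
    $findings += "SvcHost group 'CryptHost' registered"
}

# 3. The autostart uses a random service name, so scan every service's ServiceDll
#    for the DLLs the tool drops into %System%
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue | ForEach-Object {
    $d = (Get-ItemProperty "$($_.PSPath)\Parameters" -ErrorAction SilentlyContinue).ServiceDll
    if ($d -and (($d -ieq "$sysdir\Connect.dll") -or ($d -ieq "$sysdir\Startup.dll"))) {
        $findings += "Service $($_.PSChildName) loads $d"
    }
}

# 4. IPsec Policy Agent disabled: Start=4 (SERVICE_DISABLED); the entry notes the default is 2
$pa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent' -ErrorAction SilentlyContinue
if ($pa -and ($pa.Start -eq 4)) { $findings += 'PolicyAgent Start=4 (service disabled; default is 2)' }

# 5. Dropped files in %System%
foreach ($f in 'Connect.dll', 'Startup.dll') {
    $path = Join-Path $sysdir $f
    if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { Write-Output "[REMOSH indicator] $_" } }
else { Write-Output 'No REMOSH registry or file indicators found.' }
```

A hit on the CryptHost service or the RAT key warrants collecting the referenced DLLs and %System% for analysis rather than deleting them, since the {malware path} and remote-user-specified DLL names on this page are not fixed and will not be caught by the file check alone.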
Other Details
This hacking tool connects to the following possibly malicious URLs and IP addresses:
- {BLOCKED}.{BLOCKED}.82.50
- {BLOCKED}.{BLOCKED}.82.25
- shell.{BLOCKED}f.com
- shell.{BLOCKED}-the.net