Analysis by: Roland Marco Dela Paz

ALIASES:

Redsip, NightDragon, NDragon

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Hacking Tool

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Downloaded from the Internet, Dropped by other malware

REMOSH is known as part of the Night Dragon attack in 2011. It targets mostly networks that belong to energy companies.

It is a backdoor-hacking tool combination. The hacking tool acts as a Trojan builder and a command-and-control (C&C) interface for the generated backdoor components. REMOSH enumerates processes and services running on affected computers. it can also do the following:

  • Capture screenshots

  • Create and delete files

  • Enumerate files

  • Enumerate sessions to determine logged-in user

  • Execute processes

  • Get drive information, such as type, free space, and name

  • Run remote command shell

  • Send and receive files

  • Uninstall itself

REMOSH also steals system information such as computer name, operating system, and processor information. The stolen information is then fed back to its C&C servers.

  TECHNICAL DETAILS

Payload: Connects to URLs/IPs, Steals information

Installation

This hacking tool drops the following files:

  • %System%\Connect.dll
  • %System%\Startup.dll
  • {malware path}\HostID.DAT
  • {malware path}\Server.exe
  • {malware path}\Server.dll
  • {remote user specified path}\{remote user specified file name}.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Autostart Technique

This hacking tool adds the following registry entries to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}\Parameters
ServiceDLL = "%System%\{malware file name}"

Other System Modifications

This hacking tool adds the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\RAT
install = "%System%"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CryptHost
ImagePath = "%System Root%\System32\svchost.exe -k CryptHost "

HKEY_LOCAL_MACHINE\SOFTWARE\RAT
connect1 = "shell.{BLOCKED}f.com"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CryptHost\Parameters
ServiceDll = "%System%\Startup.dll"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
CryptHost = "CryptHost"

It modifies the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PolicyAgent
Start = "4"

(Note: The default value data of the said registry entry is 2.)

Other Details

This hacking tool connects to the following possibly malicious URL:

  • {BLOCKED}.{BLOCKED}.82.50
  • {BLOCKED}.{BLOCKED}.82.25
  • shell.{BLOCKED}f.com
  • shell.{BLOCKED}-the.net