REMOSH
Redsip, NightDragon, NDragon
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Backdoor
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
REMOSH is known as part of the Night Dragon attack in 2011. It targets mostly networks that belong to energy companies.
It is a backdoor-hacking tool combination. The hacking tool acts as a Trojan builder and a command-and-control (C&C) interface for the generated backdoor components. REMOSH enumerates processes and services running on affected computers. it can also do the following:
- Capture screenshots
- Create and delete files
- Enumerate files
- Enumerate sessions to determine logged-in user
- Execute processes
- Get drive information, such as type, free space, and name
- Run remote command shell
- Send and receive files
- Uninstall itself
REMOSH also steals system information such as computer name, operating system, and processor information. The stolen information is then fed back to its C&C servers.
TECHNICAL DETAILS
Installation
This backdoor drops the following files:
- %System%\Connect.dll
- %System%\Startup.dll
- {malware path}\HostID.DAT
- {malware path}\Server.exe
- {malware path}\Server.dll
- {remote user specified path}\{remote user specified file name}.dll
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}\Parameters
ServiceDLL = "%System%\{malware file name}"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\RAT
install = "%System%"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CryptHost
ImagePath = "%System Root%\System32\svchost.exe -k CryptHost "
HKEY_LOCAL_MACHINE\SOFTWARE\RAT
connect1 = "shell.{BLOCKED}f.com"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CryptHost\Parameters
ServiceDll = "%System%\Startup.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
CryptHost = "CryptHost"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PolicyAgent
Start = "4"
(Note: The default value data of the said registry entry is 2.)
Other Details
This backdoor connects to the following possibly malicious URL:
- {BLOCKED}.{BLOCKED}.82.50
- {BLOCKED}.{BLOCKED}.82.25
- shell.{BLOCKED}f.com
- shell.{BLOCKED}-the.net