1. Home
  2. Software
  3. RCSession

RCSession

RCSession is a backdoor written in C++ that has been in use since at least 2018 by Mustang Panda and by Threat Group-3390 (Type II Backdoor).[1][2][3]

ID: S0662
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 19 November 2021
Last Modified: 11 April 2024
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1005 从本地系统获取数据

RCSession can collect data from a compromised host.[4][3]
Enterprise T1036 伪装

RCSession has used a file named English.rtf to appear benign on victim hosts.[1][3]
Enterprise T1112 修改注册表

RCSession can write its configuration file to the Registry.[3][4]
Enterprise T1573 加密通道

RCSession can use an encrypted beacon to check in with C2.[1]
Enterprise T1574 .002 劫持执行流: DLL Side-Loading

RCSession can be installed via DLL side-loading.[1][3][4]
Enterprise T1547 .001 启动或登录自动启动执行: Registry Run Keys / Startup Folder

RCSession has the ability to modify a Registry Run key to establish persistence.[3][4]
Enterprise T1059 .003 命令与脚本解释器: Windows Command Shell

RCSession can use cmd.exe for execution on compromised hosts.[3]
Enterprise T1113 屏幕捕获

RCSession can capture screenshots from a compromised host.[4]
Enterprise T1071 .001 应用层协议: Web Protocols

RCSession can use HTTP in C2 communications.[3][4]
Enterprise T1106 本机API

RCSession can use WinSock API for communication including WSASend and WSARecv.[4]
Enterprise T1027 .011 混淆文件或信息: Fileless Storage

RCSession can store its obfuscated configuration file in the Registry under HKLM\SOFTWARE\Plus or HKCU\SOFTWARE\Plus.[3][4]
.013 混淆文件或信息: Encrypted/Encoded File

RCSession can compress and obfuscate its strings to evade detection on a compromised host.[3]
Enterprise T1548 .002 滥用权限提升控制机制: Bypass User Account Control

RCSession can bypass UAC to escalate privileges.[3]
Enterprise T1070 .004 移除指标: File Deletion

RCSession can remove files from a targeted system.[4]
Enterprise T1218 .007 系统二进制代理执行: Msiexec

RCSession has the ability to execute inside the msiexec.exe process.[4]
Enterprise T1082 系统信息发现

RCSession can gather system information from a compromised host.[4]
Enterprise T1033 系统所有者/用户发现

RCSession can gather system owner information, including user and administrator privileges.[4]
Enterprise T1105 输入工具传输

RCSession has the ability to drop additional files to an infected machine.[4]
Enterprise T1056 .001 输入捕获: Keylogging

RCSession has the ability to capture keystrokes on a compromised host.[3][4]
Enterprise T1057 进程发现

RCSession can identify processes based on PID.[4]
Enterprise T1055 .012 进程注入: Process Hollowing

RCSession can launch itself from a hollowed svchost.exe process.[1][3][4]
Enterprise T1095 非应用层协议

RCSession has the ability to use TCP and UDP in C2 communications.[3][4]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390

[2][3][4]
G0129 Mustang Panda

[1]

References

  1. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  2. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  1. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  2. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.