SYMBOLCOMMON_NAMEaka. SYNONYMS
win.rcs (Back to overview)

RCS

aka: Remote Control System, Crisis

Actor(s): Hacking Team, APT-C-34


There is no description at this point.

References
2020-01-31Virus BulletinMichal Poslušný, Peter Kálnai
@online{poslun:20200131:rich:c25f156, author = {Michal Poslušný and Peter Kálnai}, title = {{Rich Headers: leveraging this mysterious artifact of the PE format}}, date = {2020-01-31}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/}, language = {English}, urldate = {2020-02-03} } Rich Headers: leveraging this mysterious artifact of the PE format
Dridex Exaramel Industroyer Neutrino RCS Sathurbot
2019-11-20360admin001
@online{admin001:20191120:shadow:49b26ff, author = {admin001}, title = {{Shadow of the Circle Hovering Over Central Asia - The Golden Eagle (APT-C-34) Organizing Attack Revealed}}, date = {2019-11-20}, organization = {360}, url = {http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html}, language = {English}, urldate = {2020-01-10} } Shadow of the Circle Hovering Over Central Asia - The Golden Eagle (APT-C-34) Organizing Attack Revealed
RCS APT-C-34
2019-01Virus BulletinFilip Kafka
@online{kafka:201901:vb2018:7d81852, author = {Filip Kafka}, title = {{VB2018 paper: From Hacking Team to hacked team to...?}}, date = {2019-01}, organization = {Virus Bulletin}, url = {https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/}, language = {English}, urldate = {2020-01-13} } VB2018 paper: From Hacking Team to hacked team to...?
RCS
2018-03-09ESET ResearchFilip Kafka
@online{kafka:20180309:new:9d79d4b, author = {Filip Kafka}, title = {{New traces of Hacking Team in the wild}}, date = {2018-03-09}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/}, language = {English}, urldate = {2019-11-14} } New traces of Hacking Team in the wild
RCS Hacking Team
2017-04F-SecureF-Secure Labs
@online{labs:201704:callisto:5e97cb4, author = {F-Secure Labs}, title = {{CALLISTO GROUP}}, date = {2017-04}, organization = {F-Secure}, url = {https://www.f-secure.com/documents/996508/1030745/callisto-group}, language = {English}, urldate = {2019-12-10} } CALLISTO GROUP
RCS Callisto
2012-12-07Contagiodump BlogMila Parkour
@online{parkour:20121207:aug:d59b277, author = {Mila Parkour}, title = {{Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT}}, date = {2012-12-07}, organization = {Contagiodump Blog}, url = {http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html}, language = {English}, urldate = {2019-12-20} } Aug 2012 W32.Crisis and OSX.Crisis - JAR file Samples - APT
Crisis RCS
2012-08-20SymantecTakashi Katsuki
@online{katsuki:20120820:crisis:60cb26b, author = {Takashi Katsuki}, title = {{Crisis for Windows Sneaks onto Virtual Machines}}, date = {2012-08-20}, organization = {Symantec}, url = {https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines}, language = {English}, urldate = {2020-01-10} } Crisis for Windows Sneaks onto Virtual Machines
Crisis RCS
2012-07-24The Mac Security BlogLysa Myers
@online{myers:20120724:new:2dbd887, author = {Lysa Myers}, title = {{New Apple Mac Trojan Called OSX/Crisis Discovered}}, date = {2012-07-24}, organization = {The Mac Security Blog}, url = {https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?}, language = {English}, urldate = {2020-01-09} } New Apple Mac Trojan Called OSX/Crisis Discovered
Crisis RCS
Yara Rules
[TLP:WHITE] win_rcs_auto (20200529 | autogenerated rule brought to you by yara-signator)
rule win_rcs_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-05-30"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.4.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs"
        malpedia_rule_date = "20200529"
        malpedia_hash = "92c362319514e5a6da26204961446caa3a8b32a8"
        malpedia_version = "20200529"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff15???????? 5f 5e 5d 5b 33c0 }
            // n = 6, score = 200
            //   ff15????????         |                     
            //   5f                   | pop                 edi
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   5b                   | pop                 ebx
            //   33c0                 | xor                 eax, eax

        $sequence_1 = { 6880000000 6a01 6a00 6a05 6800000040 }
            // n = 5, score = 200
            //   6880000000           | push                0x80
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a05                 | push                5
            //   6800000040           | push                0x40000000

        $sequence_2 = { 8944245e 89442462 89442466 8944246a }
            // n = 4, score = 200
            //   8944245e             | mov                 dword ptr [esp + 0x5e], eax
            //   89442462             | mov                 dword ptr [esp + 0x62], eax
            //   89442466             | mov                 dword ptr [esp + 0x66], eax
            //   8944246a             | mov                 dword ptr [esp + 0x6a], eax

        $sequence_3 = { e8???????? 83c430 6aff 68???????? }
            // n = 4, score = 200
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30
            //   6aff                 | push                -1
            //   68????????           |                     

        $sequence_4 = { 40 68???????? 50 e8???????? 83c40c eb0d }
            // n = 6, score = 200
            //   40                   | inc                 eax
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   eb0d                 | jmp                 0xf

        $sequence_5 = { ff15???????? 85c0 740d ff15???????? 33c0 }
            // n = 5, score = 200
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax
            //   740d                 | je                  0xf
            //   ff15????????         |                     
            //   33c0                 | xor                 eax, eax

        $sequence_6 = { 899538f4fbff b818000000 89853cf4fbff 8b8d40f4fbff 0fb7896c020000 f7e1 898534f4fbff }
            // n = 7, score = 100
            //   899538f4fbff         | mov                 dword ptr [ebp - 0x40bc8], edx
            //   b818000000           | mov                 eax, 0x18
            //   89853cf4fbff         | mov                 dword ptr [ebp - 0x40bc4], eax
            //   8b8d40f4fbff         | mov                 ecx, dword ptr [ebp - 0x40bc0]
            //   0fb7896c020000       | movzx               ecx, word ptr [ecx + 0x26c]
            //   f7e1                 | mul                 ecx
            //   898534f4fbff         | mov                 dword ptr [ebp - 0x40bcc], eax

        $sequence_7 = { 8d7c3718 897df8 eb2a 8b7d08 8bbfdc000000 }
            // n = 5, score = 100
            //   8d7c3718             | lea                 edi, [edi + esi + 0x18]
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   eb2a                 | jmp                 0x2c
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8bbfdc000000         | mov                 edi, dword ptr [edi + 0xdc]

        $sequence_8 = { 85c0 0f85dd000000 3905???????? 0f84c6000000 a1???????? }
            // n = 5, score = 100
            //   85c0                 | test                eax, eax
            //   0f85dd000000         | jne                 0xe3
            //   3905????????         |                     
            //   0f84c6000000         | je                  0xcc
            //   a1????????           |                     

        $sequence_9 = { b828000000 f765fc 8945e8 8b7de8 037df8 }
            // n = 5, score = 100
            //   b828000000           | mov                 eax, 0x28
            //   f765fc               | mul                 dword ptr [ebp - 4]
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   8b7de8               | mov                 edi, dword ptr [ebp - 0x18]
            //   037df8               | add                 edi, dword ptr [ebp - 8]

        $sequence_10 = { 8b7df0 8b7f0c 83c714 897df8 8b7df8 8b3f }
            // n = 6, score = 100
            //   8b7df0               | mov                 edi, dword ptr [ebp - 0x10]
            //   8b7f0c               | mov                 edi, dword ptr [edi + 0xc]
            //   83c714               | add                 edi, 0x14
            //   897df8               | mov                 dword ptr [ebp - 8], edi
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   8b3f                 | mov                 edi, dword ptr [edi]

        $sequence_11 = { ff565c eb46 8bbd48f4fbff 83c702 8b96dc000000 ffb4ba70020000 }
            // n = 6, score = 100
            //   ff565c               | call                dword ptr [esi + 0x5c]
            //   eb46                 | jmp                 0x48
            //   8bbd48f4fbff         | mov                 edi, dword ptr [ebp - 0x40bb8]
            //   83c702               | add                 edi, 2
            //   8b96dc000000         | mov                 edx, dword ptr [esi + 0xdc]
            //   ffb4ba70020000       | push                dword ptr [edx + edi*4 + 0x270]

        $sequence_12 = { 8b955cf4fbff 01c2 83ea04 899405a4f9fbff }
            // n = 4, score = 100
            //   8b955cf4fbff         | mov                 edx, dword ptr [ebp - 0x40ba4]
            //   01c2                 | add                 edx, eax
            //   83ea04               | sub                 edx, 4
            //   899405a4f9fbff       | mov                 dword ptr [ebp + eax - 0x4065c], edx

        $sequence_13 = { e8???????? 83c40c 8b7d08 8bbfdc000000 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   83c40c               | add                 esp, 0xc
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   8bbfdc000000         | mov                 edi, dword ptr [edi + 0xdc]

        $sequence_14 = { 4e 83cefc 46 7416 42 8bf2 }
            // n = 6, score = 100
            //   4e                   | dec                 esi
            //   83cefc               | or                  esi, 0xfffffffc
            //   46                   | inc                 esi
            //   7416                 | je                  0x18
            //   42                   | inc                 edx
            //   8bf2                 | mov                 esi, edx

        $sequence_15 = { 83c408 8945f4 8b7df8 ff7720 }
            // n = 4, score = 100
            //   83c408               | add                 esp, 8
            //   8945f4               | mov                 dword ptr [ebp - 0xc], eax
            //   8b7df8               | mov                 edi, dword ptr [ebp - 8]
            //   ff7720               | push                dword ptr [edi + 0x20]

        $sequence_16 = { 52 d6 3cc3 256c6dcabc fa 5d cdcb }
            // n = 7, score = 100
            //   52                   | push                edx
            //   d6                   | salc                
            //   3cc3                 | cmp                 al, 0xc3
            //   256c6dcabc           | and                 eax, 0xbcca6d6c
            //   fa                   | cli                 
            //   5d                   | pop                 ebp
            //   cdcb                 | int                 0xcb

        $sequence_17 = { 56 c744240cf32681c4 c74424103986db92 c744241471a3b9e6 }
            // n = 4, score = 100
            //   56                   | push                esi
            //   c744240cf32681c4     | mov                 dword ptr [esp + 0xc], 0xc48126f3
            //   c74424103986db92     | mov                 dword ptr [esp + 0x10], 0x92db8639
            //   c744241471a3b9e6     | mov                 dword ptr [esp + 0x14], 0xe6b9a371

    condition:
        7 of them and filesize < 11501568
}
[TLP:WHITE] win_rcs_w0   (20170521 | Hacking Team Disclosure Sample - file elevator.exe)
rule win_rcs_w0 {
	meta:
		description = "Hacking Team Disclosure Sample - file elevator.exe"
		author = "Florian Roth"
		reference = "Hacking Team Disclosure elevator.c"
		date = "2015-07-07"
		hash1 = "40a10420b9d49f87527bc0396b19ec29e55e9109e80b52456891243791671c1c"
		hash2 = "92aec56a859679917dffa44bd4ffeb5a8b2ee2894c689abbbcbe07842ec56b8d"
		hash = "9261693b67b6e379ad0e57598602712b8508998c0cb012ca23139212ae0009a1"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs"
        malpedia_version = "20170521"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$x1 = "CRTDLL.DLL" fullword ascii
		$x2 = "\\sysnative\\CI.dll" fullword ascii
		$x3 = "\\SystemRoot\\system32\\CI.dll" fullword ascii
		$x4 = "C:\\\\Windows\\\\Sysnative\\\\ntoskrnl.exe" fullword ascii /* PEStudio Blacklist: strings */

		$s1 = "[*] traversing processes" fullword ascii /* PEStudio Blacklist: strings */
		$s2 = "_getkprocess" fullword ascii /* PEStudio Blacklist: strings */
		$s3 = "[*] LoaderConfig %p" fullword ascii /* PEStudio Blacklist: strings */
		$s4 = "loader.obj" fullword ascii /* PEStudio Blacklist: strings */
		$s5 = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3" ascii /* PEStudio Blacklist: strings */
		$s6 = "[*] token restore" fullword ascii /* PEStudio Blacklist: strings */
		$s7 = "elevator.obj" fullword ascii
		$s8 = "_getexport" fullword ascii /* PEStudio Blacklist: strings */
	condition:
		uint16(0) == 0x5a4d and filesize < 3000KB and all of ($x*) and 3 of ($s*)
}
[TLP:WHITE] win_rcs_w1   (20170521 | Hacking Team Disclosure Sample - file ndisk.sys)
rule win_rcs_w1 {
	meta:
		description = "Hacking Team Disclosure Sample - file ndisk.sys"
		author = "Florian Roth"
		reference = "https://www.virustotal.com/en/file/a03a6ed90b89945a992a8c69f716ec3c743fa1d958426f4c50378cca5bef0a01/analysis/1436184181/"
		date = "2015-07-07"
		hash = "cf5089752ba51ae827971272a5b761a4ab0acd84"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs"
        malpedia_version = "20170521"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
	strings:
		$s1 = "\\Registry\\Machine\\System\\ControlSet00%d\\services\\ndisk.sys" fullword wide 
		$s2 = "\\Registry\\Machine\\System\\ControlSet00%d\\Enum\\Root\\LEGACY_NDISK.SYS" fullword wide 
		$s3 = "\\Driver\\DeepFrz" fullword wide
		$s4 = "Microsoft Kernel Disk Manager" fullword wide 
		$s5 = "ndisk.sys" fullword wide
		$s6 = "\\Device\\MSH4DEV1" fullword wide
		$s7 = "\\DosDevices\\MSH4DEV1" fullword wide
		$s8 = "built by: WinDDK" fullword wide
	condition:
		uint16(0) == 0x5a4d and filesize < 30KB and 6 of them
}
Download all Yara Rules