win.remexi (Back to overview)

Remexi

aka: CACHEMONEY

Actor(s): APT39, Chafer


There is no description at this point.

References
2020-05-21BitdefenderLiviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } COBALT HICKMAN
MimiKatz Remexi APT39
2019-02-14Twitter (@QW5kcmV3)Andrew Thompson
@online{thompson:20190214:unpacking:1ff2299, author = {Andrew Thompson}, title = {{Tweet on unpacking Remexi payload}}, date = {2019-02-14}, organization = {Twitter (@QW5kcmV3)}, url = {https://twitter.com/QW5kcmV3/status/1095833216605401088}, language = {English}, urldate = {2020-01-27} } Tweet on unpacking Remexi payload
Remexi
2019-01-30Kaspersky LabsDenis Legezo
@online{legezo:20190130:chafer:bb3ce4d, author = {Denis Legezo}, title = {{Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities}}, date = {2019-01-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/chafer-used-remexi-malware/89538/}, language = {English}, urldate = {2019-12-20} } Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Remexi APT39
2018-02-28SymantecCritical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2018-02-28SymantecSecurity Response Attack Investigation Team
@online{team:20180228:chafer:552bafb, author = {Security Response Attack Investigation Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-01-09} } Chafer: Latest Attacks Reveal Heightened Ambitions
Remexi APT39
2015-12-07SymantecSecurity Response
@online{response:20151207:iranbased:5e7136f, author = {Security Response}, title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}}, date = {2015-12-07}, organization = {Symantec}, url = {https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets}, language = {English}, urldate = {2020-04-21} } Iran-based attackers use back door threats to spy on Middle Eastern targets
CadelSpy Remexi Cadelle
2015-12-07SymantecSymantec
@techreport{symantec:20151207:backdoorcadelspy:6a40e51, author = {Symantec}, title = {{Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise}}, date = {2015-12-07}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf}, language = {English}, urldate = {2020-01-06} } Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise
CadelSpy Remexi
Yara Rules
[TLP:WHITE] win_remexi_auto (20201014 | autogenerated rule brought to you by yara-signator)
rule win_remexi_auto {
    /*
     * Purpose: detect Remexi (aka CACHEMONEY) by short opcode-byte sequences that
     * were auto-extracted from the disassembly of samples (see meta.tool / tool_config).
     *
     * Reading the strings section:
     *  - each $sequence_N is a run of instruction bytes; the "n" in its comment is the
     *    number of instructions in the run and "score" is a value assigned by the
     *    generator. The meaning of the score levels (300/200/100) is not defined on this
     *    page — confirm against the yara-signator documentation before using it as a
     *    confidence indicator.
     *  - the `??` wildcards mask bytes that vary between builds; given
     *    tool_config = "callsandjumps;datarefs;binvalue" these appear to be relative
     *    call/jump displacements (e8 / e9 / ff15) and absolute data references
     *    (a3, c705, 890d, 8b0d, 8b35, ...) — presumably, verify against the tool.
     *  - $sequence_0..14 disassemble as 32-bit code; $sequence_15..22 begin with
     *    REX-prefix bytes (40/45/48/49/4c), i.e. they look like 64-bit code.
     *    NOTE(review): the per-byte disassembly comments on those sequences were
     *    evidently produced in 32-bit mode (0x48 rendered as `dec eax`) and are shifted
     *    relative to the bytes they annotate; treat the hex bytes, not the mnemonics,
     *    as authoritative.
     *
     * Condition: any 7 of the 23 sequences, in an object smaller than 614400 bytes
     * (600 KiB). Because of the filesize cap, larger scan targets (e.g. full memory
     * dumps or containers that embed the payload) will not match even if the code is
     * present; change the bound deliberately if the rule is retargeted.
     */

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // --- 32-bit code sequences (score 300 / 200) ---
        $sequence_0 = { 56 c706ffffffff e8???????? 83c404 }
            // n = 4, score = 300
            //   56                   | push                esi
            //   c706ffffffff         | mov                 dword ptr [esi], 0xffffffff
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 6a00 6a02 c785ccfeffff28010000 ff15???????? }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   6a02                 | push                2
            //   c785ccfeffff28010000     | mov    dword ptr [ebp - 0x134], 0x128
            //   ff15????????         |                     

        $sequence_2 = { 50 a3???????? c705????????02000000 890d???????? ffd6 6a00 }
            // n = 6, score = 200
            //   50                   | push                eax
            //   a3????????           |                     
            //   c705????????02000000     |     
            //   890d????????         |                     
            //   ffd6                 | call                esi
            //   6a00                 | push                0

        $sequence_3 = { e8???????? 6a01 6a00 6a00 ff15???????? 8bf8 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   8bf8                 | mov                 edi, eax

        $sequence_4 = { 6a10 8d4ddc 8bf0 51 56 ff15???????? 85c0 }
            // n = 7, score = 200
            //   6a10                 | push                0x10
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   8bf0                 | mov                 esi, eax
            //   51                   | push                ecx
            //   56                   | push                esi
            //   ff15????????         |                     
            //   85c0                 | test                eax, eax

        // $sequence_5 overlaps the start of $sequence_4 (6a10 8d4ddc 8bf0), so both
        // will typically fire together on the same code.
        $sequence_5 = { ff15???????? 6a10 8d4ddc 8bf0 }
            // n = 4, score = 200
            //   ff15????????         |                     
            //   6a10                 | push                0x10
            //   8d4ddc               | lea                 ecx, [ebp - 0x24]
            //   8bf0                 | mov                 esi, eax

        $sequence_6 = { 68???????? 50 c705????????01000000 c705????????00000000 }
            // n = 4, score = 200
            //   68????????           |                     
            //   50                   | push                eax
            //   c705????????01000000     |     
            //   c705????????00000000     |     

        $sequence_7 = { 894710 ff15???????? 6a00 6a00 }
            // n = 4, score = 200
            //   894710               | mov                 dword ptr [edi + 0x10], eax
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   6a00                 | push                0

        $sequence_8 = { 50 6a02 ff15???????? 6a10 }
            // n = 4, score = 200
            //   50                   | push                eax
            //   6a02                 | push                2
            //   ff15????????         |                     
            //   6a10                 | push                0x10

        $sequence_9 = { ffd7 56 ffd7 5e b801000000 }
            // n = 5, score = 200
            //   ffd7                 | call                edi
            //   56                   | push                esi
            //   ffd7                 | call                edi
            //   5e                   | pop                 esi
            //   b801000000           | mov                 eax, 1

        $sequence_10 = { 85f6 7513 8b45d8 8b4818 8b5104 50 }
            // n = 6, score = 200
            //   85f6                 | test                esi, esi
            //   7513                 | jne                 0x15
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   8b4818               | mov                 ecx, dword ptr [eax + 0x18]
            //   8b5104               | mov                 edx, dword ptr [ecx + 4]
            //   50                   | push                eax

        $sequence_11 = { 57 ff15???????? 5e 33c0 5f c3 56 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   ff15????????         |                     
            //   5e                   | pop                 esi
            //   33c0                 | xor                 eax, eax
            //   5f                   | pop                 edi
            //   c3                   | ret                 
            //   56                   | push                esi

        $sequence_12 = { 8945e4 8945e8 b802000000 51 668945dc }
            // n = 5, score = 200
            //   8945e4               | mov                 dword ptr [ebp - 0x1c], eax
            //   8945e8               | mov                 dword ptr [ebp - 0x18], eax
            //   b802000000           | mov                 eax, 2
            //   51                   | push                ecx
            //   668945dc             | mov                 word ptr [ebp - 0x24], ax

        $sequence_13 = { 50 ff15???????? 8b0d???????? 8b35???????? 890d???????? }
            // n = 5, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8b0d????????         |                     
            //   8b35????????         |                     
            //   890d????????         |                     

        $sequence_14 = { 52 6a00 68ffff1f00 ffd7 8bf0 85f6 }
            // n = 6, score = 200
            //   52                   | push                edx
            //   6a00                 | push                0
            //   68ffff1f00           | push                0x1fffff
            //   ffd7                 | call                edi
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi

        // --- sequences with REX-prefixed (64-bit-looking) bytes (score 100) ---
        // The mnemonic annotations below are a 32-bit decode and do not line up with
        // the bytes on the same line; rely on the hex.
        $sequence_15 = { 488d95f8000000 488d4c2460 e8???????? 488b08 48635104 4803d0 f6421006 }
            // n = 7, score = 100
            //   488d95f8000000       | dec                 eax
            //   488d4c2460           | mov                 ecx, ebx
            //   e8????????           |                     
            //   488b08               | dec                 eax
            //   48635104             | lea                 edx, [ebp + 0xf8]
            //   4803d0               | dec                 eax
            //   f6421006             | lea                 ecx, [esp + 0x60]

        $sequence_16 = { 4885db 7473 4c3bcb 776e b801000000 492bc1 }
            // n = 6, score = 100
            //   4885db               | cmp                 dword ptr [esp + 0x98], 0x10
            //   7473                 | jb                  0x18
            //   4c3bcb               | dec                 eax
            //   776e                 | mov                 ecx, dword ptr [esp + 0x80]
            //   b801000000           | test                bl, bl
            //   492bc1               | jne                 0xfffffe26

        $sequence_17 = { 4883bc249800000010 720d 488b8c2480000000 e8???????? 84db 0f8516feffff }
            // n = 6, score = 100
            //   4883bc249800000010     | dec    eax
            //   720d                 | mov                 edx, dword ptr [esp + 0x68]
            //   488b8c2480000000     | dec                 eax
            //   e8????????           |                     
            //   84db                 | mov                 ebx, dword ptr [esp + 0x60]
            //   0f8516feffff         | dec                 eax

        $sequence_18 = { e8???????? 84c0 7418 488b0b 488d5330 4533c9 }
            // n = 6, score = 100
            //   e8????????           |                     
            //   84c0                 | inc                 eax
            //   7418                 | push                ebx
            //   488b0b               | dec                 eax
            //   488d5330             | sub                 esp, 0x20
            //   4533c9               | dec                 eax

        $sequence_19 = { e8???????? 48837f1810 48895f10 0f82d2000000 488b07 e9???????? }
            // n = 6, score = 100
            //   e8????????           |                     
            //   48837f1810           | jb                  0x79
            //   48895f10             | dec                 eax
            //   0f82d2000000         | lea                 edi, [esp + 0x50]
            //   488b07               | dec                 eax
            //   e9????????           |                     

        $sequence_20 = { 488b542468 488b5c2460 488b4c2450 4883ceff 4883fb01 726a 488d7c2450 }
            // n = 7, score = 100
            //   488b542468           | dec                 eax
            //   488b5c2460           | mov                 ecx, dword ptr [eax]
            //   488b4c2450           | dec                 eax
            //   4883ceff             | arpl                word ptr [ecx + 4], dx
            //   4883fb01             | dec                 eax
            //   726a                 | add                 edx, eax
            //   488d7c2450           | test                byte ptr [edx + 0x10], 6

        // $sequence_21 contains a fixed RIP-relative displacement (488d15e7330100); this
        // is the most build-specific sequence in the set and is the likeliest to stop
        // matching on recompiled variants.
        $sequence_21 = { 488d15e7330100 483305???????? 488bcb 488905???????? ff15???????? }
            // n = 5, score = 100
            //   488d15e7330100       | dec                 eax
            //   483305????????       |                     
            //   488bcb               | lea                 edx, [0x133e7]
            //   488905????????       |                     
            //   ff15????????         |                     

        $sequence_22 = { 4053 4883ec20 488b01 488d9990000000 48634804 }
            // n = 5, score = 100
            //   4053                 | mov                 ecx, dword ptr [esp + 0x50]
            //   4883ec20             | dec                 eax
            //   488b01               | or                  esi, 0xffffffff
            //   488d9990000000       | dec                 eax
            //   48634804             | cmp                 ebx, 1

    condition:
        // 7 of 23 sequences; 614400 bytes = 600 KiB upper bound on the scanned object.
        7 of them and filesize < 614400
}
[TLP:WHITE] win_remexi_w0   (20170410 | No description)
rule win_remexi_w0 {
    /*
     * Purpose: detect the Remexi backdoor by its embedded command tokens, debug-symbol
     * (PDB) path fragments and status/configuration strings, as listed in Symantec's
     * CadelSpy/Remexi indicators-of-compromise report (meta.source).
     *
     * String groups:
     *  - $c1..$c8: short ASCII tokens written as hex so that the surrounding NUL bytes
     *    (00 ... 00) are part of the match, i.e. each token must occur as a complete
     *    NUL-terminated C string, not merely as a substring. $c5, $c7 and $c8 carry
     *    only 2-3 payload bytes and would be common in arbitrary binaries on their own;
     *    the condition offsets this by requiring several of them together with $s*/$d*.
     *  - $d1, $d2: PDB path suffixes.
     *  - $s1..$s5: plain text strings with no `wide`/`nocase` modifier, so only exact
     *    ASCII copies match; a UTF-16 copy of the same text would not.
     *
     * Condition: either 4 command tokens plus (2 status strings or any PDB path), or
     * 5 command tokens plus any status string. There is no filesize bound, so the rule
     * is evaluated against objects of any size.
     *
     * License note: meta.malpedia_license is CC BY-NC-SA 4.0 (non-commercial), which
     * differs from the CC BY-SA 4.0 of the autogenerated rule on this page — check
     * before redistributing.
     */
    meta:
        source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_version = "20170410"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        // NUL-delimited command/protocol tokens
        $c1   = { 00 3C 65 78 69 74 3E 00 }    /* <exit>  */
        $c2   = { 00 3C 69 64 3E 00 }          /* <id>    */
        $c3   = { 00 3C 72 65 6D 3E 00 }       /* <rem>   */
        $c4   = { 00 3C 63 6C 6F 73 65 3E 00}  /* <close> */
        $c5   = { 00 57 49 4E 00 }             /* WIN     */
        $c6   = { 00 63 6D 64 2E 65 78 65 00 } /* cmd.exe */
        $c7   = { 00 49 44 00 }                /* ID      */ 
        $c8   = { 00 72 65 6D 00 }             /* rem     */
        // PDB path suffixes (note the escaped backslash)
        $d1   = "\\SEA.pdb"
        $d2   = "\\mas.pdb"
        // status and configuration strings
        $s1  = "Connecting to the server..."
        $s2  = "cmd.exe /c sc stop sea & sc start sea"     // restarts a service named "sea" via sc.exe
        $s3  = "SYSTEM\\CurrentControlSet\\services\\SEA\\Parameters"  // Parameters key of the "SEA" service
        $s4  = "RecvWrit()-Read_Sock-Failed"
        $s5  = "ReadPipeSendSock()"
    condition:
        // 4 tokens + (2 status strings or a PDB path), or 5 tokens + any status string
        (4 of ($c*) and (2 of ($s*) or any of ($d*))) or (5 of ($c*) and any of ($s*))
}