SYMBOLCOMMON_NAMEaka. SYNONYMS
win.remexi (Back to overview)

Remexi

aka: CACHEMONEY

Actor(s): APT39, Chafer


Remexi is a highly advanced and stealthy malware discovered in recent times. It employs sophisticated evasion techniques to infiltrate target systems and networks undetected. This malware utilizes various propagation vectors, including exploit kits, social engineering tactics, and compromised websites. Once inside a system, Remexi establishes persistence through rootkit capabilities and leverages coAmmand-and-control infrastructure to receive and execute malicious commands. It possesses keylogging and data exfiltration capabilities, enabling it to steal sensitive information such as login credentials and financial data. Additionally, Remexi can download and execute additional payloads, making it adaptable and capable of evolving its malicious activities over time.

References
2020-05-21BitdefenderLiviu Arsene, Bogdan Rusu
@techreport{arsene:20200521:iranian:d9e1468, author = {Liviu Arsene and Bogdan Rusu}, title = {{Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia}}, date = {2020-05-21}, institution = {Bitdefender}, url = {https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf}, language = {English}, urldate = {2020-05-23} } Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia
MimiKatz Remexi
2020SecureworksSecureWorks
@online{secureworks:2020:cobalt:c242388, author = {SecureWorks}, title = {{COBALT HICKMAN}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/cobalt-hickman}, language = {English}, urldate = {2020-05-23} } COBALT HICKMAN
MimiKatz Remexi APT39
2019-02-14Twitter (@QW5kcmV3)Andrew Thompson
@online{thompson:20190214:unpacking:1ff2299, author = {Andrew Thompson}, title = {{Tweet on unpacking Remexi payload}}, date = {2019-02-14}, organization = {Twitter (@QW5kcmV3)}, url = {https://twitter.com/QW5kcmV3/status/1095833216605401088}, language = {English}, urldate = {2020-01-27} } Tweet on unpacking Remexi payload
Remexi
2019-01-30Kaspersky LabsDenis Legezo
@online{legezo:20190130:chafer:bb3ce4d, author = {Denis Legezo}, title = {{Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities}}, date = {2019-01-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/chafer-used-remexi-malware/89538/}, language = {English}, urldate = {2019-12-20} } Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities
Remexi APT39
2018-02-28SymantecSecurity Response Attack Investigation Team
@online{team:20180228:chafer:552bafb, author = {Security Response Attack Investigation Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-01-09} } Chafer: Latest Attacks Reveal Heightened Ambitions
Remexi APT39
2018-02-28SymantecCritical Attack Discovery and Intelligence Team
@online{team:20180228:chafer:5b5b77b, author = {Critical Attack Discovery and Intelligence Team}, title = {{Chafer: Latest Attacks Reveal Heightened Ambitions}}, date = {2018-02-28}, organization = {Symantec}, url = {https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions}, language = {English}, urldate = {2020-04-21} } Chafer: Latest Attacks Reveal Heightened Ambitions
MimiKatz Remexi
2015-12-07SymantecSymantec
@techreport{symantec:20151207:backdoorcadelspy:6a40e51, author = {Symantec}, title = {{Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise}}, date = {2015-12-07}, institution = {Symantec}, url = {http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf}, language = {English}, urldate = {2020-01-06} } Backdoor.Cadelspy and Backdoor.Remexi: indicators of compromise
CadelSpy Remexi
2015-12-07SymantecSecurity Response
@online{response:20151207:iranbased:5e7136f, author = {Security Response}, title = {{Iran-based attackers use back door threats to spy on Middle Eastern targets}}, date = {2015-12-07}, organization = {Symantec}, url = {https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets}, language = {English}, urldate = {2020-04-21} } Iran-based attackers use back door threats to spy on Middle Eastern targets
CadelSpy Remexi Cadelle
Yara Rules
[TLP:WHITE] win_remexi_auto (20230715 | Detects win.remexi.)
rule win_remexi_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.remexi."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 56 c706ffffffff e8???????? 83c404 }
            // n = 4, score = 300
            //   56                   | push                esi
            //   c706ffffffff         | mov                 dword ptr [esi], 0xffffffff
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 6a10 8d4ddc 8bf0 51 56 ff15???????? }
            // n = 6, score = 200
            //   6a10                 | mov                 edx, dword ptr [ecx + 4]
            //   8d4ddc               | jne                 0x15
            //   8bf0                 | mov                 eax, dword ptr [ebp - 0x28]
            //   51                   | mov                 ecx, dword ptr [eax + 0x18]
            //   56                   | mov                 edx, dword ptr [ecx + 4]
            //   ff15????????         |                     

        $sequence_2 = { 8b5104 50 8955e0 ff15???????? }
            // n = 4, score = 200
            //   8b5104               | test                esi, esi
            //   50                   | jne                 0x15
            //   8955e0               | mov                 eax, dword ptr [ebp - 0x28]
            //   ff15????????         |                     

        $sequence_3 = { 6828010000 8d8dccfeffff 6a00 51 }
            // n = 4, score = 200
            //   6828010000           | imul                ebx
            //   8d8dccfeffff         | dec                 eax
            //   6a00                 | sar                 edx, 4
            //   51                   | dec                 eax

        $sequence_4 = { 52 6a00 68ffff1f00 ffd7 8bf0 }
            // n = 5, score = 200
            //   52                   | push                2
            //   6a00                 | push                0x10
            //   68ffff1f00           | lea                 ecx, [ebp - 0x24]
            //   ffd7                 | mov                 esi, eax
            //   8bf0                 | push                0x10

        $sequence_5 = { 68???????? 50 c705????????01000000 c705????????00000000 }
            // n = 4, score = 200
            //   68????????           |                     
            //   50                   | push                eax
            //   c705????????01000000     |     
            //   c705????????00000000     |     

        $sequence_6 = { c705????????00000000 ff15???????? 8b0d???????? 51 }
            // n = 4, score = 200
            //   c705????????00000000     |     
            //   ff15????????         |                     
            //   8b0d????????         |                     
            //   51                   | push                ecx

        $sequence_7 = { 894708 6a01 89470c 57 }
            // n = 4, score = 200
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   6a01                 | push                1
            //   89470c               | mov                 dword ptr [edi + 0xc], eax
            //   57                   | push                edi

        $sequence_8 = { 6a02 ff15???????? 6a10 8d4ddc 8bf0 }
            // n = 5, score = 200
            //   6a02                 | mov                 ebx, dword ptr [esp + 0x30]
            //   ff15????????         |                     
            //   6a10                 | dec                 esp
            //   8d4ddc               | lea                 eax, [0x141f8]
            //   8bf0                 | dec                 ecx

        $sequence_9 = { c705????????ffffffff c705????????01000000 c705????????00000000 ffd6 83ffff }
            // n = 5, score = 200
            //   c705????????ffffffff     |     
            //   c705????????01000000     |     
            //   c705????????00000000     |     
            //   ffd6                 | call                esi
            //   83ffff               | cmp                 edi, -1

        $sequence_10 = { 8907 894704 894708 6a01 }
            // n = 4, score = 200
            //   8907                 | mov                 dword ptr [edi], eax
            //   894704               | mov                 dword ptr [edi + 4], eax
            //   894708               | mov                 dword ptr [edi + 8], eax
            //   6a01                 | push                1

        $sequence_11 = { 56 6824000100 50 57 ff15???????? 8bf0 85f6 }
            // n = 7, score = 200
            //   56                   | push                esi
            //   6824000100           | push                0x10024
            //   50                   | push                eax
            //   57                   | push                edi
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi

        $sequence_12 = { 50 a3???????? c705????????02000000 890d???????? }
            // n = 4, score = 200
            //   50                   | push                eax
            //   a3????????           |                     
            //   c705????????02000000     |     
            //   890d????????         |                     

        $sequence_13 = { 7513 8b45d8 8b4818 8b5104 }
            // n = 4, score = 200
            //   7513                 | mov                 esi, eax
            //   8b45d8               | push                ecx
            //   8b4818               | push                2
            //   8b5104               | push                0x10

        $sequence_14 = { 6a00 6a02 c785ccfeffff28010000 ff15???????? }
            // n = 4, score = 200
            //   6a00                 | lea                 ecx, [ebp - 0x24]
            //   6a02                 | mov                 esi, eax
            //   c785ccfeffff28010000     | push    ecx
            //   ff15????????         |                     

        $sequence_15 = { e8???????? eb2b 83f8ff 7526 4c8d3555e70100 }
            // n = 5, score = 100
            //   e8????????           |                     
            //   eb2b                 | mov                 dword ptr [esp + 8], ebx
            //   83f8ff               | dec                 eax
            //   7526                 | mov                 dword ptr [esp + 0x10], ebp
            //   4c8d3555e70100       | dec                 eax

        $sequence_16 = { 48ffc8 4883f8fd 7705 bf01000000 8bc7 488b5c2430 }
            // n = 6, score = 100
            //   48ffc8               | mov                 dword ptr [esp + 0x18], esi
            //   4883f8fd             | push                edi
            //   7705                 | dec                 eax
            //   bf01000000           | sub                 esp, 0x20
            //   8bc7                 | mov                 edi, 0x24
            //   488b5c2430           | dec                 eax

        $sequence_17 = { 48895c2408 48896c2410 4889742418 57 4883ec20 bf24000000 488d1d50280200 }
            // n = 7, score = 100
            //   48895c2408           | dec                 ecx
            //   48896c2410           | or                  esi, 0xffffffff
            //   4889742418           | dec                 eax
            //   57                   | mov                 edx, dword ptr [esp + 0x68]
            //   4883ec20             | dec                 eax
            //   bf24000000           | lea                 edx, [0x13483]
            //   488d1d50280200       | dec                 eax

        $sequence_18 = { 0f838d000000 482bde 498bc7 48f7eb 48c1fa04 }
            // n = 5, score = 100
            //   0f838d000000         | jmp                 0x2d
            //   482bde               | cmp                 eax, -1
            //   498bc7               | jne                 0x2b
            //   48f7eb               | dec                 esp
            //   48c1fa04             | lea                 esi, [0x1e755]

        $sequence_19 = { 4c8d05f8410100 498b0cc8 486bd258 c644110800 85db }
            // n = 5, score = 100
            //   4c8d05f8410100       | lea                 ebx, [0x22850]
            //   498b0cc8             | dec                 eax
            //   486bd258             | lea                 edx, [0x133ed]
            //   c644110800           | dec                 eax
            //   85db                 | mov                 ecx, ebx

        $sequence_20 = { ff15???????? 488d1583340100 488bcb 483305???????? }
            // n = 4, score = 100
            //   ff15????????         |                     
            //   488d1583340100       | dec                 eax
            //   488bcb               | mov                 ebx, dword ptr [esp + 0x60]
            //   483305????????       |                     

        $sequence_21 = { 480f43c1 4c2bf0 488b5c2460 eb13 488b5c2460 4983ceff 488b542468 }
            // n = 7, score = 100
            //   480f43c1             | dec                 eax
            //   4c2bf0               | cmovae              eax, ecx
            //   488b5c2460           | dec                 esp
            //   eb13                 | sub                 esi, eax
            //   488b5c2460           | dec                 eax
            //   4983ceff             | mov                 ebx, dword ptr [esp + 0x60]
            //   488b542468           | jmp                 0x15

        $sequence_22 = { 488d15ed330100 483305???????? 488bcb 488905???????? ff15???????? }
            // n = 5, score = 100
            //   488d15ed330100       | mov                 ecx, ebx
            //   483305????????       |                     
            //   488bcb               | dec                 eax
            //   488905????????       |                     
            //   ff15????????         |                     

    condition:
        7 of them and filesize < 614400
}
[TLP:WHITE] win_remexi_w0   (20170410 | No description)
rule win_remexi_w0 {
    meta:
        author = "Symantec"
        source = "http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi"
        malpedia_version = "20170410"
        malpedia_sharing = "TLP:WHITE"
        malpedia_license = ""
    strings:
        $c1   = { 00 3C 65 78 69 74 3E 00 }    /* <exit>  */
        $c2   = { 00 3C 69 64 3E 00 }          /* <id>    */
        $c3   = { 00 3C 72 65 6D 3E 00 }       /* <rem>   */
        $c4   = { 00 3C 63 6C 6F 73 65 3E 00}  /* <close> */
        $c5   = { 00 57 49 4E 00 }             /* WIN     */
        $c6   = { 00 63 6D 64 2E 65 78 65 00 } /* cmd.exe */
        $c7   = { 00 49 44 00 }                /* ID      */ 
        $c8   = { 00 72 65 6D 00 }             /* rem     */
        $d1   = "\\SEA.pdb"
        $d2   = "\\mas.pdb"
        $s1  = "Connecting to the server..."
        $s2  = "cmd.exe /c sc stop sea & sc start sea"
        $s3  = "SYSTEM\\CurrentControlSet\\services\\SEA\\Parameters"
        $s4  = "RecvWrit()-Read_Sock-Failed"
        $s5  = "ReadPipeSendSock()"
    condition:
        (4 of ($c*) and (2 of ($s*) or any of ($d*))) or (5 of ($c*) and any of ($s*))
}
Download all Yara Rules