- BKDR_REMOSH
Aliases: Redsip, NightDragon, NDragon
Platform: Windows 2000, Windows XP, Windows Server 2003
Infection channel: Downloaded from the Internet, Dropped by other malware
REMOSH is known as part of the Night Dragon attack in 2011. It targets mostly networks that belong to energy companies.
It is a combination of a backdoor and a hacking tool. The hacking tool acts as a Trojan builder and as a command-and-control (C&C) interface for the backdoor components it generates. REMOSH enumerates the processes and services running on affected computers. It can also do the following:
REMOSH also steals system information such as computer name, operating system, and processor information. The stolen information is then fed back to its C&C servers.
Payload: Connects to URLs/IPs, Steals information
Installation
This backdoor drops the following files:
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
Autostart Technique
This backdoor adds the following registry entries to enable its automatic execution at every system startup:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\{Random Service Name}\Parameters
ServiceDLL = "%System%\{malware file name}"
Other System Modifications
This backdoor adds the following registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\RAT
install = "%System%"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CryptHost
ImagePath = "%System Root%\System32\svchost.exe -k CryptHost "
HKEY_LOCAL_MACHINE\SOFTWARE\RAT
connect1 = "shell.{BLOCKED}f.com"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\CryptHost\Parameters
ServiceDll = "%System%\Startup.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\SvcHost
CryptHost = "CryptHost"
It modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\PolicyAgent
Start = "4"
(Note: The default value data of the said registry entry is 2.)
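The autostart entry and the registry modifications above are all host indicators an incident responder can check against a registry export taken from a suspect machine. The following Python script is an added example, not part of the Trend Micro write-up: it parses a (simplified) `reg export` text dump and reports the REMOSH artifacts described on this page: a `ServiceDll` pointing at `Startup.dll`, the `CryptHost` service and its svchost group registration, the `HKLM\SOFTWARE\RAT` configuration key, and `PolicyAgent` (the IPsec Policy Agent service) set to `Start = 4`, which is the Disabled start type (the default 2 is Automatic). It also lists every svchost-hosted `ServiceDll` so the randomly named service from the Autostart Technique section can be reviewed against a known-good baseline. The sample export is constructed for the example; the `ExampleSvc` service is hypothetical, the parser only handles `REG_SZ` and `REG_DWORD` values (real exports write `ServiceDll` as `hex(2)` and svchost groups as `hex(7)`), and the C&C hostname is kept in the page's redacted form.

```python
import re

# Registry paths are case-insensitive, so every key and value name is
# lower-cased before comparison (the page itself shows both "ServiceDLL"
# and "ServiceDll").
SERVICES_PREFIX = "hkey_local_machine\\system\\currentcontrolset\\services\\"
SVCHOST_GROUPS_KEY = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\svchost"
RAT_KEY = "hkey_local_machine\\software\\rat"

# Constructed sample export reflecting the indicators on this page.
# "ExampleSvc" is a hypothetical benign service used as a baseline entry.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\RAT]
"install"="C:\\WINDOWS\\system32"
"connect1"="shell.{BLOCKED}f.com"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptHost]
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k CryptHost "

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CryptHost\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\Startup.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleSvc\Parameters]
"ServiceDLL"="C:\\WINDOWS\\system32\\examplesvc.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"CryptHost"="CryptHost"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent]
"Start"=dword:00000004
'''

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text):
    """Parse a .reg export into {key_lower: {value_name_lower: value}}.

    Simplified parser: string values ("...") are unescaped and DWORDs
    (dword:xxxxxxxx) become ints; other value types are skipped.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        match = _VALUE_LINE.match(line)
        if match is None or current is None:
            continue
        name = match.group(1).lower()
        rhs = match.group(2)
        if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
            # Undo .reg escaping: \\ -> \ and \" -> "
            value = re.sub(r"\\(.)", r"\1", rhs[1:-1])
        elif rhs.startswith("dword:"):
            value = int(rhs[len("dword:"):], 16)
        else:
            continue
        keys[current][name] = value
    return keys


def list_service_dlls(keys):
    """Return {service_name: ServiceDll} for every svchost-hosted service,
    so the list can be diffed against a known-good baseline."""
    dlls = {}
    for key, values in keys.items():
        if key.startswith(SERVICES_PREFIX) and key.endswith("\\parameters"):
            service = key[len(SERVICES_PREFIX):-len("\\parameters")]
            if "servicedll" in values:
                dlls[service] = values["servicedll"]
    return dlls


def find_remosh_indicators(keys):
    """Return human-readable findings for the artifacts described on the page."""
    findings = []
    # 1. ServiceDll pointing at Startup.dll, or the CryptHost service itself.
    for service, dll in list_service_dlls(keys).items():
        if dll.lower().endswith("\\startup.dll") or service == "crypthost":
            findings.append(f"service {service}: ServiceDll={dll}")
    # 2. CryptHost registered as an svchost group.
    if "crypthost" in keys.get(SVCHOST_GROUPS_KEY, {}):
        findings.append("svchost group CryptHost registered")
    # 3. The HKLM\SOFTWARE\RAT configuration key (install path and C&C host).
    rat = keys.get(RAT_KEY)
    if rat is not None:
        details = ", ".join(f"{k}={v}" for k, v in sorted(rat.items()))
        findings.append(f"HKLM\\SOFTWARE\\RAT present: {details}")
    # 4. IPsec Policy Agent disabled: Start=4 (default is 2, Automatic).
    if keys.get(SERVICES_PREFIX + "policyagent", {}).get("start") == 4:
        findings.append("PolicyAgent Start=4 (service disabled; default is 2)")
    return findings


if __name__ == "__main__":
    for finding in find_remosh_indicators(parse_reg_export(SAMPLE_EXPORT)):
        print(finding)
```

On a real host the input would come from `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` (and the two HKLM\SOFTWARE paths), saved as UTF-8 text; the parser above would need `hex(2)`/`hex(7)` decoding added for production exports. The `HKLM\SOFTWARE\RAT` key and the `CryptHost` group name are the cheapest checks; the `ServiceDll` inventory is what catches the randomly named service that carries no fixed indicator.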
Other Details
This backdoor connects to the following possibly malicious URL: