REMOSH Hacktool Used in Targeted Attack

Written by: Joahnna Hipolito

The Trend Micro 2011 Threat Predictions include the growth of targeted attacks, and cybercriminals already seem to be proving that prediction true this early in the year. Many targeted attacks were seen in 2010, with Aurora, "Here you have", and Stuxnet being the most notable ones. It looks like 2011 won't be any different. This attack recently gained media attention and was dubbed the “Night Dragon” attack.

How does this threat arrive on users' systems?

This threat involved targeted attacks against specific networks. The cybercriminals behind this attack compromised part of the targeted organization's network and installed a hacking tool detected as HKTL_REMOSH. HKTL_REMOSH can generate backdoor Trojans that enable the cybercriminal to execute commands on the compromised system, which may lead to the theft of critical data.

How is the user affected by this threat?

This threat involved the remote execution of commands by a cybercriminal through HKTL_REMOSH.

HKTL_REMOSH has two basic functions: as a backdoor Trojan builder, and as a command and control (C&C) interface for the generated backdoor programs, which Trend Micro detected as BKDR_REMOSH.SML. BKDR_REMOSH.SML drops a .DLL file detected as BKDR_REMOSH.SMF that is used to connect back to HKTL_REMOSH.

A successful installation gives the attacker access to the infected system through the hacking tool’s available features:
  • File system browser
  • Command line
  • Registry browser
  • Remote desktop viewer

This hacking tool is also capable of executing the following commands through BKDR_REMOSH.SMF:
  • Enumerate sessions to determine the logged-in user
  • Enumerate files
  • Create and delete files
  • Send and receive files
  • Capture screenshots
  • Get type, information, free space, and name of drives
  • Execute processes
  • Run remote command shell
  • Uninstall itself

Based on this list of commands, a successful attack may cause the user to suffer information theft, information loss, and infection by other malware.

How does this attack work?

HKTL_REMOSH generates a backdoor Trojan, detected as BKDR_REMOSH.SML, which drops a .DLL file detected as BKDR_REMOSH.SMF. The cybercriminal can then use BKDR_REMOSH.SMF to remotely execute commands on the affected system. This enables the attacker to steal information and, ultimately, gain access to more systems within the network.

What makes this attack noteworthy?

Targeted attacks such as this one, though fairly common, pose great threats to organizations, especially when the main goal of the attacker is to steal information.

Examples of past targeted attacks include Aurora (HYDRAQ), which exploited a then-unpatched vulnerability in Internet Explorer (IE); the “Here you have” spam run, which is said to have started as a targeted attack but spread to other users because of the related malware’s propagation routines; and STUXNET, which was widely discussed in 2010 for targeting SCADA systems.

Are Trend Micro customers protected from this threat?

Trend Micro product users are protected from this threat via the Trend Micro™ Smart Protection Network™, which proactively identifies and mitigates threat incidents such as this. Below is a summary of the protection that Trend Micro customers receive:

  1. Web reputation service prevents users from accessing compromised websites that redirect users to malicious Web servers. All known malicious URLs related to this attack are already blocked.
  2. Email reputation and Web reputation services work hand in hand in blocking spear-phishing spammed messages that include links to malicious Web servers.
  3. File reputation service detects and prevents the execution of malicious files detected as HKTL_REMOSH, BKDR_REMOSH.SML and BKDR_REMOSH.SMF.
  4. Web reputation service also prevents compromised machines from communicating with external servers, stopping remote malicious users from executing commands on the infected system.

Trend Micro Deep Security also stops this threat through the following filters:

1. Prevention
  • 1000608 - Generic SQL Injection Prevention
  • 1003025 - Web Server Restrict Executable File Uploads
2. Detection
  • Integrity Monitoring: File Creation (BKDR_REMOSH.SMF Creation Behavior)
  • Integrity Monitoring: Service Creation (Auto Start Registry for BKDR_REMOSH.SMF)
  • Integrity Monitoring: Service Stop (PolicyAgentService Stop)
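The three detection filters above describe host-level conditions (a new DLL being written, a service registered for automatic start, and the PolicyAgentService being stopped) that a defender can also express in their own monitoring. The script below is an added example written for this page; it is not Trend Micro's code and not the Deep Security filters themselves. The pipe-delimited event format, the host names, the service name ExampleSvc and the file names are all constructed for the example. The registry layout it matches (Services\<name>\Start with value 2 meaning automatic start, and Parameters\ServiceDll naming the hosted DLL) is standard Windows.

```python
"""
Correlate a host-monitoring feed against the three REMOSH-style conditions:
  1. a DLL written into the system directory (dropped-DLL creation),
  2. an auto-start service whose ServiceDll points at that freshly dropped DLL,
  3. the PolicyAgent service being stopped.
Added example for this article; the feed format and all sample values are constructed.
"""
import re
from collections import defaultdict

# Constructed sample feed: timestamp | host | event type | key=value;key=value
# Host WS-017 shows the suspicious chain; WS-042 shows benign vendor activity.
SAMPLE_EVENTS = """\
2011-02-10T09:00:01|WS-017|FileCreated|path=C:\\Windows\\system32\\EXAMPLE_dropped.dll;writer=C:\\Users\\jdoe\\AppData\\Local\\Temp\\EXAMPLE_stage1.exe
2011-02-10T09:00:02|WS-017|RegistrySet|key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\Parameters\\ServiceDll;value=C:\\Windows\\system32\\EXAMPLE_dropped.dll
2011-02-10T09:00:02|WS-017|RegistrySet|key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\ExampleSvc\\Start;value=2
2011-02-10T09:00:05|WS-017|ServiceStopped|name=PolicyAgent
2011-02-10T09:15:00|WS-042|FileCreated|path=C:\\Program Files\\Vendor\\app.dll;writer=C:\\Program Files\\Vendor\\setup.exe
2011-02-10T09:15:01|WS-042|RegistrySet|key=HKLM\\SYSTEM\\CurrentControlSet\\Services\\VendorSvc\\Start;value=3
2011-02-10T09:20:00|WS-042|ServiceStopped|name=Spooler
"""

# Services\<name>\<subkey>: group 1 is the service name, group 2 the subkey path.
SERVICE_KEY_RE = re.compile(
    r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\(.+)$", re.IGNORECASE)
SYSTEM_DIR = "c:\\windows\\system32\\"
SERVICE_AUTO_START = "2"  # Start=2 is SERVICE_AUTO_START on Windows


def parse_events(text):
    """Parse the constructed pipe-delimited feed into a list of dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, etype, rest = line.split("|", 3)
        attrs = dict(kv.split("=", 1) for kv in rest.split(";") if "=" in kv)
        events.append({"ts": ts, "host": host, "type": etype, **attrs})
    return events


def detect(events):
    """Return findings as (severity, host, description) tuples."""
    findings = []
    dropped = defaultdict(set)  # host -> lowercase paths of DLLs written to system32
    services = defaultdict(lambda: defaultdict(dict))  # host -> service -> {subkey: value}

    for ev in events:
        host = ev["host"]
        if ev["type"] == "FileCreated":
            path = ev.get("path", "")
            low = path.lower()
            if low.startswith(SYSTEM_DIR) and low.endswith(".dll"):
                dropped[host].add(low)
                findings.append(("medium", host,
                                 f"DLL written into system directory by {ev.get('writer', '?')}: {path}"))
        elif ev["type"] == "RegistrySet":
            m = SERVICE_KEY_RE.match(ev.get("key", ""))
            if m:
                services[host][m.group(1)][m.group(2).lower()] = ev.get("value", "")
        elif ev["type"] == "ServiceStopped":
            # The filter above names the PolicyAgentService; match either spelling.
            if "policyagent" in ev.get("name", "").lower():
                findings.append(("high", host, f"{ev['name']} service stopped"))

    # Second pass: evaluate each service once all its subkeys are known.
    for host, svcs in services.items():
        for name, keys in svcs.items():
            if keys.get("start") != SERVICE_AUTO_START:
                continue
            dll = keys.get("parameters\\servicedll", "").lower()
            if dll and dll in dropped[host]:
                findings.append(("high", host,
                                 f"auto-start service {name} registered for freshly dropped DLL {dll}"))
            else:
                findings.append(("low", host, f"auto-start service {name} registered"))
    return findings


if __name__ == "__main__":
    for severity, host, description in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{severity:>6}] {host}: {description}")
```

Run stand-alone, the script reports three findings for WS-017 (the dropped DLL, the PolicyAgent stop, and the auto-start service that points at the dropped DLL) and nothing for WS-042, whose vendor DLL lives outside the system directory and whose service is registered with Start=3 (manual). The point of the second pass is the correlation: a single auto-start service or a single DLL write is noisy on its own, but an auto-start service whose ServiceDll is a file the same host just wrote into system32 is the persistence pattern the integrity-monitoring filter is looking for.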