Remexi Backdoor

OVERVIEW

The Remexi Backdoor malware has been observed since at least 2014, and is believed to be employed by Iranian adversaries. Originally, the malware’s function was relatively limited, allowing for traditional reverse shell backdoor functions.

Overtime the malware has grown far more capable, including as an information theft tool. The malware is now known to be able to capture clipboard data, perform file discovery across a system, capturing ket strokes through keylogging, and screen capture for windows of interest.

TARGETING

Targeting has included government, including diplomatic agencies, as well as other industries of interest for the Iranian government.

DELIVERY

The malware has been observed being delivered via targeted spear phishing operations, as well, as manual placement post-compromise.

REMEXI PERSISTENCE

The malware is able to establish persistence using Registry Run Keys, and Winlogon Helper DLL.

REMEXI COMMUNICATION

The malware has been observed using BITSAdmin for its C2 channel.

Remexi Threat Hunting Packages

Join our newsletter

Discover More!

SANS 2024 Threat Hunting Survey: Hunting for Normal Within Chaos

Library

Resources

Resources

Remexi Backdoor

OVERVIEW

TARGETING

DELIVERY

REMEXI PERSISTENCE

REMEXI COMMUNICATION

Join our newsletter

Follow Us

Discover More!

SANS 2024 Threat Hunting Survey: Hunting for Normal Within Chaos

Threat-Informed Defense through Behavioral Threat Hunting

Phobos Unleashed: Navigating the Maze of Ransomware’s Ever-Evolving Threat

TECHNICAL WALKTHROUGH

SEE THE POWER OF THREAT HUNTING IN YOUR ENVIRONMENT & ON YOUR TOOLS TODAY!

Subscribe to our newsletter