RCSession is a basic Remote Access Trojan (RAT) that is installed via DLL side-loading and is used primarily by the threat group known as BRONZE PRESIDENT. The malware was first described by Dell Secureworks in a blog published in December 2019, where it was identified as part of the Type 2 malware family. The RAT payload is extracted from a file named English.rtf and launched inside a hollowed svchost.exe process. RCSession connects to its command-and-control (C2) server using a custom protocol and can execute commands remotely and launch additional tools.
The malware has been observed on multiple hosts during BRONZE PRESIDENT intrusions. Notably, the researchers found no evidence of other threat actors using RCSession, or of the tool proliferating widely, suggesting it is exclusive to this group. The DLL that BRONZE PRESIDENT side-loads to install RCSession is a modified goopdate.dll. Alongside RCSession, the group also uses tools such as Cobalt Strike, PlugX, and ORat to steal data from targeted organizations.
Upon connecting to its C2 server, RCSession checks in with an encrypted beacon and then waits for instructions. Communication with the hard-coded C2 server takes place over TCP port 443 using a custom protocol. The researchers assess RCSession to be BRONZE PRESIDENT's primary, and likely proprietary, RAT; its frequent appearance alongside Cobalt Strike on compromised systems reflects the group's focus on data theft.
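The tradecraft described above (a side-loaded goopdate.dll, a hollowed svchost.exe, and 443 egress from that process) suggests a few host-level hunting rules. The following is an added example written for this page, not code from Secureworks or from any RCSession analysis: it runs simplified rules over constructed, Sysmon-style events. The event field names, the sample events, the expected Google Update install directories, and the rule names are all assumptions made for illustration, not indicators from a report.

```python
"""Toy hunting rules for the RCSession tradecraft described on this page.

Added example, not part of the original description. Event shape, sample
events and the expected goopdate.dll directories are assumptions.
"""
import ntpath

# Directories from which a legitimate goopdate.dll is expected to load
# (assumption for illustration; tune to the environment's real install paths).
EXPECTED_GOOPDATE_DIRS = (
    r"c:\program files (x86)\google\update",
    r"c:\program files\google\update",
)

# Constructed events in a simplified Sysmon-like shape (assumption).
EVENTS = [
    # Benign: services.exe launches svchost.exe with the usual -k service group.
    {"type": "process_create", "pid": 1200,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Windows\System32\services.exe",
     "cmdline": "svchost.exe -k netsvcs"},
    # Suspicious: an updater in a user-writable directory loads goopdate.dll from beside it.
    {"type": "image_load", "pid": 3400,
     "image": r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\goopdate.dll"},
    # Suspicious: svchost.exe spawned by that updater, with no -k argument (hollowing candidate).
    {"type": "process_create", "pid": 3412,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\GoogleUpdate.exe",
     "cmdline": "svchost.exe"},
    # Egress on 443 from the suspicious svchost.exe (constructed TEST-NET address).
    {"type": "network_connect", "pid": 3412,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},
    # Benign: 443 egress from the legitimately parented svchost.exe.
    {"type": "network_connect", "pid": 1200,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_ip": "198.51.100.5", "dest_port": 443},
]


def _under(path, prefixes):
    """Case-insensitive check that a Windows path starts with one of the prefixes."""
    p = path.lower()
    return any(p.startswith(pre) for pre in prefixes)


def rule_goopdate_sideload(ev):
    """Flag goopdate.dll loaded from outside the expected Google Update directories."""
    if ev["type"] != "image_load":
        return None
    if ntpath.basename(ev["loaded"]).lower() != "goopdate.dll":
        return None
    if _under(ntpath.dirname(ev["loaded"]), EXPECTED_GOOPDATE_DIRS):
        return None
    return ("goopdate_sideload", ev["pid"], ev["loaded"])


def rule_anomalous_svchost(ev):
    """Flag svchost.exe not started by services.exe, or started without a -k group."""
    if ev["type"] != "process_create":
        return None
    if ntpath.basename(ev["image"]).lower() != "svchost.exe":
        return None
    parent_ok = ntpath.basename(ev["parent"]).lower() == "services.exe"
    cmdline_ok = " -k " in f" {ev['cmdline']} "
    if parent_ok and cmdline_ok:
        return None
    return ("anomalous_svchost", ev["pid"],
            f"parent={ev['parent']} cmdline={ev['cmdline']!r}")


def hunt(events):
    """Apply the per-event rules, then chain: 443 egress from an already-flagged svchost.

    Returns a list of (rule_name, pid, detail) tuples in event order.
    """
    findings = []
    flagged_svchost = set()
    for ev in events:
        for rule in (rule_goopdate_sideload, rule_anomalous_svchost):
            hit = rule(ev)
            if hit:
                findings.append(hit)
                if hit[0] == "anomalous_svchost":
                    flagged_svchost.add(hit[1])
        # svchost.exe talking on 443 is normal; it is only interesting once the
        # process itself is already anomalous, so the rules are chained by pid.
        if (ev["type"] == "network_connect" and ev["pid"] in flagged_svchost
                and ev["dest_port"] == 443):
            findings.append(("svchost_443_egress", ev["pid"], f"{ev['dest_ip']}:443"))
    return findings


if __name__ == "__main__":
    for name, pid, detail in hunt(EVENTS):
        print(f"{name:20} pid={pid} {detail}")
```

The parent and command-line checks on svchost.exe are generic process-hollowing heuristics rather than RCSession-specific signatures, and both have legitimate exceptions in real environments (for example, some installers start svchost.exe directly), so treat hits as hunting leads to be correlated with the DLL side-load and the C2 egress rather than as standalone alerts.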
Description last updated: 2023-11-28T17:51:52.033Z