RCSession

Malware updated 5 months ago (2024-05-04T21:03:27.441Z)
RCSession is a basic Remote Access Trojan (RAT) installed via DLL side-loading and used primarily by the threat group tracked as BRONZE PRESIDENT. Dell Secureworks first described it in a blog published in December 2019, where it was identified as part of the Type 2 malware family. BRONZE PRESIDENT installs RCSession by side-loading a modified goopdate.dll; the payload is extracted from a file named English.rtf and launched inside a hollowed svchost.exe process.

Once running, RCSession connects to a hard-coded command-and-control (C2) server over TCP port 443 using a custom protocol. It checks in with an encrypted beacon, then awaits further instruction; its capabilities include remotely executing commands and launching additional tools.

Researchers observed RCSession on multiple hosts during BRONZE PRESIDENT intrusions, frequently alongside Cobalt Strike, and found no evidence of other threat actors using it or of wide proliferation of the tool, suggesting it is a primary and likely proprietary RAT exclusive to this group. Alongside RCSession, the group uses Cobalt Strike, PlugX, and ORat to steal data from targeted organizations, consistent with its intent to compromise systems for data theft.
Description last updated: 2023-11-28T17:51:52.033Z
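The description above gives three observable artefacts of an RCSession deployment: a svchost.exe that was not started the normal way (process hollowing), a goopdate.dll loaded from somewhere it does not belong (DLL side-loading), and an outbound TCP/443 connection from the hollowed process. The following hunt logic is an added example and is not code from Secureworks, MITRE, or the page's sources. It assumes Sysmon-style events reduced to a few fields (EventID 1 = process create, 7 = image load, 3 = network connect), a heuristic that legitimate svchost.exe is only ever a child of services.exe, and a heuristic that goopdate.dll has no business living in a user-writable directory; the telemetry, PIDs, paths and IP addresses are constructed for the example.

```python
"""Hunt heuristics for the RCSession tradecraft described on this page.

Added example, not code from the page's sources. Field names follow a
reduced Sysmon-style schema and are an assumption of this example.
"""

# Constructed sample telemetry: a benign svchost (PID 900), a side-loaded
# goopdate.dll inside a user-writable host process (PID 4100), a hollowed
# svchost spawned by that host (PID 4212), and two TCP/443 connections.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 700, "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ParentProcessId": 3000, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 7, "ProcessId": 4100, "Image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\goopdate.dll"},
    {"EventID": 1, "ProcessId": 4212, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentProcessId": 4100, "ParentImage": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"EventID": 3, "ProcessId": 4212, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "ProcessId": 900, "Image": r"C:\Windows\System32\svchost.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]

# Heuristic (assumption): directories an unprivileged user can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def _basename(path):
    """Lower-cased final path component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowed_svchost(events):
    """svchost.exe process-create events whose parent is not services.exe.

    Heuristic: a legitimate svchost.exe is started by services.exe. A
    svchost.exe with any other parent is a process-hollowing candidate.
    """
    return [e for e in events
            if e["EventID"] == 1
            and _basename(e["Image"]) == "svchost.exe"
            and _basename(e["ParentImage"]) != "services.exe"]


def find_sideloaded_goopdate(events):
    """Image-load events where goopdate.dll comes from a user-writable path."""
    hits = []
    for e in events:
        if e["EventID"] != 7:
            continue
        loaded = e["ImageLoaded"].lower()
        if _basename(loaded) == "goopdate.dll" and loaded.startswith(USER_WRITABLE_PREFIXES):
            hits.append(e)
    return hits


def find_suspicious_beacons(events, port=443):
    """Network connects on `port` from processes flagged by the two heuristics.

    Correlating on PID is what keeps this usable: svchost.exe talks to
    TCP/443 constantly for Windows Update, so the port alone is noise.
    """
    suspect_pids = {e["ProcessId"] for e in find_hollowed_svchost(events)}
    suspect_pids |= {e["ProcessId"] for e in find_sideloaded_goopdate(events)}
    return [e for e in events
            if e["EventID"] == 3
            and e["DestinationPort"] == port
            and e["ProcessId"] in suspect_pids]


def hunt(events):
    """Run all three heuristics and return a summary dict of hits."""
    return {
        "hollowed_svchost_pids": [e["ProcessId"] for e in find_hollowed_svchost(events)],
        "sideloaded_goopdate_pids": [e["ProcessId"] for e in find_sideloaded_goopdate(events)],
        "beacon_destinations": [e["DestinationIp"] for e in find_suspicious_beacons(events)],
    }


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

On the constructed telemetry the benign svchost (PID 900) also connects to 203.0.113.20:443 but is not reported, because neither heuristic flagged its PID; only the svchost spawned by the side-loading host is surfaced with its beacon destination.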
Aliases: none currently tracked.
Source Document References
Information about the RCSession malware was read from the following documents: MITRE (two entries, created 2 years ago).