Malware Profile Updated 3 months ago
RCSession is a basic Remote Access Trojan (RAT), installed via DLL side-loading and used primarily by the threat group known as BRONZE PRESIDENT. The malware was first described by Dell Secureworks in a blog post published in December 2019, where it was identified as part of the Type 2 malware family. It is launched via a hollowed svchost.exe process, after being extracted from a file named English.rtf. BRONZE PRESIDENT installs RCSession using a modified DLL file (goopdate.dll).

RCSession connects to its hard-coded command-and-control (C2) server over TCP port 443 using a custom protocol. On connection it checks in with an encrypted beacon and then awaits further instruction; it is capable of remotely executing commands and launching additional tools.

The malware has been observed on multiple hosts during intrusions by BRONZE PRESIDENT, indicating its use in the group's operations. Alongside RCSession, the group also uses other tools such as Cobalt Strike, PlugX, and ORat to steal data from organizations. Notably, the researchers found no evidence of other threat actors using RCSession, or of wide proliferation of the tool, suggesting it is exclusive to this particular group. This primary and likely proprietary RAT of BRONZE PRESIDENT demonstrates the group's intent to target systems for data theft, with RCSession and Cobalt Strike frequently observed together on compromised systems.
Miscellaneous Associations
Cobalt Strike
Associated Malware
PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It
Associated Threat Actors
Bronze President, a Chinese-state-sponsored APT group also known as Mustang Panda, has been identified as a significant threat actor in data theft campaigns. The group has deployed a variety of remote access tools, including Cobalt Strike and RCSession, to steal data from targeted organizations. Bro
Mustang Panda (type: Unspecified)
Mustang Panda, also known as Bronze President, Nomad Panda, Naikon, Earth Preta, and Stately Taurus, is a Chinese-aligned threat actor that has been associated with widespread attacks against various countries in the Asia-Pacific region. The group's malicious activities were first traced back to Mar
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RCSession malware was read from the documents corpus below.
Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware