Remexi Backdoor | Intel 471 Skip to content

Remexi Backdoor

May 21, 2020
Homepage Hero

OVERVIEW

The Remexi Backdoor malware has been observed since at least 2014, and is believed to be employed by Iranian adversaries. Originally, the malware's function was relatively limited, allowing for traditional reverse shell backdoor functions.

Overtime the malware has grown far more capable, including as an information theft tool. The malware is now known to be able to capture clipboard data, perform file discovery across a system, capturing ket strokes through keylogging, and screen capture for windows of interest.

TARGETING

Targeting has included government, including diplomatic agencies, as well as other industries of interest for the Iranian government.

DELIVERY

The malware has been observed being delivered via targeted spear phishing operations, as well, as manual placement post-compromise.

REMEXI PERSISTENCE

The malware is able to establish persistence using Registry Run Keys, and Winlogon Helper DLL.

REMEXI COMMUNICATION

The malware has been observed using BITSAdmin for its C2 channel.