RCSession

Description

(SecureWorks) This basic RAT is installed via DLL side-loading, and CTU researchers observed BRONZE PRESIDENT installing it on multiple hosts during intrusions. RCSession was extracted from a file called English.rtf and launched via a hollowed svchost.exe process. RCSession connects to its C2 server via a custom protocol, can remotely execute commands, and can launch additional tools. CTU researchers have no evidence of other threat actors using RCSession or of wide proliferation of the tool, suggesting it may be exclusively used by BRONZE PRESIDENT.

Names

Name
RCSession

Category

Malware

Type

  • Backdoor

Information

MITRE ATT&CK

Other Information

UUID

07e50a75-39c7-4cab-b156-8f3fb1d13732

Last Card Change

2022-12-30