Malware Used Against Australia

Some of the malware that Mossé Security responds to:

REMCOS

REMCOS is a Remote Access Trojan (RAT) sold on dark-web hacking forums for around US$300. It provides the following capabilities:

  • Interface: Sleek user interface that makes it easy for unsophisticated threat actors to compromise and control machines remotely
  • Espionage: screen capture, clipboard capture, keylogging, webcam capture, and microphone capture
  • Operational Security: RC4 encryption, software packing, strings obfuscation and events logging
  • Automation: ability to automate tasks, run commands, and download files

Mossé Security has been responding to many intrusions where the adversaries used REMCOS as first-stage malware before installing stealthier RATs on other systems.


COBALT STRIKE

Cobalt Strike is software for adversary simulations and red team operations created by Raphael Mudge.

Cobalt Strike provides a post-exploitation agent and covert channels to emulate a quiet, long-term embedded actor in a target's network. New Cobalt Strike licenses cost $3,500 per user for a one-year license. License renewals cost $2,500 per user, per year.

Cyber adversaries around the world purchase and use Cobalt Strike to commit cyber crimes. Cobalt Strike has been used in countless intrusions. One threat actor uses it so heavily that the industry has labelled this actor the "Cobalt Gang".

Mossé Security has been responding to many intrusions against Australian organisations committed by adversaries that use Cobalt Strike.


BABAR

Babar is a well-documented surveillance malware almost certainly created by one or more French intelligence agencies.

Mossé Security did not identify this malware during incident response. Several samples were shared with us by a customer who did not specify where the samples originated. Some of the samples that we have are not available on VirusTotal or any other online malware-sharing service that we're aware of. We were asked to reverse engineer parts of the samples and offer our professional opinion on their capabilities.

We make no claim that the French intelligence agencies performed cyber operations against Australian organisations. It's not unusual for customers to approach us to reverse engineer malware samples that they are curious about for one reason or another. They are under no obligation to share their motivations with us.


MIMIKATZ

Mimikatz is an open-source post-exploitation tool for the Windows operating system created by Benjamin Delpy. It's been called the "AK47 of Cyber Attacks" and the "Swiss Army Knife of Windows Credentials Gathering".

Mimikatz is incredibly popular and is used by numerous advanced persistent threat (APT) actors to steal Windows credentials and move laterally from one Windows machine to another. Some of the features that Mimikatz offers include:

  • Extract plaintext passwords, hashes, PIN codes, scheduled tasks, and Kerberos Tickets
  • Pass-the-hash and pass-the-ticket
  • Build Kerberos Golden tickets
  • Move laterally and execute commands on remote machines


SCREENCONNECT

ScreenConnect is remote-access software built by a legitimate US company for remotely accessing and managing Windows computers. Pricing for the software starts around US$19 per month.

Some cyber adversaries have used this tool as a backdoor into the networks of Australian organisations that they have compromised. Investigative journalist Brian Krebs also reported that ScreenConnect was used by the adversary that compromised Wipro's networks in 2019. This is a breach that we can confirm affected Australian customers.

From the adversary's perspective, the advantage of using legitimate remote-access software such as ScreenConnect as a backdoor, rather than custom malware, is that it will evade enterprise anti-virus solutions, and even if it is flagged, the alert is more likely to be dismissed as a false positive.


TEAMSPY

TeamSpy can refer both to a cyber-surveillance operation and to the malware used as part of that operation. The malware uses DLL side-loading to load malicious code into the legitimate TeamViewer software, hiding it from the Windows interface and making it invisible to the user.

Once installed, TeamSpy allows the adversaries to observe the infected computers, install new tools on the machines and steal files.

Mossé Security has been responding to a large intrusion where TeamSpy had been installed on multiple employee laptops.


GH0ST RAT

Gh0st RAT is a cyber-espionage Trojan horse for the Windows platform. The "RAT" part of the name refers to the software's ability to operate as a Remote Administration Tool.

This tool is used by multiple adversary groups.

Mossé Security has been responding to many intrusions where Gh0st RAT was used, and customers and partners have also shared samples with us that were captured in Australia.


NETWIRE

NETWIRE is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.

Some of the capabilities that NETWIRE has include:

  • Code Signing
  • Keylogging
  • Screen Capture
  • System information discovery
  • Code Injection


Other Examples: Emotet, Graftor, Poison Ivy, PlugX, BlackMoon, Perseus, Meterpreter, Loda, Nymeria, NanoCore, Lazagne, Gemini, Hupigon, Quasar, Themida, PowerShell Empire, Mirai, Poweliks, BlackHole, PowerSploit, EternalBlue, EternalDrug, Locky, GandCrab, AgentTesla, Torn, Derusbi, Nishang, TinyMet, Viper, Pasam, Royal DNS, Winnit, NetTraveler.