
REMUS Infostealer: Defending Against Session Hijacking and MaaS Operations

Security Arsenal Team
May 17, 2026
5 min read

Introduction

The security landscape is shifting from credential theft to session hijacking. The REMUS infostealer, a rapidly evolving Malware-as-a-Service (MaaS) offering, exemplifies this trend. Unlike traditional stealers that focus solely on harvesting passwords, REMUS prioritizes the theft of active browser sessions and authentication tokens. This allows attackers to bypass Multi-Factor Authentication (MFA) protections entirely, granting immediate access to corporate SaaS applications and email accounts without needing the user's password.

For defenders, this represents a critical blind spot. If your detection strategy relies solely on monitoring for brute-force logins or password dumps, REMUS will likely bypass your defenses. This post provides a technical breakdown of REMUS operations and actionable detection logic to stop it.

Technical Analysis

Affected Platforms & Components

  • Browsers: Google Chrome, Microsoft Edge, Mozilla Firefox, Brave, and Opera.
  • OS: Windows (primary target due to prevalence of browser data).
  • Mechanism: REMUS targets the User Data directories of browsers to extract:
    • Cookies files (SQLite databases containing session tokens).
    • Local Storage and Session Storage JSON files (often used for JWTs and OAuth tokens).
    • History and Login Data (for credential context).

Attack Chain & Exploitation Status

  1. Initial Access: Delivered via phishing campaigns or payload loaders (often disguised as cracked software or utilities).
  2. Execution: The infostealer executes, enumerating running processes to identify active browser sessions.
  3. Data Exfiltration: It reads the locked SQLite databases and storage files directly from the disk. REMUS is engineered for speed and scalability, often using asynchronous I/O to minimize its footprint.
  4. Monetization: Stolen session data is packaged and sold to initial access brokers (IABs) or used immediately for account takeover (ATO).

Exploitation Status: Confirmed Active. REMUS is currently being marketed as a MaaS platform on cybercrime forums, indicating active development and widespread distribution.

Detection & Response

Detecting REMUS requires a shift from signature-based detection to behavioral analysis. The primary indicator is a non-browser process accessing the browser's internal data files.

Sigma Rules

---
title: Potential Infostealer Accessing Browser Cookies
id: 9c3e1a5b-0f7d-4e8c-9a12-3b4c5d6e7f8a
status: experimental
description: Detects non-browser processes accessing browser Cookie SQLite databases, a common behavior of stealers like REMUS. Covers Chromium profile directories (including the newer 'Network\Cookies' location) and Firefox profile directories.
references:
  - https://attack.mitre.org/techniques/T1005/
author: Security Arsenal
date: 2024/10/25
tags:
  - attack.credential_access
  - attack.t1005
logsource:
  category: file_access
  product: windows
detection:
  selection_chromium:
    TargetFilename|contains:
      - '\Google\Chrome\User Data\'
      - '\Microsoft\Edge\User Data\'
      - '\BraveSoftware\Brave-Browser\User Data\'
      - '\Opera Software\Opera Stable\'
    TargetFilename|endswith: '\Cookies'
  selection_firefox:
    # Firefox places cookies.sqlite under a per-profile folder, so the profile name must be wildcarded
    TargetFilename|contains: '\Mozilla\Firefox\Profiles\'
    TargetFilename|endswith: '\cookies.sqlite'
  filter_legitimate_browsers:
    Image|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\brave.exe'
      - '\firefox.exe'
      - '\opera.exe'
  condition: 1 of selection_* and not filter_legitimate_browsers
falsepositives:
  - Third-party backup or synchronization software
level: high
---
title: Suspicious PowerShell Accessing Browser Local Storage
id: a1b2c3d4-5678-90ab-cdef-1234567890ab
status: experimental
description: Detects PowerShell scripts attempting to read browser Local Storage files, indicative of manual or automated session theft.
references:
  - https://attack.mitre.org/techniques/T1059/001
author: Security Arsenal
date: 2024/10/25
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
    CommandLine|contains:
      - 'Local Storage'
      - 'leveldb'
  condition: selection
falsepositives:
  - Administrative troubleshooting scripts
level: medium
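The file-access logic of the first Sigma rule, run over constructed sample events in Python so the matching can be checked before the rule is deployed. This is an added example, not the page's or Security Arsenal's code; it generalizes the rule to any Chromium profile directory (not only Default) and to the newer Network\Cookies location, and the user, process and file paths are constructed.

```python
import re
from dataclasses import dataclass

# Patterns mirroring the Sigma selection: Chromium cookie DBs in any profile
# directory (Default, Profile 1, ...), including the newer "Network\Cookies"
# location, and Firefox's per-profile cookies.sqlite.
COOKIE_DB_PATTERNS = [
    re.compile(r"\\(Google\\Chrome|Microsoft\\Edge|BraveSoftware\\Brave-Browser)"
               r"\\User Data\\[^\\]+\\(Network\\)?Cookies$", re.IGNORECASE),
    re.compile(r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\cookies\.sqlite$", re.IGNORECASE),
]
# Image names allowed to open these files (the Sigma filter_legitimate_browsers list)
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe"}


@dataclass
class FileAccessEvent:
    image: str            # full path of the process that opened the file
    target_filename: str  # full path of the file that was opened


def is_cookie_db(path: str) -> bool:
    """True if the path is a browser cookie database covered by the rule."""
    return any(p.search(path) for p in COOKIE_DB_PATTERNS)


def is_suspicious(event: FileAccessEvent) -> bool:
    """The rule's condition: a non-browser process opening a cookie database."""
    image_name = event.image.rsplit("\\", 1)[-1].lower()
    return is_cookie_db(event.target_filename) and image_name not in BROWSER_IMAGES


def find_hits(events):
    """Return (image, target) pairs for every event that fires the rule."""
    return [(e.image, e.target_filename) for e in events if is_suspicious(e)]


# Constructed sample telemetry (hypothetical user and process names, not real logs)
SAMPLE_EVENTS = [
    FileAccessEvent(r"C:\Program Files\Google\Chrome\Application\chrome.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileAccessEvent(r"C:\Users\alice\AppData\Local\Temp\sync_helper.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"),
    FileAccessEvent(r"C:\Users\alice\AppData\Local\Temp\sync_helper.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite"),
    FileAccessEvent(r"C:\Program Files\Mozilla Firefox\firefox.exe",
                    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default-release\cookies.sqlite"),
    FileAccessEvent(r"C:\Users\alice\AppData\Local\Temp\sync_helper.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"),
]
```

Only the two sync_helper.exe events that open a cookie database fire; the browser's own access and the History read do not, which is the behaviour the rule's filter and selection are meant to encode.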

KQL (Microsoft Sentinel / Defender)

// Hunt for non-browser processes touching browser Cookie databases.
// DeviceFileEvents has no TargetFilename column: the path is split into FolderPath and FileName.
// The table records create/modify/rename/delete actions, not plain reads, so pair this
// with the file_access Sigma rule above rather than relying on it alone.
DeviceFileEvents
| where Timestamp > ago(1d)
| where FileName in~ ("Cookies", "cookies.sqlite")
| where FolderPath contains @"\User Data\" or FolderPath contains @"\Mozilla\Firefox\Profiles\"
| where InitiatingProcessFileName !in~ ("chrome.exe", "msedge.exe", "brave.exe", "firefox.exe", "opera.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FolderPath, FileName, ActionType
| order by Timestamp desc

Velociraptor VQL

-- Hunt for non-browser processes holding open handles to browser cookie databases.
-- handles() requires a pid, so enumerate processes with pslist() and join them via foreach().
-- Needs an elevated Velociraptor client. The regexes use '.' for path separators so no
-- backslash escaping is needed inside VQL string literals.
LET CookieDb = "(?i)(Chrome.User Data|Edge.User Data|Brave-Browser.User Data|Opera Stable).*(Network.)?Cookies$|Firefox.Profiles.*cookies.sqlite$"

SELECT * FROM foreach(
  row={
    SELECT Pid, Name AS ProcessName, Exe, CommandLine
    FROM pslist()
    WHERE NOT Name =~ "(?i)^(chrome|msedge|brave|firefox|opera).exe$"
  },
  query={
    SELECT Pid, ProcessName, Exe, CommandLine, Name AS HandleName, Type AS HandleType
    FROM handles(pid=Pid)
    WHERE Type = "File" AND Name =~ CookieDb
  })

Remediation Script (PowerShell)

# Remediation Script: Check for Suspicious Browser Data Access
# Run as Administrator

Write-Host "[+] Scanning for non-browser processes that touch browser profile data..." -ForegroundColor Cyan

# Browser profile directory fragments that infostealers read
$targetPaths = @(
    "\Google\Chrome\User Data",
    "\Microsoft\Edge\User Data",
    "\BraveSoftware\Brave-Browser\User Data",
    "\Mozilla\Firefox\Profiles"
)

# Processes expected to open these files (browsers plus common system processes)
$allowedProcesses = @("chrome", "msedge", "firefox", "brave", "opera", "explorer", "svchost")

$suspiciousActivity = $false

# Pass 1: open file handles. Get-Process cannot enumerate handles, so use Sysinternals
# handle.exe when it is on the PATH; it accepts a name fragment and prints one line per
# matching handle ("<process>  pid: <n>  type: File  <id>: <path>").
$handleExe = Get-Command handle.exe -ErrorAction SilentlyContinue
if ($handleExe) {
    foreach ($fragment in $targetPaths) {
        foreach ($line in (& $handleExe.Source -accepteula -nobanner $fragment 2>$null)) {
            if ($line -match '^(?<proc>\S+?)(\.exe)?\s+pid:\s*(?<pid>\d+)' -and
                $Matches.proc -notin $allowedProcesses) {
                Write-Host "[!] WARNING: Non-browser process holds a browser data handle: $line" -ForegroundColor Red
                $suspiciousActivity = $true
            }
        }
    }
} else {
    Write-Host "[-] handle.exe not found; skipping handle audit (install Sysinternals Suite for full coverage)." -ForegroundColor Yellow
}

# Pass 2: loaded modules. Stealers often load a SQLite DLL to parse the Cookies database.
$processList = Get-Process | Where-Object { $_.ProcessName -notin $allowedProcesses }

foreach ($proc in $processList) {
    # Module enumeration fails for protected or cross-bitness processes; skip those quietly
    $modules = Get-Process -Id $proc.Id -Module -ErrorAction SilentlyContinue
    if ($modules.FileName -like "*sqlite*") {
        Write-Host "[!] WARNING: Process $($proc.ProcessName) (PID: $($proc.Id)) loads a SQLite DLL but is not a browser." -ForegroundColor Red
        Write-Host "    Path: $($proc.Path)" -ForegroundColor DarkRed
        $suspiciousActivity = $true
    }
}

if (-not $suspiciousActivity) {
    Write-Host "[*] No non-browser process with browser data handles or SQLite modules found." -ForegroundColor Green
}

Write-Host "[+] Recommendation: Revoke all active web sessions if infection is suspected." -ForegroundColor Yellow

Remediation

If REMUS or a similar infostealer is detected within your environment, immediate containment and credential hygiene are paramount:

  1. Isolate the Host: Disconnect the infected machine from the network immediately to prevent further exfiltration of data or lateral movement.
  2. Force Session Invalidation: Since REMUS steals session tokens, simply changing passwords is insufficient. Administrators must:
    • Revoke all active OAuth tokens and application sessions in the IdP (e.g., Azure AD, Okta).
    • Invalidate web sessions for critical SaaS applications (Email, CRM, Banking).
  3. Re-image the Endpoint: Infostealers often leave behind persistence mechanisms or other payloads. The safest remediation is a complete wipe and re-image of the OS.
  4. User Education: The entry vector is frequently social engineering. Brief the affected user on the risks of downloading unauthorized software or opening unexpected attachments.
  5. Browser Hardening: Encourage the use of Browser Isolation or enterprise browsing modes that do not write session data to the local disk, rendering file-based stealers ineffective.
