
RedLeaves

RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)
ID: S0153
Associated Software: BUGJUICE
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 14 Dec 2017
Last Modified: 12 Sep 2024

Associated Software Descriptions

Name: BUGJUICE
Description: Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)

Techniques Used

All techniques listed below belong to the Enterprise domain.

T1071.001 Application Layer Protocol: Web Protocols

RedLeaves can communicate with its C2 over HTTP and HTTPS if directed. (Citation: FireEye APT10 April 2017) (Citation: Accenture Hogfish April 2018)

T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Accenture Hogfish April 2018)

T1547.009 Boot or Logon Autostart Execution: Shortcut Modification

RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Accenture Hogfish April 2018)

T1059.003 Command and Scripting Interpreter: Windows Command Shell

RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)

T1555.003 Credentials from Password Stores: Credentials from Web Browsers

RedLeaves can gather browser usernames and passwords. (Citation: Accenture Hogfish April 2018)

T1573.001 Encrypted Channel: Symmetric Cryptography

RedLeaves has encrypted C2 traffic with RC4, previously using the keys 88888888 and babybear. (Citation: PWC Cloud Hopper Technical Annex April 2017)

T1574.001 Hijack Execution Flow: DLL Search Order Hijacking

RedLeaves is launched through DLL search order hijacking, which loads a malicious DLL. (Citation: FireEye APT10 April 2017)

T1070.004 Indicator Removal: File Deletion

RedLeaves can delete specified files. (Citation: PWC Cloud Hopper Technical Annex April 2017)

T1027.013 Obfuscated Files or Information: Encrypted/Encoded File

A RedLeaves configuration file is encrypted with a simple single-byte XOR key, 0x53. (Citation: PWC Cloud Hopper Technical Annex April 2017)
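The two encryption details above (RC4 C2 traffic with the keys 88888888 and babybear, and the configuration file XORed with 0x53) are enough to build a small triage helper for an analyst who has a captured payload or config blob. The following is an added example, not code from ATT&CK, SECURITM or the cited reports; the keys come from this page, while the plaintext-likeness heuristic and the sample buffer are constructed assumptions for illustration.

```python
# Triage helper for RedLeaves-style encryption. Keys below are from the page;
# everything else (heuristic, sample data) is an assumption for this example.
KNOWN_RC4_KEYS = [b"88888888", b"babybear"]   # reported RedLeaves RC4 keys
CONFIG_XOR_KEY = 0x53                         # reported config XOR key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_decode(data: bytes, key: int = CONFIG_XOR_KEY) -> bytes:
    """Single-byte XOR, as used for the RedLeaves configuration file."""
    return bytes(b ^ key for b in data)


def looks_like_text(buf: bytes, threshold: float = 0.9) -> bool:
    """Constructed heuristic: a correct decryption is mostly printable ASCII."""
    if not buf:
        return False
    printable = sum(32 <= b < 127 or b in b"\r\n\t" for b in buf)
    return printable / len(buf) >= threshold


def try_known_keys(blob: bytes):
    """Try the XOR key and each known RC4 key; return (label, plaintext) for
    the first candidate that decodes to text, or None if none does."""
    candidates = [("xor-0x53", xor_decode(blob))]
    candidates += [("rc4-" + k.decode(), rc4(k, blob)) for k in KNOWN_RC4_KEYS]
    for label, plain in candidates:
        if looks_like_text(plain):
            return label, plain
    return None
```

A hit on one of the known keys is a strong pivot for hunting, but a miss proves little: the keys are reported historical values and later builds may use others.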

Groups That Use This Software

G0045 menuPass (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: DOJ APT10 Dec 2018)
