RedLeaves
Associated Software Descriptions

Name | Description
---|---
BUGJUICE | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. (Citation: FireEye APT10 April 2017) (Citation: Twitter Nick Carr APT10)
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RedLeaves can communicate with its C2 over HTTP and HTTPS if directed. (Citation: FireEye APT10 April 2017) (Citation: Accenture Hogfish April 2018)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Accenture Hogfish April 2018)
Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: Accenture Hogfish April 2018)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | RedLeaves can gather browser usernames and passwords. (Citation: Accenture Hogfish April 2018)
Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | RedLeaves has encrypted its C2 traffic with RC4, previously using the keys 88888888 and babybear. (Citation: PWC Cloud Hopper Technical Annex April 2017)
Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | RedLeaves is launched through DLL search order hijacking, which causes a legitimate executable to load a malicious DLL. (Citation: FireEye APT10 April 2017)
Enterprise | T1070.004 | Indicator Removal: File Deletion | RedLeaves can delete specified files. (Citation: PWC Cloud Hopper Technical Annex April 2017)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | A RedLeaves configuration file is encrypted with a simple single-byte XOR key, 0x53. (Citation: PWC Cloud Hopper Technical Annex April 2017)
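The T1573.001 and T1027.013 rows above give enough detail to reconstruct the decoders an analyst would write. The following is an added example, not code from RedLeaves, from MITRE, or from any of the cited reports: it XOR-decodes a configuration blob with 0x53 and tries the two reported RC4 keys, in the order the annex lists them, against a C2 message body. The key=value configuration layout, both sample blobs, and the brute-force recovery of an unknown single-byte XOR key (which goes beyond what the page states, for a variant that changes the key) are constructed assumptions for illustration.

```python
"""Decode two RedLeaves artifacts described in the table above: a configuration
blob XORed with the single byte 0x53, and C2 traffic encrypted with RC4 under
the reported keys. Added example, not code from RedLeaves or the cited reports;
the key=value config layout and both sample blobs are constructed here."""

XOR_KEY = 0x53                          # config key reported in the PwC/BAE annex
RC4_KEYS = [b"88888888", b"babybear"]   # C2 keys reported in the PwC/BAE annex


def looks_like_text(data: bytes) -> bool:
    """Plausibility check: non-empty and every byte printable ASCII or CR/LF/TAB."""
    return len(data) > 0 and all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data)


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be one byte")
    return bytes(b ^ key for b in data)


def recover_xor_key(blob: bytes) -> int:
    """Brute-force all 256 single-byte keys and return the one yielding the most
    text-like bytes. Goes beyond the page: handles a variant that changes 0x53."""
    def text_score(plain: bytes) -> int:
        return sum(1 for b in plain if 0x20 <= b < 0x7F or b in b"\r\n\t")
    return max(range(256), key=lambda k: text_score(xor_bytes(blob, k)))


def parse_config(plain: bytes) -> dict:
    """Parse the constructed key=value line layout (an assumption, not the real format)."""
    fields = {}
    for line in plain.decode("ascii").splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            fields[name.strip()] = value.strip()
    return fields


def decode_config(blob: bytes, key: int = XOR_KEY) -> dict:
    """Strip the XOR layer with the reported key and parse the result."""
    return parse_config(xor_bytes(blob, key))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_c2(blob: bytes, keys=RC4_KEYS):
    """Try each reported RC4 key in order; return (key, plaintext) for the first
    decryption that looks like text, or None if no key fits."""
    for key in keys:
        plain = rc4(key, blob)
        if looks_like_text(plain):
            return key, plain
    return None


# Constructed samples (not from a real infection): a config and a beacon body,
# protected the way the two table rows describe.
SAMPLE_CONFIG_PLAIN = (
    b"c2_host=abc-update.example.com\r\n"
    b"c2_port=443\r\n"
    b"sleep_sec=120\r\n"
    b"campaign=ABC0123\r\n"
)
SAMPLE_CONFIG_BLOB = xor_bytes(SAMPLE_CONFIG_PLAIN, XOR_KEY)
SAMPLE_BEACON_PLAIN = b"host=WKS-01;user=alice;cmd=idle\r\n"
SAMPLE_C2_BLOB = rc4(b"88888888", SAMPLE_BEACON_PLAIN)


if __name__ == "__main__":
    print("config:", decode_config(SAMPLE_CONFIG_BLOB))
    print("recovered XOR key:", hex(recover_xor_key(SAMPLE_CONFIG_BLOB)))
    hit = decrypt_c2(SAMPLE_C2_BLOB)
    print("C2:", "no key matched" if hit is None else (hit[0].decode(), hit[1]))
```

The printability heuristic in `decrypt_c2` and `recover_xor_key` is only appropriate when the protected payload is text-like, as the constructed samples are; for a binary body or a config with embedded structures, replace it with a check on a known header, magic value, or field layout before trusting a key.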
Groups That Use This Software

ID | Name | References
---|---|---
G0045 | menuPass | (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: DOJ APT10 Dec 2018)
References
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Carr, N. (2017, April 6). Retrieved September 12, 2024.
- United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.