| Name | Description |
|---|---|
| BUGJUICE | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. [2] [3] |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | RedLeaves is launched through use of DLL search order hijacking to load a malicious DLL.[2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.[1][4] |
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.[1][4] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[1][2] |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.[2][4] |
| Enterprise | T1083 | File and Directory Discovery | RedLeaves can enumerate and search for files and directories.[1][2] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1082 | System Information Discovery | RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[1][4] |
| Enterprise | T1033 | System Owner/User Discovery | RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.[1] |
| Enterprise | T1049 | System Network Connections Discovery | RedLeaves can enumerate drives and Remote Desktop sessions.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | RedLeaves can obtain information about network parameters.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | RedLeaves is capable of downloading a file from a specified URL.[1] |
| Enterprise | T1571 | Non-Standard Port | RedLeaves can use HTTP over non-standard ports, such as 995, for C2.[1] |
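The two fixed keys in the table above (RC4 keys 88888888 and babybear for C2 traffic, single-byte XOR 0x53 for the configuration file) are exactly what an analyst tries first when triaging a suspected RedLeaves sample. The following is an added example, not tooling from FireEye, the cited reports, or the malware itself: it implements RC4 from scratch, tries each reported key against an opaque blob and keeps the first result that looks like text, and decodes a config blob with the 0x53 XOR key. The beacon and config bytes below are constructed for the demo and are not captured traffic or a real RedLeaves config; the plausibility threshold is an assumption.

```python
"""Known-key decoder for RedLeaves-style artefacts (added example, not vendor code)."""
from __future__ import annotations

# Keys reported for RedLeaves C2 (RC4) and for its config file (XOR), per the table above.
KNOWN_RC4_KEYS: tuple[bytes, ...] = (b"88888888", b"babybear")
CONFIG_XOR_KEY = 0x53


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation, XORed with data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_decode(data: bytes, key: int = CONFIG_XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_plaintext(data: bytes, threshold: float = 0.9) -> bool:
    """Heuristic (assumed threshold): a decryption is plausible if most bytes are
    printable ASCII or whitespace. A wrong RC4 key yields pseudo-random bytes."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in b"\r\n\t")
    return printable / len(data) >= threshold


def try_known_rc4_keys(blob: bytes) -> tuple[bytes, bytes] | None:
    """Try each reported key in turn; return (key, plaintext) for the first plausible hit."""
    for key in KNOWN_RC4_KEYS:
        plaintext = rc4(key, blob)
        if looks_like_plaintext(plaintext):
            return key, plaintext
    return None


# Constructed demo inputs (not real captures): a fake beacon RC4-encrypted with
# "babybear", and a fake config XORed with 0x53. 192.0.2.10 is a documentation address.
SAMPLE_BEACON = b"POST /index.php HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\nid=1001;host=WS01"
SAMPLE_C2 = rc4(b"babybear", SAMPLE_BEACON)
SAMPLE_CONFIG = xor_decode(b"c2=192.0.2.10:995;sleep=60;group=test")


if __name__ == "__main__":
    hit = try_known_rc4_keys(SAMPLE_C2)
    if hit:
        print(f"RC4 key {hit[0].decode()} -> {hit[1]!r}")
    else:
        print("no known RC4 key produced readable output")
    print(f"XOR 0x{CONFIG_XOR_KEY:02x} config -> {xor_decode(SAMPLE_CONFIG)!r}")
```

Run it against a real artefact by replacing `SAMPLE_C2` with the TCP payload of a suspected beacon (after any HTTP framing is stripped) and `SAMPLE_CONFIG` with the dropped config file. A miss on both keys does not clear the sample; later variants may carry other keys, so treat the key list as a starting point rather than a signature.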
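The last row of the table (plaintext HTTP to port 995, which is normally POP3 over TLS) is the kind of protocol/port mismatch a network sensor can flag directly. The following is an added detection example, not code from the cited reports or from any specific NIDS: it inspects the first client bytes of each flow, decides whether they are an HTTP request or a TLS ClientHello, and raises an alert when HTTP appears on a port outside an assumed allowlist of expected HTTP ports. The flow records are constructed for the demo; the allowlist and the record layout are assumptions.

```python
"""Flag plaintext HTTP on non-standard ports (added example; constructed flows)."""
from __future__ import annotations

from dataclasses import dataclass

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")
# Assumed allowlist: ports where plaintext HTTP is expected in this environment.
EXPECTED_HTTP_PORTS = {80, 8000, 8008, 8080, 8888}


@dataclass(frozen=True)
class Flow:
    """Minimal flow record: endpoints plus the first bytes the client sent."""
    src: str
    dst: str
    dport: int
    payload: bytes


def is_http_request(payload: bytes) -> bool:
    """True if the payload opens with an HTTP/1.x request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    return payload.startswith(HTTP_METHODS) and b" HTTP/1." in request_line


def is_tls_client_hello(payload: bytes) -> bool:
    """True for a TLS record of type handshake (0x16), version 3.x, carrying a ClientHello (0x01)."""
    return len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01


def flag_nonstandard_http(flows: list[Flow]) -> list[dict]:
    """Return one alert per flow that carries plaintext HTTP to a port not in the allowlist.
    TLS on an odd port is left alone here; 995 with a real ClientHello is just POP3S."""
    alerts = []
    for f in flows:
        if is_http_request(f.payload) and f.dport not in EXPECTED_HTTP_PORTS:
            alerts.append({
                "src": f.src,
                "dst": f.dst,
                "dport": f.dport,
                "reason": "plaintext HTTP request on non-standard port",
                "request_line": f.payload.split(b"\r\n", 1)[0].decode("ascii", "replace"),
            })
    return alerts


# Constructed flows (documentation address ranges, not real traffic).
TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03])
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 80, b"GET / HTTP/1.1\r\nHost: example\r\n\r\n"),
    Flow("10.0.0.5", "198.51.100.7", 995, b"POST /index.php HTTP/1.1\r\nHost: 198.51.100.7\r\n\r\n"),
    Flow("10.0.0.5", "198.51.100.9", 995, TLS_HELLO),
    Flow("10.0.0.6", "198.51.100.8", 443, TLS_HELLO),
    Flow("10.0.0.7", "198.51.100.11", 8080, b"GET /update HTTP/1.1\r\nHost: internal\r\n\r\n"),
]


if __name__ == "__main__":
    for alert in flag_nonstandard_http(SAMPLE_FLOWS):
        print(alert)
```

Feed it from whatever exposes the first client bytes of a connection (a PCAP reader or a sensor's payload field); the point is the mismatch between what the port implies and what the bytes are, not the single port number 995, which is why the allowlist and the TLS check are kept separate from the HTTP test.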