S0153 RedLeaves
RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus.[3][2]
Item | Value |
---|---|
ID | S0153 |
Associated Names | BUGJUICE |
Type | MALWARE |
Version | 1.1 |
Created | 14 December 2017 |
Last Modified | 23 March 2023 |
Associated Software Descriptions
Name | Description |
---|---|
BUGJUICE | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves.[2][1] |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1071 | Application Layer Protocol | - |
enterprise | T1071.001 | Web Protocols | RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.[2][4] |
enterprise | T1547 | Boot or Logon Autostart Execution | - |
enterprise | T1547.001 | Registry Run Keys / Startup Folder | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.[3][4] |
enterprise | T1547.009 | Shortcut Modification | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.[3][4] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.003 | Windows Command Shell | RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[3][2] |
enterprise | T1555 | Credentials from Password Stores | - |
enterprise | T1555.003 | Credentials from Web Browsers | RedLeaves can gather browser usernames and passwords.[4] |
enterprise | T1573 | Encrypted Channel | - |
enterprise | T1573.001 | Symmetric Cryptography | RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.[3] |
enterprise | T1083 | File and Directory Discovery | RedLeaves can enumerate and search for files and directories.[3][2] |
enterprise | T1574 | Hijack Execution Flow | - |
enterprise | T1574.001 | DLL Search Order Hijacking | RedLeaves is launched through use of DLL search order hijacking to load a malicious DLL.[2] |
enterprise | T1070 | Indicator Removal | - |
enterprise | T1070.004 | File Deletion | RedLeaves can delete specified files.[3] |
enterprise | T1105 | Ingress Tool Transfer | RedLeaves is capable of downloading a file from a specified URL.[3] |
enterprise | T1571 | Non-Standard Port | RedLeaves can use HTTP over non-standard ports, such as 995, for C2.[3] |
enterprise | T1027 | Obfuscated Files or Information | A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.[3] |
enterprise | T1113 | Screen Capture | RedLeaves can capture screenshots.[2][4] |
enterprise | T1082 | System Information Discovery | RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[3][4] |
enterprise | T1016 | System Network Configuration Discovery | RedLeaves can obtain information about network parameters.[3] |
enterprise | T1049 | System Network Connections Discovery | RedLeaves can enumerate drives and Remote Desktop sessions.[3] |
enterprise | T1033 | System Owner/User Discovery | RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.[3] |
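
The T1573.001 and T1027 rows above give an analyst two concrete handles on RedLeaves artifacts: C2 traffic encrypted with RC4 under the reported keys 88888888 and babybear, and a configuration file XOR-encoded with the single byte 0x53. The following helper, an added example that is not part of the ATT&CK page and not code from any RedLeaves sample, implements standard RC4 and single-byte XOR so a captured blob can be tested against those reported keys. The sample payload, the printable-text heuristic and all function names are constructed for illustration.

```python
"""Analyst helper for RedLeaves-style artifacts (added example, not from the page).

Implements textbook RC4 and single-byte XOR so that a captured C2 payload or
configuration blob can be tried against the keys the ATT&CK entry reports.
Every key value below comes from the page; everything else is an assumption
made for this example.
"""
from __future__ import annotations
from typing import Iterable, Optional, Tuple

CONFIG_XOR_KEY = 0x53                          # T1027 row: config XOR key
KNOWN_RC4_KEYS = [b"88888888", b"babybear"]    # T1573.001 row: reported RC4 keys


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_single_byte(data: bytes, key: int = CONFIG_XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def looks_like_text(data: bytes, threshold: float = 0.9) -> bool:
    """Constructed heuristic: treat a candidate decryption as plausible plaintext
    when at least `threshold` of its bytes are printable ASCII or whitespace."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold


def try_known_rc4_keys(blob: bytes,
                       keys: Iterable[bytes] = KNOWN_RC4_KEYS) -> Optional[Tuple[bytes, bytes]]:
    """Return (key, plaintext) for the first reported key that yields plausible
    text, or None if none of them does (a hint the sample uses a new key)."""
    for key in keys:
        candidate = rc4(key, blob)
        if looks_like_text(candidate):
            return key, candidate
    return None


def decode_config(blob: bytes) -> Optional[bytes]:
    """Undo the 0x53 XOR layer; return None if the result does not look like text."""
    candidate = xor_single_byte(blob)
    return candidate if looks_like_text(candidate) else None


if __name__ == "__main__":
    # Constructed sample: an HTTP request encrypted with one of the reported keys.
    sample = b"GET /index.php HTTP/1.1\r\nHost: example.test\r\n\r\n"
    captured = rc4(b"babybear", sample)
    hit = try_known_rc4_keys(captured)
    print("RC4 key matched:", hit[0] if hit else None)
    # Constructed sample: a config blob under the 0x53 XOR layer.
    print("config:", decode_config(xor_single_byte(b"server=example.test;port=995")))
```

The RC4 routine is verified against the public test vector (key "Key", plaintext "Plaintext"), so a failed match on a real sample points at the key or the framing of the blob, not at the implementation.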
Groups That Use This Software
ID | Name | References |
---|---|---|
G0045 | menuPass | [3][5] |
References
1. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
2. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
3. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
4. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.