Skip to content

S0153 RedLeaves

RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. 1 2

Item Value
ID S0153
Associated Names BUGJUICE
Version 1.1
Created 14 December 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Associated Software Descriptions

Name Description
BUGJUICE Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. 2 3

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.24
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.14
enterprise T1547.009 Shortcut Modification RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.14
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.12
enterprise T1555 Credentials from Password Stores -
enterprise T1555.003 Credentials from Web Browsers RedLeaves can gather browser usernames and passwords.4
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.1
enterprise T1083 File and Directory Discovery RedLeaves can enumerate and search for files and directories.12
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking RedLeaves is launched through use of DLL search order hijacking to load a malicious dll.2
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion RedLeaves can delete specified files.1
enterprise T1105 Ingress Tool Transfer RedLeaves is capable of downloading a file from a specified URL.1
enterprise T1571 Non-Standard Port RedLeaves can use HTTP over non-standard ports, such as 995, for C2.1
enterprise T1027 Obfuscated Files or Information A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.1
enterprise T1113 Screen Capture RedLeaves can capture screenshots.24
enterprise T1082 System Information Discovery RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.14
enterprise T1016 System Network Configuration Discovery RedLeaves can obtain information about network parameters.1
enterprise T1049 System Network Connections Discovery RedLeaves can enumerate drives and Remote Desktop sessions.1
enterprise T1033 System Owner/User Discovery RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.1

Groups That Use This Software

ID Name References
G0045 menuPass 15


Back to top