RedLeaves

RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. [1] [2]

ID: S0153
Aliases: RedLeaves, BUGJUICE
Type: MALWARE
Contributors: Edward Millington

Platforms: Windows

Version: 1.0

Alias Descriptions

Name | Description
RedLeaves | [1]
BUGJUICE | Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. [2] [4]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell. [1][2]
Enterprise | T1043 | Commonly Used Port | RedLeaves uses a specific port of 443 and can also use ports 53 and 80 for C2. One RedLeaves variant uses HTTP over port 443 to connect to its C2 server. [1][3]
Enterprise | T1003 | Credential Dumping | RedLeaves can gather browser usernames and passwords. [3]
Enterprise | T1094 | Custom Command and Control Protocol | RedLeaves can communicate to its C2 over TCP using a custom binary protocol. [2]
Enterprise | T1038 | DLL Search Order Hijacking | RedLeaves is launched through use of DLL search order hijacking to load a malicious DLL. [2]
Enterprise | T1083 | File and Directory Discovery | RedLeaves can enumerate and search for files and directories. [1][2]
Enterprise | T1107 | File Deletion | RedLeaves can delete specified files. [1]
Enterprise | T1027 | Obfuscated Files or Information | A RedLeaves configuration file is encrypted with a simple XOR key, 0x53. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys. [1][3]
Enterprise | T1105 | Remote File Copy | RedLeaves is capable of downloading a file from a specified URL. [1]
Enterprise | T1113 | Screen Capture | RedLeaves can capture screenshots. [2][3]
Enterprise | T1023 | Shortcut Modification | RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. [1][3]
Enterprise | T1071 | Standard Application Layer Protocol | RedLeaves can communicate to its C2 over HTTP and HTTPS if directed. [2][3]
Enterprise | T1032 | Standard Cryptographic Protocol | RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear. [1]
Enterprise | T1082 | System Information Discovery | RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information. [1][3]
Enterprise | T1016 | System Network Configuration Discovery | RedLeaves can obtain information about network parameters. [1]
Enterprise | T1049 | System Network Connections Discovery | RedLeaves can enumerate drives and Remote Desktop sessions. [1]
Enterprise | T1033 | System Owner/User Discovery | RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions. [1]
Enterprise | T1065 | Uncommonly Used Port | RedLeaves can use port 995 for C2. [1]
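The XOR-0x53 configuration encoding (T1027) and the RC4-encrypted C2 traffic with the reported keys (T1032) lend themselves to a small analyst toolkit. The following is an added example, not code from this page or from any RedLeaves sample: a plain RC4 routine, a config decoder, and a helper that tries the keys named above against a captured payload. The key values and the XOR byte come from the table; the sample config and payload are constructed here.

```python
# Added analyst helpers for the artifacts described above. Keys and the XOR byte
# are the values reported on the page; the sample blobs below are constructed.

KNOWN_RC4_KEYS = [b"88888888", b"babybear"]  # RC4 keys reported for RedLeaves C2
CONFIG_XOR_KEY = 0x53                         # single-byte XOR key for the config file


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation + XOR
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_config(blob: bytes, key: int = CONFIG_XOR_KEY) -> bytes:
    """Undo the single-byte XOR applied to the configuration file."""
    return bytes(b ^ key for b in blob)


def looks_like_text(data: bytes) -> bool:
    """Heuristic: mostly printable ASCII suggests the candidate key was right."""
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return len(data) > 0 and printable / len(data) > 0.9


def try_known_keys(ciphertext: bytes, keys=KNOWN_RC4_KEYS):
    """Return (key, plaintext) for the first known key giving readable output, else None."""
    for key in keys:
        candidate = rc4(key, ciphertext)
        if looks_like_text(candidate):
            return key, candidate
    return None


# Constructed sample artifacts (not real RedLeaves data). XOR is its own inverse,
# so encoding the plaintext once yields a blob that decode_config() recovers.
SAMPLE_CONFIG_BLOB = decode_config(b"constructed config text", CONFIG_XOR_KEY)
SAMPLE_C2_PAYLOAD = rc4(b"babybear", b"hostname=WS01;os=Windows 7")
```

The RC4 routine is a standard implementation, so it can be checked against published test vectors before being pointed at real captures.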

Groups

Groups that use this software:

menuPass

References