RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. [1] [2]

ID: S0153
Associated Software: BUGJUICE
Platforms: Windows
Contributors: Edward Millington
Version: 1.1
Created: 14 December 2017
Last Modified: 30 March 2020

Associated Software Descriptions

Name Description

BUGJUICE Based on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. [2] [3]

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RedLeaves can communicate with its C2 over HTTP and HTTPS if directed.[2][4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.[1][4]

Enterprise T1547 .009 Boot or Logon Autostart Execution: Shortcut Modification

RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.[1][4]
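The two persistence rows above describe one behavior with a fallback: a shortcut dropped into the Startup folder, and a Run key written only if that fails. Because a given host will usually show one or the other, a detection has to check both paths independently. The following is an added example, not code from the page or from any RedLeaves analysis: it runs simple Sysmon-style checks over a handful of constructed events (Event ID 11 FileCreate and Event ID 13 RegistryEvent, field names as Sysmon emits them). The sample paths, SIDs and process IDs are made up, and the "user-writable location" heuristic is an assumption of the example.

```python
import re
from typing import List, Optional

# Constructed Sysmon-style events for the demonstration (not real telemetry).
# Event ID 11 = FileCreate, Event ID 13 = RegistryEvent (value set); the field
# names follow the Sysmon schema, the values are invented.
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 4120,
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 13, "ProcessId": 5300, "EventType": "SetValue",
     "Image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1002\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "Details": r"C:\Users\bob\AppData\Local\Temp\svc.exe"},
    {"EventID": 11, "ProcessId": 900,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Desktop\notes.txt"},
    {"EventID": 13, "ProcessId": 2200, "EventType": "SetValue",
     "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]

# Per-user and all-users Startup folders both end in this path segment.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Run / RunOnce values under HKCU (seen by Sysmon as HKU\<SID>) or HKLM.
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.IGNORECASE)
# Heuristic (assumption of this example): paths a user can write without
# elevation. An autostart entry pointing into one deserves a closer look.
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\(AppData|Downloads)\\", re.IGNORECASE)


def classify(event: dict) -> Optional[str]:
    """Map an event to the ATT&CK sub-technique it evidences, or None if neither."""
    if event["EventID"] == 11 and STARTUP_LNK.search(event.get("TargetFilename", "")):
        return "T1547.009"
    if (event["EventID"] == 13 and event.get("EventType") == "SetValue"
            and RUN_KEY.search(event.get("TargetObject", ""))):
        return "T1547.001"
    return None


def detect_autostart(events: List[dict]) -> List[dict]:
    """Return one finding per autostart write, in event order.

    Both persistence paths are checked independently: the Run key is only the
    fallback when the Startup shortcut fails, so one host rarely shows both.
    """
    findings = []
    for ev in events:
        tech = classify(ev)
        if tech is None:
            continue
        target = ev.get("TargetFilename") or ev.get("TargetObject")
        # For a Run value the interesting path is the value data; for a .lnk the
        # shortcut's own target is not in this event, so look at the writer.
        referenced = ev.get("Details") if tech == "T1547.001" else ev["Image"]
        findings.append({
            "technique": tech,
            "pid": ev["ProcessId"],
            "image": ev["Image"],
            "target": target,
            "suspicious_path": bool(USER_WRITABLE.search(referenced or "")),
        })
    return findings


if __name__ == "__main__":
    for f in detect_autostart(SAMPLE_EVENTS):
        print(f["technique"], f["pid"], f["target"], "suspicious" if f["suspicious_path"] else "")
```

Legitimate installers write Run values too (the vendor event above is flagged as well), so the `suspicious_path` flag is there to rank, not to decide; in practice the writer's image path, signature and parent process are what separate the two.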

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[1][2]

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

RedLeaves can gather browser usernames and passwords.[4]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.[1]

Enterprise T1083 File and Directory Discovery

RedLeaves can enumerate and search for files and directories.[1][2]

Enterprise T1574 .001 Hijack Execution Flow: DLL Search Order Hijacking

RedLeaves is launched through DLL search order hijacking, which causes a legitimate program to load the malicious DLL.[2]

Enterprise T1070 .004 Indicator Removal: File Deletion

RedLeaves can delete specified files.[1]

Enterprise T1105 Ingress Tool Transfer

RedLeaves is capable of downloading a file from a specified URL.[1]

Enterprise T1571 Non-Standard Port

RedLeaves can use HTTP over non-standard ports, such as 995, for C2.[1]
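What makes the behavior above detectable is that a sensor identifying protocols by content, rather than by port, will label the connection as HTTP even though it runs on 995 (the IANA-assigned POP3S port, where TLS, not cleartext HTTP, is expected). The following is an added example, not code from the page: it parses a constructed Zeek-style conn.log excerpt (invented addresses, UIDs and timestamps, column names as Zeek writes them in its #fields header) and flags HTTP seen on any responder port outside an expected set. The expected-port set and the port notes are assumptions of the example and should be tuned per environment.

```python
from typing import Dict, List

# Constructed Zeek-style conn.log excerpt (tab-separated, #fields header as
# Zeek writes it). Addresses, UIDs and timestamps are made up.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1514764800.000000\tCabcd1\t10.0.0.5\t49152\t203.0.113.10\t80\ttcp\thttp\tSF
1514764801.000000\tCabcd2\t10.0.0.5\t49153\t203.0.113.10\t995\ttcp\thttp\tSF
1514764802.000000\tCabcd3\t10.0.0.7\t49154\t203.0.113.11\t995\ttcp\tssl\tSF
1514764803.000000\tCabcd4\t10.0.0.5\t49155\t203.0.113.12\t443\ttcp\tssl\tSF
1514764804.000000\tCabcd5\t10.0.0.9\t49156\t203.0.113.13\t8080\ttcp\thttp\tSF
"""

# Ports where seeing plain HTTP is unremarkable (assumption; tune per environment).
EXPECTED_HTTP_PORTS = {80, 8080, 8000, 8888}
# IANA assignments for ports that normally carry a TLS-wrapped service; used for
# the analyst-facing note only.
PORT_NOTES = {443: "https", 465: "smtps", 993: "imaps", 995: "pop3s"}


def parse_conn_log(text: str) -> List[Dict[str, str]]:
    """Parse a conn.log excerpt, taking column names from its #fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("conn.log excerpt has no #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def http_on_nonstandard_ports(rows: List[Dict[str, str]],
                              expected=EXPECTED_HTTP_PORTS) -> List[dict]:
    """Flag connections whose detected service is http but whose responder port
    is outside the expected set. The 'service' column comes from Zeek's content-
    based protocol detection, so a cleartext HTTP session on 995 is still 'http'."""
    hits = []
    for r in rows:
        if r.get("service") != "http":
            continue
        port = int(r["id.resp_p"])
        if port in expected:
            continue
        note = PORT_NOTES.get(port)
        hits.append({
            "uid": r["uid"],
            "orig": r["id.orig_h"],
            "resp": f'{r["id.resp_h"]}:{port}',
            "note": f"{note} port, expects TLS not cleartext HTTP" if note else "other/unassigned port",
        })
    return hits


if __name__ == "__main__":
    for h in http_on_nonstandard_ports(parse_conn_log(SAMPLE_CONN_LOG)):
        print(h["uid"], h["orig"], "->", h["resp"], "|", h["note"])
```

A genuine TLS session on 995 (the third row) is not flagged, because the point is the mismatch between the port's expected wrapping and the cleartext protocol actually observed, not the port number by itself.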

Enterprise T1027 Obfuscated Files or Information

A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.[1]
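The two encoding details on this page (RC4-encrypted C2 traffic with the reported keys 88888888 and babybear, and a configuration file XORed with the single byte 0x53) are the kind of thing an analyst turns into a small decoder. The following is an added example and is not code from the page or from any RedLeaves sample: it implements plain RC4, the self-inverse single-byte XOR, and a key-trial routine that decrypts a blob with each known key and keeps the most plausible result. The plausibility score (fraction of printable bytes) and the sample config and beacon strings are assumptions of the example, constructed here so it runs offline; real RedLeaves payloads are not guaranteed to be text.

```python
from typing import List, Optional, Tuple

# RC4 keys reported for RedLeaves C2 traffic (from the page above). Keys an
# analyst recovers from other samples can be appended here.
KNOWN_RC4_KEYS: List[bytes] = [b"88888888", b"babybear"]

# Single-byte XOR key reported for the RedLeaves configuration file.
CONFIG_XOR_KEY = 0x53


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_decode(data: bytes, key: int = CONFIG_XOR_KEY) -> bytes:
    """Undo the single-byte XOR on the configuration file (XOR is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace. A crude
    plausibility score for a candidate decryption (assumption of this example)."""
    if not data:
        return 0.0
    ok = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return ok / len(data)


def try_known_keys(blob: bytes, threshold: float = 0.9,
                   keys: List[bytes] = KNOWN_RC4_KEYS) -> Optional[Tuple[bytes, bytes]]:
    """Decrypt blob with each known RC4 key; return (key, plaintext) for the
    best-scoring candidate, or None if nothing reaches the threshold."""
    best_key, best_pt, best_score = None, None, 0.0
    for key in keys:
        pt = rc4(key, blob)
        score = printable_ratio(pt)
        if score > best_score:
            best_key, best_pt, best_score = key, pt, score
    if best_key is None or best_score < threshold:
        return None
    return best_key, best_pt


# Constructed sample data for the demonstration (not real RedLeaves artifacts).
SAMPLE_CONFIG = b"c2=c2.example.invalid;port=995;proto=http;sleep=60\n"
SAMPLE_BEACON = b"host=WORKSTATION01;user=alice;os=6.1;uptime=3600\n"

if __name__ == "__main__":
    # Encode the way the page describes, then recover the plaintext as an analyst would.
    encrypted_config = xor_decode(SAMPLE_CONFIG)           # same op encodes and decodes
    print("config :", xor_decode(encrypted_config).decode().strip())
    wire = rc4(b"babybear", SAMPLE_BEACON)                 # what would cross the wire
    hit = try_known_keys(wire)
    if hit:
        print("beacon :", hit[0].decode(), "->", hit[1].decode().strip())
```

Because RC4 is a stream cipher with no integrity check, a wrong key yields byte noise rather than an error, which is why a plausibility score is needed at all; if the payload turns out to be binary or compressed, swap `printable_ratio` for a check that fits the recovered structure.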

Enterprise T1113 Screen Capture

RedLeaves can capture screenshots.[2][4]

Enterprise T1082 System Information Discovery

RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[1][4]

Enterprise T1016 System Network Configuration Discovery

RedLeaves can obtain information about network parameters.[1]

Enterprise T1049 System Network Connections Discovery

RedLeaves can enumerate drives and Remote Desktop sessions.[1]

Enterprise T1033 System Owner/User Discovery

RedLeaves can obtain information about the logged-on user, both locally and for Remote Desktop sessions.[1]

Groups That Use This Software

ID Name References
G0045 menuPass