RedLeaves is a malware family used by menuPass. The code overlaps with PlugX and may be based upon the open source tool Trochilus. [1] [2]

ID: S0153
Associated Software: BUGJUICE

Contributors: Edward Millington

Platforms: Windows

Version: 1.0

Associated Software Descriptions

BUGJUICEBased on similarities in reported malware behavior and open source reporting, it is assessed that the malware named BUGJUICE by FireEye is likely the same as the malware RedLeaves. [2] [4]

Techniques Used

EnterpriseT1059Command-Line InterfaceRedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[1][2]
EnterpriseT1043Commonly Used PortRedLeaves uses a specific port of 443 and can also use ports 53 and 80 for C2. One RedLeaves variant uses HTTP over port 443 to connect to its C2 server.[1][3]
EnterpriseT1003Credential DumpingRedLeaves can gather browser usernames and passwords.[3]
EnterpriseT1094Custom Command and Control ProtocolRedLeaves can communicate to its C2 over TCP using a custom binary protocol.[2]
EnterpriseT1038DLL Search Order HijackingRedLeaves is launched through use of DLL search order hijacking to load a malicious dll.[2]
EnterpriseT1083File and Directory DiscoveryRedLeaves can enumerate and search for files and directories.[1][2]
EnterpriseT1107File DeletionRedLeaves can delete specified files.[1]
EnterpriseT1027Obfuscated Files or InformationA RedLeaves configuration file is encrypted with a simple XOR key, 0x53.[1]
EnterpriseT1060Registry Run Keys / Startup FolderRedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.[1][3]
EnterpriseT1105Remote File CopyRedLeaves is capable of downloading a file from a specified URL.[1]
EnterpriseT1113Screen CaptureRedLeaves can capture screenshots.[2][3]
EnterpriseT1023Shortcut ModificationRedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.[1][3]
EnterpriseT1071Standard Application Layer ProtocolRedLeaves can communicate to its C2 over HTTP and HTTPS if directed.[2][3]
EnterpriseT1032Standard Cryptographic ProtocolRedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.[1]
EnterpriseT1082System Information DiscoveryRedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[1][3]
EnterpriseT1016System Network Configuration DiscoveryRedLeaves can obtain information about network parameters.[1]
EnterpriseT1049System Network Connections DiscoveryRedLeaves can enumerate drives and Remote Desktop sessions.[1]
EnterpriseT1033System Owner/User DiscoveryRedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.[1]
EnterpriseT1065Uncommonly Used PortRedLeaves can use port 995 for C2.[1]


Groups that use this software: