win.redleaves

RedLeaves

aka: BUGJUICE

Actor(s): Stone Panda


There is no description at this point.

References
2020 | Secureworks | SecureWorks
@online{secureworks:2020:bronze:66f1290,
  author       = {SecureWorks},
  title        = {{BRONZE RIVERSIDE}},
  organization = {Secureworks},
  date         = {2020},
  language     = {English},
  url          = {https://www.secureworks.com/research/threat-profiles/bronze-riverside},
  urldate      = {2020-05-23},
}
BRONZE RIVERSIDE
Anel ChChes Cobalt Strike PlugX Poison Ivy Quasar RAT RedLeaves Stone Panda
2019-02-06 | Recorded Future | Insikt Group, Rapid7
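@comment{Review: both authors are organisations, so each is braced as a single name; unbraced, "Insikt Group" parses as first name "Insikt", last name "Group". A missing space in the title ("Norwegian MSP") is restored.}
@techreport{group:20190206:apt10:9c61d0b,
  author      = {{Insikt Group} and {Rapid7}},
  title       = {{APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign}},
  institution = {Recorded Future},
  date        = {2019-02-06},
  language    = {English},
  url         = {http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf},
  urldate     = {2020-01-06},
}
APT10 Targeted Norwegian MSP and US Companies in Sustained Campaign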
RedLeaves
2018-12-14 | Australian Cyber Security Centre | ASD
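@comment{Review: two missing spaces in the title ("Investigation report", "company via") are restored; nothing else changed.}
@techreport{asd:20181214:investigationreport:6eda856,
  author      = {ASD},
  title       = {{Investigation report: Compromise of an Australian company via their Managed Service Provider}},
  institution = {Australian Cyber Security Centre},
  date        = {2018-12-14},
  language    = {English},
  url         = {https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf},
  urldate     = {2020-03-11},
}
Investigation report: Compromise of an Australian company via their Managed Service Provider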
PlugX RedLeaves
2018-04-23 | Accenture Security | Bart Parys
@techreport{parys:20180423:hogfish:4dc2531,
  author      = {Parys, Bart},
  title       = {{HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”}},
  institution = {Accenture Security},
  date        = {2018-04-23},
  language    = {English},
  url         = {https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf},
  urldate     = {2020-06-18},
}
HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”
RedLeaves Stone Panda
2018-04-23 | Accenture Security | Bart Parys
@comment{Review: same report as parys:20180423:hogfish:4dc2531; the two entries differ only in the url path segment (__w__ here, _w_ there), so one of them is most likely a duplicate.}
@techreport{parys:20180423:hogfish:8cf32f8,
  author      = {Parys, Bart},
  title       = {{HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”}},
  institution = {Accenture Security},
  date        = {2018-04-23},
  language    = {English},
  url         = {https://www.accenture.com/t20180423T055005Z__w__/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf},
  urldate     = {2020-06-18},
}
HOGFISH REDLEAVES CAMPAIGN: HOGFISH (APT10) targets Japan with RedLeaves implants in “new battle”
RedLeaves
2017-12-04 | Macnica | Macnica
@online{macnica:20171204:new:4bfec6c,
  author       = {Macnica},
  title        = {{New method of macro malware disguised as defense-related files}},
  organization = {Macnica},
  date         = {2017-12-04},
  language     = {Japanese},
  url          = {http://blog.macnica.net/blog/2017/12/post-8c22.html},
  urldate      = {2020-01-06},
}
New method of macro malware disguised as defense-related files
RedLeaves
2017-05-09 | VMWare Carbon Black | Jared Myers
@online{myers:20170509:carbon:63860ae,
  author       = {Myers, Jared},
  title        = {{Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading}},
  organization = {VMWare Carbon Black},
  date         = {2017-05-09},
  language     = {English},
  url          = {https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/},
  urldate      = {2020-03-11},
}
Carbon Black Threat Research Dissects Red Leaves Malware, Which Leverages DLL Side Loading
RedLeaves
2017-05-03 | RSA Link | Ahmed Sonbol
@online{sonbol:20170503:hunting:ce577ba,
  author       = {Sonbol, Ahmed},
  title        = {{Hunting pack use case: RedLeaves malware}},
  organization = {RSA Link},
  date         = {2017-05-03},
  language     = {English},
  url          = {https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware},
  urldate      = {2020-03-11},
}
Hunting pack use case: RedLeaves malware
RedLeaves
2017-04-27 | US-CERT | US-CERT
@online{uscert:20170427:alert:fdb865d,
  author       = {US-CERT},
  title        = {{Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors}},
  organization = {US-CERT},
  date         = {2017-04-27},
  language     = {English},
  url          = {https://www.us-cert.gov/ncas/alerts/TA17-117A},
  urldate      = {2020-03-11},
}
Alert (TA17-117A): Intrusions Affecting Multiple Victims Across Multiple Sectors
PlugX RedLeaves
2017-04-03 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20170403:redleaves:211a123,
  author       = {Tomonaga, Shusei},
  title        = {{RedLeaves - Malware Based on Open Source RAT}},
  organization = {JPCERT/CC},
  date         = {2017-04-03},
  language     = {English},
  url          = {http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html},
  urldate      = {2020-01-10},
}
RedLeaves - Malware Based on Open Source RAT
PlugX RedLeaves
2017-04-03 | Github (nccgroup) | David Cannings
@online{cannings:20170403:technical:e27583c,
  author       = {Cannings, David},
  title        = {{Technical Notes on RedLeaves}},
  organization = {Github (nccgroup)},
  date         = {2017-04-03},
  language     = {English},
  url          = {https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves},
  urldate      = {2020-01-06},
}
Technical Notes on RedLeaves
RedLeaves
2017-04-03 | JPCERT/CC | Shusei Tomonaga
@online{tomonaga:20170403:ratredleaves:c0d1a92,
  author       = {Tomonaga, Shusei},
  title        = {{オープンソースのRATを改良したマルウエアRedLeaves}},
  organization = {JPCERT/CC},
  date         = {2017-04-03},
  language     = {Japanese},
  url          = {https://www.jpcert.or.jp/magazine/acreport-redleaves.html},
  urldate      = {2020-01-06},
}
オープンソースのRATを改良したマルウエアRedLeaves
RedLeaves
2017-04 | PricewaterhouseCoopers | PricewaterhouseCoopers
@techreport{pricewaterhousecoopers:201704:operation:cb50712,
  author      = {PricewaterhouseCoopers},
  title       = {{Operation Cloud Hopper: Technical Annex}},
  institution = {PricewaterhouseCoopers},
  date        = {2017-04},
  language    = {English},
  url         = {https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf},
  urldate     = {2019-10-15},
}
Operation Cloud Hopper: Technical Annex
ChChes PlugX Quasar RAT RedLeaves Trochilus RAT
Yara Rules
[TLP:WHITE] win_redleaves_auto (20201014 | autogenerated rule brought to you by yara-signator)
/*
 * Auto-generated detection rule for the RedLeaves family (Malpedia entry
 * win.redleaves, see malpedia_reference below).
 *
 * Each $sequence_N string is a run of x86 instruction bytes taken from
 * disassembled samples; the listing under each string shows the
 * corresponding disassembly. "??" bytes are wildcards covering the
 * relocation-dependent operands of call (e8, ff15) and memory-operand
 * cmp (833d) instructions, so a sequence still matches when the sample is
 * loaded at a different address.
 *
 * The "n = ..." figure in each listing is the number of byte groups in the
 * string; the meaning of "score" is not documented in this rule and is
 * assumed to be a ranking value emitted by the generator.
 */
rule win_redleaves_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2020-10-14"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.5.0"
        tool_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves"
        // malpedia_rule_date / malpedia_version: the Malpedia snapshot this rule was generated against
        malpedia_rule_date = "20201014"
        malpedia_hash = "a7e3bd57eaf12bf3ea29a863c041091ba3af9ac9"
        malpedia_version = "20201014"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // NOTE(review): $sequence_4 and $sequence_6 share the byte groups
        // `e8???????? 84c0 0f84c2000000` and may come from the same code site;
        // they are not subsets of each other, so both can contribute to "7 of them".
        $sequence_0 = { 8b450c 2bc1 6a00 03ce baffffff7f e8???????? 5e }
            // n = 7, score = 300
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   2bc1                 | sub                 eax, ecx
            //   6a00                 | push                0
            //   03ce                 | add                 ecx, esi
            //   baffffff7f           | mov                 edx, 0x7fffffff
            //   e8????????           |                     
            //   5e                   | pop                 esi

        $sequence_1 = { 5e 5d c20400 55 8bec 83ec14 8365ec00 }
            // n = 7, score = 300
            //   5e                   | pop                 esi
            //   5d                   | pop                 ebp
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec14               | sub                 esp, 0x14
            //   8365ec00             | and                 dword ptr [ebp - 0x14], 0

        $sequence_2 = { 7452 833d????????00 7449 833d????????00 }
            // n = 4, score = 300
            //   7452                 | je                  0x54
            //   833d????????00       |                     
            //   7449                 | je                  0x4b
            //   833d????????00       |                     

        $sequence_3 = { ff7130 ff7510 ffb594fdffff e8???????? 33c0 68fe000000 668985acfdffff }
            // n = 7, score = 300
            //   ff7130               | push                dword ptr [ecx + 0x30]
            //   ff7510               | push                dword ptr [ebp + 0x10]
            //   ffb594fdffff         | push                dword ptr [ebp - 0x26c]
            //   e8????????           |                     
            //   33c0                 | xor                 eax, eax
            //   68fe000000           | push                0xfe
            //   668985acfdffff       | mov                 word ptr [ebp - 0x254], ax

        $sequence_4 = { 757e 83bee001000000 7575 e8???????? 84c0 0f84c2000000 }
            // n = 6, score = 300
            //   757e                 | jne                 0x80
            //   83bee001000000       | cmp                 dword ptr [esi + 0x1e0], 0
            //   7575                 | jne                 0x77
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f84c2000000         | je                  0xc8

        $sequence_5 = { ff15???????? 83c428 83f8ff 7507 }
            // n = 4, score = 300
            //   ff15????????         |                     
            //   83c428               | add                 esp, 0x28
            //   83f8ff               | cmp                 eax, -1
            //   7507                 | jne                 9

        $sequence_6 = { e8???????? 84c0 0f84c2000000 c786d001000001000000 }
            // n = 4, score = 300
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f84c2000000         | je                  0xc8
            //   c786d001000001000000     | mov    dword ptr [esi + 0x1d0], 1

        $sequence_7 = { 741c 50 57 ffb610020000 }
            // n = 4, score = 300
            //   741c                 | je                  0x1e
            //   50                   | push                eax
            //   57                   | push                edi
            //   ffb610020000         | push                dword ptr [esi + 0x210]

        $sequence_8 = { 899edc010000 899ee0010000 899ee4010000 33c0 }
            // n = 4, score = 300
            //   899edc010000         | mov                 dword ptr [esi + 0x1dc], ebx
            //   899ee0010000         | mov                 dword ptr [esi + 0x1e0], ebx
            //   899ee4010000         | mov                 dword ptr [esi + 0x1e4], ebx
            //   33c0                 | xor                 eax, eax

        // NOTE(review): $sequence_9 is a strict prefix of $sequence_0 (the same six
        // byte groups without the trailing `5e`), so any file matching $sequence_0
        // necessarily matches $sequence_9 as well.
        $sequence_9 = { 8b450c 2bc1 6a00 03ce baffffff7f e8???????? }
            // n = 6, score = 300
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   2bc1                 | sub                 eax, ecx
            //   6a00                 | push                0
            //   03ce                 | add                 ecx, esi
            //   baffffff7f           | mov                 edx, 0x7fffffff
            //   e8????????           |                     

    condition:
        // Any 7 of the 10 sequences, in files smaller than 1679360 bytes (1640 KiB).
        // Because $sequence_9 is implied by $sequence_0, the threshold is satisfied
        // by as few as 6 distinct code sites; weigh this when assigning a confidence
        // level to hits, as the disclaimer above recommends.
        7 of them and filesize < 1679360
}