RedLeaves

Malware Profile Updated 3 months ago
RedLeaves is malware that, according to Trend Micro, has been used in cyber espionage campaigns for over five years. It infects Windows machines and operates as a remote access trojan (RAT), giving its operators unauthorized access to and control over infected systems. RedLeaves shares significant similarities with other malware families, notably Trochilus and SprySOCKS, in its command-and-control (C&C) structure and protocol: the C&C server that SprySOCKS connects to closely resembles a server used in a campaign involving RedLeaves, the structure of the SprySOCKS C&C protocol mirrors that of the RedLeaves backdoor, and strings found in both Trochilus and RedLeaves also appear in the SOCKS component added to SprySOCKS. Like SprySOCKS, RedLeaves was based on Trochilus, which underlines how interconnected these families are. APT10, a notable cyber threat group, has been associated with the deployment of custom malware families including RedLeaves, and Trend Micro's analysis confirmed that Earth Yako's MirrorKey malware employs the same encryption routine used by APT10 malware families, including RedLeaves and ChChes. There is, however, no conclusive evidence at this time linking RedLeaves exclusively to STONE PANDA, another cyber threat group.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Windows
Backdoor
Malware
Rat
Espionage
Encryption
Payload
Associated Malware
Name | Type | Votes | Profile Description
SprySOCKS | Unspecified | 4 | SprySOCKS is a new strain of malware that has recently been added to the arsenal of Earth Lusca, an advanced persistent threat (APT) group known for its sophisticated cyberattacks. Malware, short for malicious software, is designed to exploit and damage computers or devices without the user's knowle…
PlugX | Unspecified | 1 | PlugX is a notorious malware, typically associated with Chinese threat actors, that has been used in various cyberattacks. This malicious software infiltrates systems through suspicious downloads, emails, or websites and can steal personal information, disrupt operations, or hold data for ransom. It…
ChChes | Unspecified | 1 | ChChes is a malware family that has been linked to the Advanced Persistent Threat (APT) group known as "menuPass." The malware was first identified in 2016 when it was used to target Japanese academics, pharmaceutical companies, and a US-based subsidiary of a Japanese manufacturing organization. ChC…
Associated Threat Actors
Name | Type | Votes | Profile Description
APT10 | Unspecified | 3 | APT10, also known as the Menupass Team, is a threat actor believed to operate on behalf of the Chinese Ministry of State Security (MSS). The group has been active since 2009 and is suspected to be based in Tianjin, China, according to research by IntrusionTruth in 2018. APT10 has primarily targeted…
Associated Vulnerabilities
No associations to display
Source Document References
Information about the RedLeaves malware was read from the document corpus below. This display is limited to 20 results.
Source | Created | Title
CERT-EU | 10 months ago | Hackers Deployed never-before-seen Linux Malware Attacking Government Entities
DARKReading | 10 months ago | China-Linked Actor Taps Linux Backdoor in Forceful Espionage Campaign
CERT-EU | 10 months ago | Chinese Hackers Have Unleashed a Never-Before-Seen Linux Backdoor - Slashdot
InfoSecurity-magazine | 10 months ago | Chinese Group Exploiting Linux Backdoor to Target Governments
Securityaffairs | 10 months ago | Earth Lusca expands its arsenal with SprySOCKS Linux malware
CERT-EU | 10 months ago | Chinese hackers have unleashed a never-before-seen Linux backdoor – Ars Technica | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #hacker | National Cyber Security Consulting
Trend Micro | 10 months ago | Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement
CERT-EU | 10 months ago | New SprySOCKS Linux malware used in cyber espionage attacks
MITRE | a year ago | Two Birds, One STONE PANDA
Trend Micro | a year ago | Invitation to a Secret Event: Uncovering Earth Yako’s Campaigns
CERT-EU | a year ago | Art of the Hunt: Building a Threat Hunting Hypothesis List