RedLeaves

Malware updated 5 months ago (2024-05-04T18:18:35.246Z)
RedLeaves is malware that, according to Trend Micro, has been used in cyber espionage campaigns for over five years. It infects Windows machines and operates as a remote access trojan (RAT), giving an attacker unauthorized access to and control over infected systems.

RedLeaves shares significant similarities with other malware families, notably Trochilus and SprySOCKS, in its command-and-control (C&C) structure and protocol. Strings found in both Trochilus and RedLeaves also appear in the SOCKS component added to SprySOCKS, and, like SprySOCKS, RedLeaves was based on Trochilus. The C&C server that SprySOCKS connects to closely resembles a server used in a campaign involving RedLeaves, and the structure of the SprySOCKS C&C protocol mirrors that of the RedLeaves backdoor, so the SprySOCKS C&C infrastructure bears a striking resemblance to that used by the threat actors associated with RedLeaves in their espionage activity.

APT10, a notable cyber threat group, has been associated with the deployment of custom malware families including RedLeaves. Trend Micro's analysis also confirmed that Earth Yako's MirrorKey malware uses the same encryption routine as APT10 malware families such as RedLeaves and ChChes. There is, however, no conclusive evidence at this time linking RedLeaves exclusively to STONE PANDA, another cyber threat group.
Description last updated: 2024-05-04T17:43:45.109Z
Aliases: none currently tracked
Miscellaneous Associations (other elements of context that could aid in the identification of relevance): Backdoor, Windows, Malware
Analyst Notes & Discussion
Associated Malware
Alias: SprySOCKS
Description: The SprySOCKS malware is associated with RedLeaves. SprySOCKS is a new strain of malware that has recently been added to the arsenal of Earth Lusca, an advanced persistent threat (APT) group known for its sophisticated cyberattacks. Malware, short for malicious software, is designed to exploit and damage computers or devices without the user's knowle
Association type: Unspecified
Votes: 4
Associated Threat Actors
Alias: APT10
Description: The APT10 threat actor is associated with RedLeaves. APT10, also known as Menupass Team or menuPass, is a Chinese cyber espionage group that has been active since at least 2006. The group is believed to operate on behalf of the Chinese Ministry of State Security (MSS). It primarily targets sectors such as construction and engineering, aerospace, telec
Association type: Unspecified
Votes: 3