Leouncia

Malware

⚠️ Overview

Leouncia is a remote access trojan (RAT) first documented in late 2022 by cybersecurity firm Zscaler ThreatLabz. It is attributed to a likely Chinese-speaking threat actor, based on embedded strings and compilation artifacts. Leouncia is primarily used for espionage and data theft against government and defense sectors in Southeast Asia.

🔧 Technical Capabilities

Leouncia uses spear-phishing emails with malicious Microsoft Office documents as initial infection vectors, exploiting CVE-2017-11882 (Equation Editor vulnerability) to drop a loader. The loader retrieves the main payload from a hardcoded command-and-control (C2) server over HTTP. Persistence is achieved via a scheduled task or registry Run key. Evasion techniques include API obfuscation, dynamic resolution of Windows API calls, and checking for sandbox environments such as VMware or VirtualBox. The RAT supports keylogging, screen capture, file exfiltration, and the ability to execute arbitrary commands. C2 communication uses encrypted payloads with a custom XOR key and base64 encoding.

📜 History & Notable Incidents

First observed in October 2022, Leouncia campaigns targeted government ministries and defense contractors in Vietnam, the Philippines, and Malaysia. In 2023, Zscaler reported a campaign that used decoy documents referencing regional maritime disputes. No CVEs are associated beyond the initial exploitation of CVE-2017-11882. No law enforcement actions have been publicly documented.

🔍 Detection Indicators

Network indicators include HTTP POST requests to IP addresses in the 103.x.x.x range (registered to Chinese ISPs) with User-Agent strings mimicking Chrome or Firefox. File hashes (SHA256) such as e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 have been reported by Zscaler. Registry persistence key: HKCUSoftwareMicrosoftWindowsCurrentVersionRunWindowsUpdate.

☠️ Risk & Impact

Leouncia is designed for stealthy long-term data exfiltration, leading to intellectual property loss and geopolitical intelligence compromise. The affected sectors are primarily government and defense, with documented financial losses not publicly quantified but considered high due to the sensitivity of stolen data.

🛡️ Mitigation

Organizations should patch CVE-2017-11882 in Microsoft Office, implement email filtering for macro-based attachments, and deploy endpoint detection rules (e.g., Sigma rules) for the scheduled task creation and registry key modifications. Zscaler’s threat report (zscaler.com/blogs/research) provides detailed IoCs for SIEM integration.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.