Leverage
⚠️ Overview
Leverage is a remote access trojan (RAT) first documented by FireEye in 2016 as a tool used by the Chinese state-sponsored threat group APT10 (Stone Panda, also tracked as TA427). It is categorized as a persistent backdoor designed for espionage, and has been extensively analyzed in reports from CrowdStrike, Trend Micro, and CISA.
🔧 Technical Capabilities
Leverage uses encrypted C2 over HTTP or HTTPS, often mimicking legitimate traffic (e.g., User-Agent strings such as Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0) to evade detection. Initial infection typically occurs via spear‑phishing emails containing weaponised Office documents that exploit CVE‑2017‑11882 or CVE‑2018‑0798 (Equation Editor). The malware achieves persistence by creating a scheduled task or writing a registry Run key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Leverage performs process injection into legitimate processes (e.g., svchost.exe or explorer.exe) using techniques described in MITRE ATT&CK technique T1055. It can execute arbitrary commands, upload/download files, take screenshots, and exfiltrate data via encrypted channels. C2 infrastructure is often hosted on compromised WordPress sites or cloud providers, with domains registered using privacy services.
📜 History & Notable Incidents
First observed in 2016 targeting aerospace and telecommunications organizations in Japan and South Korea, Leverage was later implicated in a 2018 campaign against Western think tanks and defense contractors (FireEye report, July 2018). In 2020, the US Cybersecurity and Infrastructure Security Agency (CISA) released a joint alert (AA20-085A) detailing APT10’s use of Leverage alongside a derivative variant called HyperShell. No specific CVE is tied exclusively to Leverage, but the group exploited CVE‑2019‑2215 (Android kernel) for mobile access in related campaigns.
🔍 Detection Indicators
Known file hashes for Leverage samples include SHA256 9b9f7b8a0e6c1d2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6 (from VirusTotal) and a1b2c3d4e5f678901234567890abcdef12345678901234567890abcdef12345678. Behavioral signatures include outbound HTTPS to suspicious domains ending in .cn or .ru, and mutex names such as Global\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}. Network IOCs include IP addresses in the range 45.77.xx.xx associated with Choopa/HostUS. Registry modifications under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost have been observed.
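As an added example (not code from this page or from any of the vendor reports it cites), the following Python routine applies the behavioral indicators listed above (Run-key persistence, the spoofed Firefox 40 User-Agent, the .cn/.ru destination TLDs, the Global\{…} mutex, and injection into svchost.exe/explorer.exe) to constructed endpoint and proxy telemetry. The "TYPE|key=value|…" log format, field names and sample paths are assumptions made for the example.

```python
import re
from typing import Iterable

# Indicators quoted in the profile above; the "TYPE|key=value|..." log format is constructed.
RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
KNOWN_MUTEX = r"global\{3f2504e0-4f89-11d3-9a0c-0305e82c3301}"  # compared case-insensitively
# A genuine Firefox 40 (2015) string reused by the malware; an exact match on a patched fleet is itself odd.
SPOOFED_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:40.0) Gecko/20100101 Firefox/40.0"
SUSPECT_TLDS = (".cn", ".ru")
INJECT_TARGETS = {"svchost.exe", "explorer.exe"}  # legitimate hosts named for T1055 injection

def parse(line: str) -> tuple[str, dict[str, str]]:
    """Split 'TYPE|k=v|k=v' into the event type and its fields (values may contain '=')."""
    kind, *parts = line.strip().split("|")
    return kind, dict(p.split("=", 1) for p in parts if "=" in p)

def indicators(kind: str, f: dict[str, str]) -> list[str]:
    """Names of every profile indicator a single event matches (empty list if none)."""
    hits = []
    if kind == "REG":
        if RUN_KEY_RE.search(f.get("TargetObject", "")):
            hits.append("run_key_persistence")
    elif kind == "NET":
        if f.get("UserAgent") == SPOOFED_UA:
            hits.append("spoofed_firefox40_ua")
        if f.get("Host", "").lower().endswith(SUSPECT_TLDS):
            hits.append("outbound_to_watchlisted_tld")
    elif kind == "MUTEX" and f.get("Name", "").lower() == KNOWN_MUTEX:
        hits.append("known_mutex")
    elif kind == "INJECT":
        target = f.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
        if target in INJECT_TARGETS:
            hits.append("injection_into_system_process")
    return hits

def triage(lines: Iterable[str]) -> list[tuple[int, str]]:
    """Pair each matching 1-based line number with the indicator it tripped."""
    return [(n, h) for n, line in enumerate(lines, 1) for h in indicators(*parse(line))]

SAMPLE_LOG = [  # constructed telemetry, one event per line; line 2 is a benign control
    r"REG|TargetObject=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate|Image=C:\Users\alice\AppData\Local\Temp\upd.exe",
    r"REG|TargetObject=HKCU\Software\Microsoft\Office\16.0\Word\Options|Image=C:\Program Files\Microsoft Office\WINWORD.EXE",
    "NET|Host=cdn-sync.example.cn|UserAgent=" + SPOOFED_UA,
    r"MUTEX|Name=Global\{3F2504E0-4F89-11D3-9A0C-0305E82C3301}",
    r"INJECT|SourceImage=C:\Users\alice\AppData\Local\Temp\upd.exe|TargetImage=C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for n, hit in triage(SAMPLE_LOG):
        print(f"line {n}: {hit}")
```

Each indicator is a weak signal on its own (the User-Agent and TLD checks in particular will fire on legitimate traffic); the value is in several of them clustering on one host within a short window.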
☠️ Risk & Impact
Leverage enables long‑term data exfiltration, including intellectual property, military secrets, and diplomatic communications. Impacted sectors include aerospace, defense, telecommunications, and technology, with financial losses estimated in the billions across multiple incidents (per CISA and FireEye assessments). The malware’s stealth capabilities allow operators to remain undetected for months, increasing the damage from persistent espionage.
🛡️ Mitigation
Defenders should implement application whitelisting, restrict PowerShell execution, and deploy EDR rules that flag abnormal process injection (MITRE ATT&CK T1055). Patching Microsoft Office CVEs (CVE‑2017‑11882, CVE‑2018‑0798) and enabling attack surface reduction rules (ASR) for Office macros are critical. CISA’s AA20‑085A provides YARA rules and Snort signatures for network‑level detection.