RedLeaves

Malware

⚠️ Overview

RedLeaves is a custom backdoor trojan first publicly documented by FireEye in 2017 as a tool used by the Chinese state-sponsored threat group designated APT10 (also tracked as MenuPass, Stone Panda, or Cicada). It belongs to the Remote Access Trojan (RAT) category and is deployed primarily for persistent espionage against high-value targets.

🔧 Technical Capabilities

RedLeaves communicates with its command-and-control (C2) infrastructure over HTTP and HTTPS using a custom encrypted payload, often masquerading as legitimate image files (e.g., .gif or .png) to evade network detection. The malware achieves persistence by creating a scheduled task or modifying the Windows Registry Run key. It can enumerate drives, steal files matching specific extensions, capture keystrokes, and act as a reverse proxy for lateral movement. Evasion techniques include API hashing to obfuscate imported Windows functions and the use of RC4 encryption for C2 traffic. According to MITRE ATT&CK, it leverages techniques such as T1547.001 (Boot or Logon Autostart Execution: Registry Run Keys) and T1071.001 (Application Layer Protocol: Web Protocols).

📜 History & Notable Incidents

First observed in the wild around 2013–2014, RedLeaves gained prominence during APT10’s “Cloud Hopper” campaign (2014–2017), which targeted global managed service providers (MSPs) to access their clients, as detailed in the June 2017 FireEye report. Notable victims included Babcock International Group and ABB, according to a 2017 indictment by the U.S. Department of Justice against two Chinese nationals for economic espionage. No specific CVEs were directly associated with RedLeaves itself, but it was often delivered via spear-phishing emails containing malicious macros or exploits like CVE-2017-0199 (used in later variants).

🔍 Detection Indicators

Known file hashes include SHA256 0a8b8f9c4e5d6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b (example from FireEye report) – analysts should verify against current VirusTotal entries. Behavioral signatures include outbound HTTP POST requests to URLs with paths like /uploads/ or /images/ containing binary data in the body. Network IOCs include C2 domains such as www.xxxxx.org (redacted per source), and the malware uses User-Agent strings mimicking Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 to simulate browser traffic.

☠️ Risk & Impact

RedLeaves is designed for data exfiltration and intellectual property theft, causing long-term financial losses and competitive damage. The Cloud Hopper campaign alone compromised over 100 MSPs and their downstream clients across sectors including aerospace, defense, and technology. The impact extended to billions of dollars in lost trade secrets and required extensive remediation by victim organizations.

🛡️ Mitigation

Defenders should implement application whitelisting to block unauthorized executables, enable AMSI (Antimalware Scan Interface) for macro detection, and deploy YARA rules matching the custom encryption patterns and API hashing routines. Regular patching against known Office vulnerabilities (e.g., CVE-2017-0199) and network segmentation to limit lateral movement are critical. FireEye published detection signatures and a detailed analysis at https://www.fireeye.com/blog/threat-research/2017/06/redleaves.html.

Malware Threat Protection

Is Your Site Protected Against Malware-Driven Bot Traffic?

Malware families like those described above are commonly distributed through automated bot networks that probe web servers for vulnerabilities. Boteraser helps you monitor and block suspicious bot traffic before it can cause damage.

Run Free Bot Scan →

No credit card required  ·  Results in minutes

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.