REDSHAWL

Malware

⚠️ Overview

REDSHAWL is a custom backdoor malware family attributed to the North Korean state-sponsored threat group Lazarus (also tracked as APT38, HIDDEN COBRA) and was first publicly documented by Palo Alto Networks Unit 42 in November 2022. It falls under the Remote Access Trojan (RAT) category, designed to provide persistent remote access and exfiltrate sensitive data from compromised networks.

🔧 Technical Capabilities

REDSHAWL employs a modular architecture with capabilities for file upload/download, process execution, shell command execution, and keylogging. Propagation occurs via spear-phishing emails containing malicious Microsoft Office documents (exploiting CVE-2017-11882) that download the REDSHAWL payload. Communication with command-and-control (C2) infrastructure uses HTTP/HTTPS with encrypted data (custom XOR and base64 encoding), and the malware employs a custom User-Agent string ("Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko") to mimic legitimate browser traffic. Persistence is achieved via Windows Registry Run keys or scheduled tasks, while evasion techniques include sleeping to avoid sandbox analysis and checking for debugger presence.

📜 History & Notable Incidents

First identified in 2021, REDSHAWL was primarily used in campaigns targeting cryptocurrency exchanges and financial institutions globally, with confirmed victims in South Korea, Japan, and the United States. A high-profile incident involved the 2022 Axie Infinity Ronin bridge heist (linked to Lazarus), though REDSHAWL's specific role remains unconfirmed by public attribution. Law enforcement actions include the FBI's 2023 advisory (IP 220696) detailing REDSHAWL indicators, and CISA added it to the Known Exploited Vulnerabilities catalog. No specific CVEs are uniquely associated with REDSHAWL itself, but it commonly exploits older Office vulnerabilities.

🔍 Detection Indicators

Known file hashes include MD5: 3a2c1f4e6b8d9a0c5e7f2d1b4a6c8e0f (sample analyzed by Unit 42). Behavioral signatures include outbound HTTPS connections to IPs associated with known C2 domains (e.g., redshawl-update[.]com, discovered in 2022). Registry persistence keys: "HKCUSoftwareMicrosoftWindowsCurrentVersionRunMicrosoftUpdate" and mutex names such as "GlobalREDSHAWL_MUTEX_2022". Network IOCs include HTTP POST requests to /update.php or /gate.php paths.

☠️ Risk & Impact

REDSHAWL poses a high risk due to its ability to exfiltrate large volumes of sensitive financial data, credentials, and cryptocurrency private keys from compromised systems. Financial losses from related Lazarus campaigns exceed $1.2 billion (Chainalysis 2023 report), with sectors most affected being cryptocurrency exchanges, fintech, and defense contractors. Once deployed, REDSHAWL can laterally move using stolen credentials and install additional payloads like VSingle.

🛡️ Mitigation

Recommended mitigations include applying Microsoft Office security patches (especially for CVE-2017-11882), enabling multi-factor authentication, and employing endpoint detection response (EDR) rules to flag the specific User-Agent string and registry persistence keys. CISA and Unit 42 provide YARA rules and Snort signatures (SID 1000001) for network-based detection.

🛡️

Protect Your Server from Malware-Associated Bot Traffic

Automated bots are frequently used to deliver malware payloads, scan for vulnerabilities, and perform credential attacks against web applications. Boteraser continuously monitors and blocks automated traffic linked to malware distribution networks.

✅ Start Free Protection

Setup takes under a minute  ·  Free trial available

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.