RedLeaves
RedLeaves is a Windows remote administration Trojan/backdoor, also tracked as BUGJUICE. It is associated most notably with APT10/MenuPass and more broadly with multiple China-nexus threat actors. Cited reporting links RedLeaves to Chinese cyber-espionage activity targeting Japanese defense organizations, global IT service providers and their customers, and sectors including information technology, energy, healthcare, communications, critical manufacturing, aerospace, defense, government, technology, telecommunications, and manufacturing. More recent reporting also notes its use by, or overlap with, activity tracked as UAT-7290, a China-linked actor targeting telecommunications providers in South Asia and Southeastern Europe.
The malware is a feature-rich backdoor with capabilities including system enumeration, remote shell access, tunneling and reverse proxying of traffic, downloading and executing files, file discovery, drive enumeration, data exfiltration, screenshot capture, deletion of specified files, collection of browser usernames and passwords, and obtaining information about the logged-on user locally and through Remote Desktop sessions. One report describes it as a Visual C++ RAT that compresses outbound data with LZO and encrypts command-and-control traffic with RC4. The RC4 key varies between samples: "john1234" (with a null byte appended in one analyzed sample) and the previously observed keys "88888888" and "babybear". When decoding captured traffic the trailing null byte must be kept, because RC4 schedules the key byte by byte and "john1234" and "john1234\0" therefore produce different keystreams.
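The following block is an added example, not code from any of the cited reports, showing why the null-terminated key variant matters when decoding RedLeaves RC4 traffic. It implements textbook RC4, tries each key reported for the family against a blob, and picks the key whose output looks like text. The "capture" is constructed here by encrypting a made-up beacon with the null-terminated key, so it runs offline; LZO decompression of the decrypted body is not included.

```python
"""RC4 decoding of RedLeaves-style C2 data with the keys reported for the family.

Added example (not the malware's code, not code from the cited reports).
The capture below is constructed by encrypting a made-up beacon so that the
block runs offline.
"""
import string

# RC4 keys reported for RedLeaves. The null byte matters: RC4 schedules the key
# byte by byte, so b"john1234" and b"john1234\x00" yield different keystreams.
CANDIDATE_KEYS = [b"john1234", b"john1234\x00", b"88888888", b"babybear"]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


PRINTABLE = set(string.printable.encode())


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are ASCII printable; ~0.39 for random bytes."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def guess_key(ciphertext: bytes, candidates=CANDIDATE_KEYS, threshold=0.9):
    """Return the candidate key whose RC4 output looks like text, else None.

    This assumes the decrypted body is text-like (e.g. a host enumeration
    beacon). An LZO-compressed body would need a different scoring function.
    """
    best_key, best_score = None, 0.0
    for key in candidates:
        score = printable_ratio(rc4_crypt(key, ciphertext))
        if score > best_score:
            best_key, best_score = key, score
    return best_key if best_score >= threshold else None


# Constructed beacon body and "capture" (not real RedLeaves traffic).
SAMPLE_PLAINTEXT = b"hostname=WS-0042;user=alice;os=Windows 7 SP1;id=7f3a"
SAMPLE_CAPTURE = rc4_crypt(b"john1234\x00", SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    key = guess_key(SAMPLE_CAPTURE)
    print("recovered key:", key)
    print("decrypted    :", rc4_crypt(key, SAMPLE_CAPTURE))
    print("wrong variant:", rc4_crypt(b"john1234", SAMPLE_CAPTURE)[:16])
```

Run it directly to see the null-terminated key recover the beacon while the eight-byte variant yields noise; the same routine can be pointed at a real payload extracted from a PCAP once the protocol framing has been stripped.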
Execution and persistence commonly rely on DLL side-loading (DLL search order hijacking). Reporting describes RedLeaves being launched by executing a benign file that loads a malicious DLL, including an observed chain involving VeetlePlayer.exe, a malicious libvlc.dll loader, and an encoded payload file named mtcReport.ktc. In the analyzed execution flow, shellcode created a suspended svchost.exe process, wrote the implant into it with WriteProcessMemory, and resumed the process. The injected implant carries deliberately damaged MZ and PE headers (see the analysis quoted under Privilege Escalation below), which hampers memory scanners and carving tools that expect intact PE headers. Observed mutexes include RedLeavesCMDSimulatorMutex and QN4869MD.
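The block below is an added example (not from the cited reports) of how the side-load and injection chain above can be hunted in Sysmon-style telemetry. The event records are constructed to mirror Sysmon fields (EventID 1 ProcessCreate, 7 ImageLoad, 17 PipeCreated) with made-up hosts and paths; the named pipe \\.\pipe\NamePipe_MoreWindows comes from the source snippet quoted under Execution below. The services.exe allowlist for svchost.exe parents is a hunting heuristic, not something the reports state.

```python
"""Hunting the RedLeaves VeetlePlayer.exe / libvlc.dll side-load chain.

Added example, not code from the cited reports. SAMPLE_EVENTS are constructed
records shaped like Sysmon events; hostnames, paths and users are made up.
"""
from pathlib import PureWindowsPath

# Legitimate svchost.exe instances are spawned by services.exe; anything else
# as the parent is a hunting lead (heuristic, extend the allowlist as needed).
SVCHOST_PARENT_ALLOWLIST = {"services.exe"}
REDLEAVES_PIPE = "NamePipe_MoreWindows"   # from the RedLeavesCMDSimulator snippet

SAMPLE_EVENTS = [
    # benign: svchost from services.exe
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    # benign: real VLC loading its own libvlc.dll from Program Files
    {"EventID": 7, "Image": r"C:\Program Files\VideoLAN\VLC\vlc.exe",
     "ImageLoaded": r"C:\Program Files\VideoLAN\VLC\libvlc.dll"},
    # suspicious: VeetlePlayer.exe in a user-writable directory loading libvlc.dll
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\VeetlePlayer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\libvlc.dll"},
    # suspicious: svchost.exe whose parent is the media player, not services.exe
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\VeetlePlayer.exe",
     "CommandLine": "svchost.exe"},
    # suspicious: the command-simulator pipe created inside the injected svchost
    {"EventID": 17, "Image": r"C:\Windows\System32\svchost.exe",
     "PipeName": r"\NamePipe_MoreWindows"},
]


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _in_program_files(path: str) -> bool:
    return path.lower().startswith((r"c:\program files", r"c:\program files (x86)"))


def hunt(events):
    """Return a list of {rule, image, detail} alerts for the events given."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 7 and _name(ev["Image"]) == "veetleplayer.exe" \
                and _name(ev["ImageLoaded"]) == "libvlc.dll" \
                and not _in_program_files(ev["ImageLoaded"]):
            alerts.append({"rule": "veetle_libvlc_sideload",
                           "image": ev["Image"], "detail": ev["ImageLoaded"]})
        elif eid == 1 and _name(ev["Image"]) == "svchost.exe" \
                and _name(ev["ParentImage"]) not in SVCHOST_PARENT_ALLOWLIST:
            alerts.append({"rule": "svchost_unexpected_parent",
                           "image": ev["Image"], "detail": ev["ParentImage"]})
        elif eid in (17, 18) and ev.get("PipeName", "").endswith(REDLEAVES_PIPE):
            alerts.append({"rule": "redleaves_named_pipe",
                           "image": ev["Image"], "detail": ev["PipeName"]})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a['rule']:28s} {a['image']}  <-  {a['detail']}")
```

The three rules fire on different stages of the chain (load of the malicious DLL, the hollowed svchost.exe, the implant's pipe), so a host that trips two of them is a strong candidate for memory acquisition even though the injected image has damaged headers.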
For command and control, RedLeaves has been observed communicating over TCP port 443 without SSL/TLS, a port/protocol mismatch: traffic on a port that normally carries HTTPS but does not begin with a TLS handshake. It can also use a custom binary protocol and, if directed by C2, HTTP or HTTPS. A hard-coded C2 domain noted in reporting is windowsupdates.dnset.com, consistent with the reported pattern of domains that spoof Windows Update sites and resolve through dynamic DNS services. Defenders are advised to look for plaintext HTTP or other non-TLS traffic over port 443 as a possible indicator; because some legitimate services also run non-TLS protocols on 443, such hits need triage rather than automatic blocking.
CrowdStrike found that RedLeaves samples used against Japanese defense groups were directly sourced from Trochilus code, while noting there was no conclusive evidence that RedLeaves was solely attributable to STONE PANDA/APT10. High-confidence aliases: RedLeaves, BUGJUICE.
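The block below is an added example (not from the cited reports) of the port/protocol mismatch check described above: it classifies the first payload bytes of each TCP flow to port 443 as a TLS handshake, plaintext HTTP, or other binary, and reports the non-TLS ones. The flow records are constructed; the Host header reuses the domain named in the text, but the addresses and bytes are made up.

```python
"""Flag TCP/443 flows that do not start with a TLS handshake.

Added example, not code from the cited reports. SAMPLE_FLOWS are constructed
records (first payload bytes of each client-to-server flow); only the domain
in the Host header is taken from the text above.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ", b"DELETE ")


def classify_payload(first_bytes: bytes) -> str:
    """Classify the start of a client payload.

    A TLS record begins with content type 0x16 (handshake) followed by the
    record-layer version 0x03 0x00..0x04. SSLv2-compatible hellos (first byte
    0x80) are not treated as TLS here; adjust if you see them in your traffic.
    """
    if (len(first_bytes) >= 3 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[2] <= 0x04):
        return "tls"
    if first_bytes.startswith(HTTP_METHODS):
        return "plaintext-http"
    return "non-tls-binary"


SAMPLE_FLOWS = [
    # benign: TLS 1.2 ClientHello record header
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443,
     "payload": bytes.fromhex("160303009c0100009803035a")},
    # suspicious: plaintext HTTP POST on 443, the indicator called out in reporting
    {"src": "10.0.0.7", "dst": "203.0.113.22", "dport": 443,
     "payload": b"POST /index.php HTTP/1.1\r\nHost: windowsupdates.dnset.com\r\n"},
    # suspicious: custom binary protocol on 443 (constructed bytes)
    {"src": "10.0.0.9", "dst": "198.51.100.4", "dport": 443,
     "payload": bytes.fromhex("8f21a0c4000000400df3")},
    # not in scope: plain HTTP on its usual port
    {"src": "10.0.0.9", "dst": "198.51.100.8", "dport": 80,
     "payload": b"GET / HTTP/1.1\r\nHost: example.test\r\n"},
]


def find_port_protocol_mismatch(flows, ports=(443,)):
    """Return flows to the given ports whose payload is not a TLS handshake."""
    findings = []
    for flow in flows:
        if flow["dport"] not in ports:
            continue
        kind = classify_payload(flow["payload"])
        if kind != "tls":
            findings.append({"src": flow["src"], "dst": flow["dst"],
                             "dport": flow["dport"], "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_port_protocol_mismatch(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['dport']}  {f['kind']}")
```

In production the same classification is usually obtained from a sensor that already fingerprints protocols (for example a Zeek conn.log where the service field is empty or http on port 443); the value of the check is the mismatch itself, and the hits still need triage because VPNs and other legitimate services sometimes use 443 without TLS.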
Groups observed using it
4 distinct threat actors attributed by public researchers.
Falcon Intelligence recently independently conducted detailed analysis of the RedLeaves malware used to target numerous Japanese defense groups and found it was directly sourced from Trochilus code
UAT-7290 primarily leverages a Linux based malware suite but may also utilize Windows based bespoke implants such as RedLeaves ... commonly linked to China-nexus threat actors.
Tools: QuasarRAT, RedLeaves, PoisonIvy, ChChes, QuasarRAT Loader, PlugX, ANEL, Cobalt Strike
Some of the notable Windows implants ... include RedLeaves (aka BUGJUICE) and ShadowPad
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates... User impersonation via compromised credentials is the primary mechanism used by the adversary.
It prioritizes initial access to edge networking devices... Mitigation Harden edge networking devices by eliminating default credentials, restricting management exposure, and rapidly patching known one-day vulnerabilities.
Often deployed via spear phishing, they are lightweight, have particular capabilities and are designed to facilitate system identification and lateral movement.
Execution (4 techniques)
Baobeilong (宝贝龙/”Baby Dragon”) also maintained a GitHub account that had forked both the Quasar and Trochilus RATs, two open-source tools historically used by STONE PANDA... Falcon Intelligence recently independently conducted detailed analysis of the RedLeaves malware... found it was directly sourced from Trochilus code
Sources repeatedly describe use of cmd.exe, cmd /c, the Windows command shell, and xp_cmdshell to execute commands, run payloads, launch binaries, and perform reconnaissance, persistence, cleanup, and ransomware actions. Examples include 'Sandworm Team used the xp_cmdshell command in MS-SQL', 'APT41 used cmd.exe /c to execute commands on remote machines', and many malware families that 'can use cmd.exe to execute commands on a compromised host.'
Many entries explicitly state that malware 'can create a reverse shell' or 'launch a remote shell', including 4H RAT, AuditCred, BLACKCOFFEE, Carbanak, DarkComet, Exaramel for Windows, PlugX, QuasarRAT, and ZxShell.
Start up a so called "RedLeavesCMDSimulator" - a console session that will accept commands from the memory pipe \\.\pipe\NamePipe_MoreWindows.
Persistence (3 techniques)
According to preliminary analysis, threat actors appear to be leveraging stolen administrative credentials (local and domain) and certificates... User impersonation via compromised credentials is the primary mechanism used by the adversary.
Sources repeatedly describe malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, .lnk files, or .bat files in the Windows Startup folder.
Multiple entries describe creating .lnk shortcuts in Startup folders, such as BACKSPACE creating a shortcut to itself in the CSIDL_STARTUP directory, DarkGate creating an LNK object in the victim startup folder, and Operation Dream Job placing LNK files into victims' startup folder.
Privilege Escalation (4 techniques)
The shellcode then activates a new instance of svchost.exe and suspends it. It then makes a call to WriteProcessMemory() and inserts the implant with the damaged MZ and PE headers into its memory space. It then resumes execution of svchost.exe, which runs the implant.
The stolen-credential and Run-key/Startup-folder evidence listed under Persistence above is cited for this tactic as well.
Stealth (6 techniques)
Sources repeatedly describe payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.
Many of these domains spoof legitimate sites and content, with a particular focus on spoofing Windows update sites.
The suspended-svchost.exe injection chain quoted under Privilege Escalation above is cited for this tactic as well.
Sources repeatedly describe threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
Credential Access (2 techniques)
ChChes targets the credentials stored inside Internet Explorer
Sources repeatedly describe threat actors and malware stealing usernames, passwords, cookies, session tokens, and other saved credentials from web browsers such as Chrome, Firefox, Internet Explorer, Edge, Opera, Safari, and Yandex.
Discovery (4 techniques)
Sources repeatedly describe actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
Sources repeatedly describe malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
Sources repeatedly describe malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
BUGJUICE... has the capability to find files, enumerate drives, exfiltrate data...
Collection (1 technique)
Command and Control (6 techniques)
Network activity is often seen as POST requests... Even though the beacon went to port 443... this traffic was plaintext HTTP, as is common for this variant of PLUGX.
Sources repeatedly describe threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
Download a file from a specified URL, and save it under a specified filename;
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
Most of the known domains leverage dynamic DNS services, and this pattern adds to the complexity of tracking this activity.
Command and Control (C2) primarily occurs using RC4 cipher communications over port 443 to domains that change IP addresses.
Exfiltration (1 technique)
BUGJUICE... has the capability to... exfiltrate data... The tactic also serves to mask malicious C2 and exfiltration traffic and make it appear innocuous.
Recent activity
A Windows payload included in UAT-7290's toolset.
China-linked Windows payload used by UAT-7290 in intrusions.
Windows-based bespoke implant commonly linked to China-nexus threat actors.
A Windows implant malware family attributed in the content to APT10 and observed with technical indicator overlap in UAT-7290 activity.