
RedLeaves

Posted: June 24, 2019

RedLeaves is a Remote Access Trojan that updates the Trochilus RAT. Its attacks open a backdoor on infected PCs that lets threat actors control your files, download other Trojans or collect information. Keep anti-malware programs available for eliminating RedLeaves and scrutinize suspicious e-mail content for attempted attacks.

The Leaves Drifting Towards PCs Year After Year

'Freeware' programs can be gifts that keep on giving, and they are as useful a resource for criminals as for legitimate coders. A variant of the GitHub-hosted Trochilus RAT, RedLeaves, shows how long the impact can linger: the first analyses of the threat came in 2016, but it has remained an active threat since then, including a notable campaign against Japanese targets in 2018. Its payload is a well-cultivated combination of data-collecting and system-controlling features that make it a likely choice for an early foothold on an individual computer or a broader network.

Although a large part of RedLeaves's code is copied from the Trochilus RAT, its updates include other structural changes implying that the threat actors administering it, HOGFISH or APT 10, are also borrowing techniques from PlugX, a family of backdoor Trojans. All variants of RedLeaves that malware experts have available share a common loading technique: a digitally signed, 'safe' program is run to load a DLL, which then launches RedLeaves by injecting it into an Internet Explorer process.

After the memory injection and establishing its persistence, RedLeaves communicates via HTTP with its C&C server and accepts commands from its admins. These features are invasive but pedestrian for RATs of its type, and include:

  • Shell commands.
  • Downloading, uploading, and performing miscellaneous operations on files.
  • Re-configuring its Command & Control contact method.
  • Providing information about the system or its drives to the admin.
  • Taking screenshots.

New versions of RedLeaves also have expanded data-collecting features and may exfiltrate credentials, such as passwords, from the user's Web browsers.

Sweeping Up the RedLeaves

RedLeaves infection strategies are often the ones traditional for Trojan campaigns targeting the business sector, such as e-mail attachments. Victims may find that the attached files carry topics relevant to their sector or general-interest themes like tax information, written in regionally appropriate language. Some of these attacks use macros or other 'advanced content' triggers that users can avoid activating even after they open the corrupted document.

While modern versions of Microsoft Office leave macro features inactive by default, users should still patch their productivity software to remove other vulnerabilities that could enable remote code execution. Scanning incoming downloads from unconfirmed sources should give most anti-malware brands sufficient opportunity to identify RedLeaves's Trojan droppers and block the threat before infection occurs. After an infection, malware experts point to an unexpected Internet Explorer process in memory or an LNK file in the Startup folder as significant symptoms.
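The two post-infection symptoms named above can be collected for analyst review with a short triage script. This is an added example, not code from the original article or from any RedLeaves analysis; it assumes it runs on the Windows host under investigation with rights to query other users' processes, and that Internet Explorer's image name is iexplore.exe.

```powershell
# Added triage example (not from the original article). Lists Startup-folder
# shortcuts with their resolved targets, and Internet Explorer processes whose
# parent is neither explorer.exe (a user launch) nor another iexplore.exe (IE's
# own tab processes), for manual review.

function Get-StartupLnkTargets {
    # Resolve every .lnk in the per-user and all-users Startup folders.
    $folders = @(
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
    )
    $shell = New-Object -ComObject WScript.Shell
    foreach ($folder in $folders) {
        Get-ChildItem -Path $folder -Filter '*.lnk' -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                [PSCustomObject]@{
                    Shortcut  = $_.FullName
                    Target    = $lnk.TargetPath
                    Arguments = $lnk.Arguments
                    Created   = $_.CreationTime
                }
            }
    }
}

function Get-SuspiciousIEProcesses {
    # An iexplore.exe whose parent is some other program (or has already exited,
    # leaving ParentName empty) is worth a closer look, per the symptoms above.
    Get-CimInstance Win32_Process -Filter "Name = 'iexplore.exe'" | ForEach-Object {
        $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        [PSCustomObject]@{
            Pid         = $_.ProcessId
            Path        = $_.ExecutablePath
            CommandLine = $_.CommandLine
            ParentPid   = $_.ParentProcessId
            ParentName  = $parent.Name
            ParentPath  = $parent.ExecutablePath
        }
    } | Where-Object { $_.ParentName -notin @('explorer.exe', 'iexplore.exe') }
}

Get-StartupLnkTargets | Format-Table -AutoSize
Get-SuspiciousIEProcesses | Format-List
```

Shortcut targets outside the usual program directories, or IE instances started by an unfamiliar parent, are the items to compare against the host's known software before deciding on containment.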

Contaminated systems should have their network connections, and therefore RedLeaves's contact with its server, cut as soon as possible. As usual, updated anti-malware services should remove RedLeaves safely while scanning the system.

The HOGFISH or Stone Panda threat actors learn a lot from where their leaves fall, even though RedLeaves is a mostly recycled program. Regular maintenance and updates can do a lot for backdoor Trojans, just as they can serve equally well for strengthening any network's security.
