
RedLeaves RAT Remote Administration Trojan

The Chinese APT (Advanced Persistent Threat) group known as APT10 (aka Stone Panda) has been observed using a relatively new tool in a recently identified campaign targeting MSPs (managed service providers).

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.


Affected platforms

The following platforms are known to be affected:

Threat details

MSPs in various sectors and geographic regions have been targeted using the RedLeaves malware. RedLeaves is believed to have been developed in 2016 and is mostly distributed via malicious attachments in phishing emails.

Once the RedLeaves malware is executed it attempts an HTTP POST request to a command-and-control (C2) server. The data that is posted is encrypted using RC4 in order to make analysis harder. The RC4 key is hard-coded in the malware's configuration, so it provides obfuscation rather than real confidentiality: an analyst who recovers the key from a sample's configuration can decrypt any captured traffic from that sample.

RedLeaves has many RAT-like features, including the capability to execute arbitrary commands, download files, exfiltrate data and act as a proxy.
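To illustrate the point above about the hard-coded RC4 key, the following is an added example and is not code from the original alert or from the malware itself. It implements standard RC4, pulls the body out of a raw HTTP POST as it would be captured from a proxy or packet capture, decrypts it with the key recovered from the sample's configuration, and applies a simple printable-byte heuristic to judge whether the key was right. The key, the beacon text and the raw request are all constructed for the demonstration; they are not real RedLeaves indicators, and the beacon format is an assumption, not the real protocol.

```python
"""Decrypt an RC4-obfuscated HTTP POST body using a key recovered from malware config.

Added example, not code from the original alert. CONFIG_KEY, SAMPLE_PLAINTEXT
and RAW_REQUEST are constructed for this demonstration and are not real
RedLeaves indicators.
"""


def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # pseudo-random generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed key standing in for the value recovered from a sample's configuration.
CONFIG_KEY = b"example-config-key"


def extract_post_body(raw_request: bytes) -> bytes:
    """Split a raw HTTP request into headers and body; only POSTs are of interest here."""
    head, sep, body = raw_request.partition(b"\r\n\r\n")
    if not sep or not head.startswith(b"POST "):
        raise ValueError("not an HTTP POST request")
    return body


def decrypt_post_body(body: bytes, key: bytes = CONFIG_KEY) -> bytes:
    """Strip the RC4 layer from a captured POST body."""
    return rc4(key, body)


def looks_like_plaintext(data: bytes) -> bool:
    """Heuristic: a correct key yields mostly printable ASCII; a wrong key yields noise."""
    if not data:
        return False
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) > 0.9


# Constructed beacon and the request an analyst might see in a proxy log or pcap.
# The field layout is an assumption for the demo, not the real RedLeaves format.
SAMPLE_PLAINTEXT = b"hostname=WS01;user=analyst;os=Windows 7;id=0001"
SAMPLE_POST_BODY = rc4(CONFIG_KEY, SAMPLE_PLAINTEXT)
RAW_REQUEST = (
    b"POST /index.php HTTP/1.1\r\n"
    b"Host: c2.example\r\n"
    b"Content-Type: application/octet-stream\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SAMPLE_POST_BODY)
    + SAMPLE_POST_BODY
)


def recover_beacon(raw_request: bytes, key: bytes = CONFIG_KEY) -> bytes:
    """End-to-end: captured request -> body -> RC4-decrypted beacon, or error if the key is wrong."""
    plaintext = decrypt_post_body(extract_post_body(raw_request), key)
    if not looks_like_plaintext(plaintext):
        raise ValueError("decrypted body is not printable; wrong key or different format")
    return plaintext


if __name__ == "__main__":
    # Known RC4 test vector: key "Key", plaintext "Plaintext" -> bbf316e8d940af0ad3
    assert rc4(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    print(recover_beacon(RAW_REQUEST).decode())
```

Because RC4 is symmetric, the same `rc4` call that decrypts a beacon also re-creates a test capture, which is how `SAMPLE_POST_BODY` is built here; against a real sample, replace `CONFIG_KEY` with the key pulled from that sample's configuration and feed `recover_beacon` the captured request bytes.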


Remediation steps

  • Monitor network and proxy logs for indications of compromise.
  • Never open email attachments or links in emails from untrusted sources.
  • Make sure that malware definitions are kept up to date.

Last edited: 17 February 2020 11:38 am