RedLeaves Description

The hacking group known as Stone Panda, HOGFISH, and APT10 (Advanced Persistent Threat) has been gaining traction again with a new campaign that employs the RedLeaves RAT (Remote Access Trojan). The Stone Panda hacking group is believed to originate from China, and there has been speculation that its harmful activity is sponsored by the Chinese government. APT10 is known for attacks on businesses and government institutions located in Japan and Norway, likely doing the bidding of Chinese officials. The infection vector employed in these campaigns was phishing emails carrying macro-laced Microsoft Office documents. If a victim is tricked into opening the infected document, the macros inside it gain access to the system and launch the RedLeaves RAT.

The RedLeaves Trojan then establishes persistence, but not through the method that is most commonly preferred, the Windows Registry. RedLeaves' components are stored in the %TEMP% folder under random names, and the Trojan gains persistence by adding '.LNK' shortcuts to the 'Startup' directory.
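A defender-side check for the Startup-folder persistence just described, added here as an example and not taken from the original post: it lists every '.LNK' shortcut in the per-user and all-users Startup folders, resolves each one through the WScript.Shell COM object, and flags shortcuts whose target or arguments point into the current user's %TEMP% folder. It assumes a Windows host; the folder paths come from the environment and are not indicators from the post.

```powershell
# Added example (not from the original post): hunt for Startup-folder .LNK
# shortcuts that launch something from %TEMP%, the pattern described above.
# Only the current user's %TEMP% is checked; run once per interactive user.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)
$tempDir = [IO.Path]::GetFullPath($env:TEMP).TrimEnd('\')
$shell   = New-Object -ComObject WScript.Shell

function Test-TempTarget {
    # True when the shortcut's target path resolves to a file under %TEMP%.
    param([string]$Target)
    if ([string]::IsNullOrWhiteSpace($Target)) { return $false }
    $full = [Environment]::ExpandEnvironmentVariables($Target)
    try { $full = [IO.Path]::GetFullPath($full) } catch { return $false }
    return $full.StartsWith($tempDir + '\', [StringComparison]::OrdinalIgnoreCase)
}

function Test-TempArguments {
    # True when the argument string mentions %TEMP% (e.g. a loader script).
    param([string]$Arguments)
    if ([string]::IsNullOrWhiteSpace($Arguments)) { return $false }
    $expanded = [Environment]::ExpandEnvironmentVariables($Arguments)
    return $expanded.IndexOf($tempDir, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

$findings = foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    foreach ($lnk in Get-ChildItem -Path $dir -Filter *.lnk -Force -ErrorAction SilentlyContinue) {
        $sc = $shell.CreateShortcut($lnk.FullName)   # parses the .LNK for us
        [PSCustomObject]@{
            Shortcut   = $lnk.FullName
            Target     = $sc.TargetPath
            Arguments  = $sc.Arguments
            Created    = $lnk.CreationTime
            Suspicious = (Test-TempTarget $sc.TargetPath) -or (Test-TempArguments $sc.Arguments)
        }
    }
}

$findings | Sort-Object Suspicious -Descending | Format-Table -AutoSize
$findings | Where-Object Suspicious | ForEach-Object {
    Write-Warning "Startup shortcut '$($_.Shortcut)' runs '$($_.Target) $($_.Arguments)' from the temp folder"
}
```

A hit is a lead, not a verdict: confirm by checking the target file's hash, signature and creation time before removing the shortcut.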

The next step is connecting to the attackers' C&C (Command & Control) servers. Over this connection, the RedLeaves RAT sends the collected information to the attackers and receives their commands for further action. Do not underestimate the seemingly short list of capabilities that the RedLeaves Trojan sports; they are more than enough to wreak a significant amount of havoc. The RedLeaves RAT can collect information about the hardware and software of the infiltrated machine. It is also capable of downloading and uploading files, executing Windows commands, and browsing and modifying files on the system. Last but not least, the RedLeaves Trojan can take screenshots of the desktop.

It appears that the Stone Panda hacking group is one of the APTs that sometimes 'recycle' their old code, as the RedLeaves RAT shows traces of the same code as the PlugX RAT, another creation of the same ill-minded actors.

The Stone Panda hacking group tends to lay low for months on end, but do not mistake these hibernation periods for a complete halt in activity, as the group always seems to return with a new campaign. You should look into obtaining a legitimate anti-virus suite that would keep your system safe from threats like the RedLeaves RAT.
