On April 27, 2017 the United States Computer Emergency Readiness Team (US-CERT) released alert TA17-117A with information on an emerging sophisticated campaign. The campaign has been active since at least May 2016 and targets organizations in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications and Critical Manufacturing. The threat actors have deployed multiple malware families and variants in their campaign, including PlugX and RedLeaves.
This threat advisory discusses the host and network behavior of RedLeaves malware. In addition, it shows how to leverage the Hunting pack to detect RedLeaves network activity using RSA NetWitness Logs and Packets.
A typical infection scenario starts with a dropper writing a legitimate application (EXE), a malicious DLL, and an encoded DATA file to the user's %TMP% folder.
The screenshot below shows the files dropped by a RedLeaves sample on a victim machine:
It then starts the application. Taking advantage of DLL preloading, the EXE file loads the malicious DLL, which reads, decodes, and then executes the DATA file. It then creates a new process and injects itself into it. Below is a snapshot of the process tree after running the same sample on hybrid-analysis.com:
To ensure that only one instance of the malware is running on an infected system, the malware creates a mutant; in this case it is vv11287GD. To gain persistence on the system, the malware creates a link in the Startup folder pointing to the legitimate application dropped in the %TEMP% folder.
The malware starts beaconing to its C2 server using raw TCP over port 443 as follows:
As explained in the alert issued by US-CERT, the payload follows two 12-byte fixed-length headers. The first header arrives in its own packet; the second header and the payload arrive in a separate packet in the same TCP stream. The first four bytes of the second header (0x3275636b) represent the length of the encrypted and compressed payload (XOR encoded with the first four bytes of the RC4 key), and the second four bytes of the second header (0x3175636b) represent the length of the decrypted and decompressed payload (also XOR encoded with the first four bytes of the RC4 key).
Analyzing the strings in the address space of the injected process (in this case iexplore.exe) suggests that the RC4 key is Lucky123 with a null byte appended:
Here is the decrypted payload:
The malware also sends the same payload along with the second header to the server as an HTTP POST request over port 443:
A list of commands supported by RedLeaves can be found in the report released by the NCC Group Cyber Defence Operations team.
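As an added illustration of the second-header layout and RC4 key described above (this is not code from the advisory or from RSA), the following Python decodes the two masked length fields and RC4-decrypts the body that follows the header. It assumes the page's hex values are shown in wire byte order and that the unmasked lengths are little-endian; the compression layer is left untouched because the page does not name the algorithm, and the sample packet is constructed, not a real capture.

```python
import struct

RC4_KEY = b"Lucky123\x00"  # key recovered from the injected process above (null byte appended)
XOR_MASK = RC4_KEY[:4]      # both length fields are XORed with the first four key bytes

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor4(block: bytes) -> bytes:
    """Apply the 4-byte key-prefix mask (its own inverse)."""
    return bytes(a ^ b for a, b in zip(block, XOR_MASK))

def parse_second_header(header: bytes) -> tuple:
    """Return (encrypted_len, decrypted_len) from the 12-byte second header.
    Assumption: the masked lengths are little-endian; the last 4 bytes are not described."""
    if len(header) != 12:
        raise ValueError("second header must be exactly 12 bytes")
    enc_len = struct.unpack("<I", xor4(header[0:4]))[0]
    dec_len = struct.unpack("<I", xor4(header[4:8]))[0]
    return enc_len, dec_len

def build_second_header(enc_len: int, dec_len: int) -> bytes:
    """Inverse of parse_second_header; the undocumented trailing 4 bytes are zeroed."""
    return xor4(struct.pack("<I", enc_len)) + xor4(struct.pack("<I", dec_len)) + b"\x00" * 4

def decrypt_beacon(second_packet: bytes) -> bytes:
    """Check the advertised length, then RC4-decrypt the body that follows the header.
    The compression layer is not undone here because the page does not name the algorithm."""
    enc_len, _ = parse_second_header(second_packet[:12])
    body = second_packet[12:]
    if len(body) < enc_len:
        raise ValueError(f"truncated body: header says {enc_len} bytes, got {len(body)}")
    return rc4(RC4_KEY, body[:enc_len])

# Constructed sample (not a real capture): the two length words from the page, 4 zero bytes,
# then an RC4-encrypted body of the advertised 126 bytes.
SAMPLE_PLAINTEXT = b"A" * 126
SAMPLE_PACKET = bytes.fromhex("3275636b3175636b00000000") + rc4(RC4_KEY, SAMPLE_PLAINTEXT)
```

Under these assumptions the page's own header words unmask to 126 encrypted and 125 decrypted bytes, which is a useful sanity check when you point the parser at a capture.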
Detection using Hunting Pack
The Hunting pack is designed to allow you to quickly hunt for indicators of compromise or anomalous network activity by dissecting packet traffic within the NetWitness Suite and populating specific meta keys with natural-language values for investigation. For more information on the hunting pack, including how to deploy it in your environment, please refer to the RSA documentation.
The screenshot below shows some of the meta keys registered by the hunting pack for the initial RedLeaves beaconing session. That is the one using a raw TCP connection over port 443:
The session was tagged with different meta values indicating suspicious traffic over SSL port. Here is a description of some of those values:
session size 0-5k: A total session size (request + response payload) between 0KB and 5KB
ratio high transmitted: Between 75% and 100% of the session payload transmitted outbound
Session assumed to be programmatic, nefarious communications
not top 20 dst: org.dst is not one of the most common 20 destinations
outbound traffic with two streams and payload > 0
first carve not dns: outbound traffic with two streams and payload > 0 and not service type 53
The screenshot below shows some of the meta keys registered by the hunting pack for the following RedLeaves beaconing sessions. Those are the ones that use HTTP POST requests over port 443:
The sessions were tagged with different meta values indicating suspicious HTTP traffic over SSL port. Here is a description of some of those values:
watchlist file extension: Any executable extension commonly used with malware, such as .exe, .php, .zip, etc.
http with binary: HTTP with binary data in the body
http suspicious 4 headers: Sessions with only HTTP POST and four HTTP headers
host-header contains port: Host header directly declares a port, such as 'www.example.com:80'
http post no get low header count not flash: An HTTP POST request with fewer than 6 headers and a user-agent that is not 'shockwave flash'
http post no get no referrer directtoip: HTTP session with at least one POST request to an IP address, no GET requests, and no referer
While the network behavior explained above is not unique to RedLeaves malware, the hunting pack can help an analyst identify suspicious traffic in the environment without relying on any network signatures.