Ahmed Sonbol

Hunting pack use case: RedLeaves malware

Blog Post created by Ahmed Sonbol Employee on May 3, 2017

On April 27, 2017 The United States Computer Emergency Readiness Team (US-CERT) released an alert TA17-117A [1] with information on an emerging sophisticated campaign. The campaign has been active since at least May 2016 and targets organization in several sectors, including Information Technology, Energy, Healthcare and Public Health, Communications and Critical Manufacturing. The threat actors have deployed multiple malware families and variants in their campaign including PlugX and RedLeaves.


This threat advisory discusses the host and network behavior of RedLeaves malware. In addition, it shows how to leverage the Hunting pack to detect RedLeaves network activity using RSA NetWitness Logs and Packets.


A typical infection scenario starts with a dropper dropping a legitimate application (EXE), a malicious DLL, and an encoded DATA file in the user %TMP% folder [2].


The screenshot below shows the files dropped by a RedLeaves sample on a victim machine [3]:




obedience.exe aba4df64717462c61801d737c9fa20a7fada61539eaef50954331d31f7306d27
StarBurn.dll adb72a24429441f743bd2b1a9c0116ae9a1e7b217e047849d70ca1e9054dbdb6
handkerchief.dat 773b176b3a68c3d21fae907af8fba7908b55726bd591c5335c8c0bc9de179b76


It then starts the application. Taking advantage of DLL preloading, the EXE file loads the malicious DLL, which reads, decodes, and then executes the DATA file. It then creates a new process and injects itself into it. Below is a snapshot of the process tree after running the same sample on hybrid-analysis.com [4]:



To ensure that one instance of the malware is running on an infected system, the malware creates a mutant. In this case, it is vv11287GD. To gain persistency on the system, the malware creates a link in the Startup folder pointing to the legitimate application dropped in the %TEMP% folder.


The malware starts beaconing to its C2 server using raw TCP over port 443 as follows:



As explained in the alert issued by US-CERT, the payload follows two 12-bytes fixed length headers. The first header comes in its own packet, the second header and the payload in a separate packet in the same TCP stream. The first four bytes of the second header (0x3275636b) represent the length of the encrypted and compressed payload (XOR encoded with the first four bytes of the RC4 key), the second four bytes of the second header (0x3175636b) represent the length of the decrypted and decompressed payload (XOR encoded with the first four bytes of the RC4 key).


Analyzing the strings in the address space of the injected process; in this case iexplore.exe; suggests that the RC4 key is Lucky123 with null byte appended:



Here is the decrypted payload:



The malware also sends the same payload along with the second header to the server as an HTTP POST request over port 443:



A list of commands supported by RedLeaves can be found in the report released by the NCC Group Cyber Defence Operations team [5].


Detection using Hunting Pack


The Hunting pack is designed to allow you to quickly hunt for indicators of compromise or anomalous network activity by dissecting packet traffic within the NetWitness Suite and populating specific meta keys with natural language values for investigation. For more information on the hunting pack including how to deploy it in your environment, please refer to RSA documentation [6].


The screenshot below shows some of the meta keys registered by the hunting pack for the initial RedLeaves beaconing session. That is the one using a raw TCP connection over port 443:



The session was tagged with different meta values indicating suspicious traffic over SSL port. Here is a description of some of those values:

Meta ValueDescription
session size 0-5k

A total session size, request + response payload, between 0KB and 5KB

ratio high transmitted

Between 75% and 100% of the session payload transmitted outbound

potential beacon

Session assumed to be programmatic, nefarious communications

not top 20 dst

org.dst is not one of the most common 20 destinations

first carve

outbound traffic with two streams and payload > 0

first carve not dns   outbound traffic with two streams and payload > 0 and not service type 53


The screenshot below shows some of the meta keys registered by the hunting pack for the following RedLeaves beaconing sessions. Those are the ones that use HTTP POST requests over port 443:



The sessions were tagged with different meta values indicating suspicious HTTP traffic over SSL port. Here is a description of some of those values:

Meta ValueDescription
watchlist file extension

Any executable extension commonly used with malware like .exe, .php, .zip, etc

http with binary

HTTP with binary data in the body

http suspicious 4 headers

Sessions with only HTTP POST and four HTTP headers

host-header contains port

Host header directly declares a port such as 'www.example.com:80'

http post no get low header count not flash

An HTTP POST request with less than 6 Headers and the user-agent is not ‘shockwave flash’

http post no get no referrer directtoip

HTTP session with at least one POST request to an IP address, no GET requests, and no referer


While the network behavior explained earlier is not unique to RedLeaves malware, the hunting pack can help an analyst in identifying suspicious traffic in the environment without relying on any network signatures.



  1. https://www.us-cert.gov/ncas/alerts/TA17-117A
  2. http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html
  3. https://www.virustotal.com/en/file/5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481/analysis/
  4. https://www.hybrid-analysis.com/sample/5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481?environmentId=100
  5. https://github.com/nccgroup/Cyber-Defence/blob/master/Technical%20Notes/Red%20Leaves/Source/Red%20Leaves%20technical%20note%20v1.0.md
  6. https://community.rsa.com/docs/DOC-62341