Red Leaves malware analysis

Ahmed Zaki, David Cannings
April, 2017
PDF Project Signatures

Abstract

This technical note discusses a relatively undocumented implant used by the APT10 group. This is named “Red Leaves” after strings found in the malware. The sample discussed was found during an incident response engagement in March 2017. The earliest evidence obtained shows it has been in use since at least November 2016.

Type
Report
Publication
By NCC Group
Apt Malware
David Cannings
David Cannings
Cyber Security

My interests include computer security, digital electronics and writing tools to help analysis of cyber attacks.