
May 9, 2017

Redleaves, in Springtime?


Yellow alert from the US-CERT

Recently we saw the US-CERT issue a “yellow” alert (TA17-117A) related to a sophisticated attack campaign that’s targeting a wide range of verticals, including managed service providers. Yellow alerts are more serious than the color may imply: they “may affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.” No good.

This attack included, as a means of exfiltrating data, the Redleaves malware – which starts out looking like a verified AOL Instant Messenger installer, but includes a custom DLL that allows remote command and control.

Proactive attacking

SafeBreach Labs’ team of researchers responded immediately, by adding Breach Method #1281 (and many more) to our Hacker’s Playbook. These breach methods “simulate” malware used in TA17-117A. This means our customers can safely run this entire kill chain in their production environment, to see if their security controls will stop this attack, break the kill chain, or allow it to succeed.

In short, our customers can test against TA17-117A, before the real attackers do the “testing” for them.

How can that be safe?

I can almost hear you now… “Wait, you expect me to unleash a ‘yellow’ level attack in production?”

Well, hear me out…

The beauty of the SafeBreach platform is that, just like a real adversary, we can step through the entire “kill chain” of attacks – infiltration, lateral movement, and exfiltration. But unlike a real attacker, we don’t break your production network. Our simulators attack and defend only against each other, using real breach methods to test your real production security without infecting hosts, or risking stability.

How do we do it? Well, let’s look at a small component of this most recent attack: The Redleaves malware.

Break it down for me, fellas

What’s Redleaves?

  • At its simplest, it’s a Remote Access Trojan (RAT)
  • In this case, it’s just one part of a sophisticated, multi-staged attack, consisting of multiple malware implants
  • In this attack, it starts with a compromised version of AOL Instant Messenger (how adorable!) that has a legitimate Authenticode signature, despite including a modified DLL
  • This modified DLL provides the foothold for common attack functions
  • Once installed, expect typical Command and Control (C2) behavior: connections are attempted over HTTP, HTTPS, and binary over TCP, to round-robin addresses over four different ports (80, 443, 53, 995)
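
A defender-side illustration of the C2 pattern in that last bullet, added here as an example and not SafeBreach’s code: the netflow-style log format, the sample lines and the thresholds are constructed assumptions. It flags an internal host that spreads TCP connections over a rotating set of destinations across ports 80, 443, 53 and 995, which is the shape a SIEM rule for this traffic would take.

```python
"""Heuristic detector for the Redleaves-style C2 traffic shape described above:
one internal host attempting HTTP / HTTPS / raw-TCP connections to a rotating
set of addresses over ports 80, 443, 53 and 995.

Added example, not SafeBreach's code. The log format is a constructed,
simplified netflow-style line; the thresholds are assumptions to tune locally.
"""
from collections import defaultdict
from typing import List

# The four ports named in the US-CERT description of Redleaves C2 attempts.
REDLEAVES_C2_PORTS = {80, 443, 53, 995}

# Constructed sample log: timestamp src_ip dst_ip dst_port proto bytes_out
SAMPLE_LOG = """\
2017-05-09T10:00:01Z 10.0.0.15 198.51.100.7 80 tcp 1840
2017-05-09T10:00:03Z 10.0.0.15 198.51.100.9 443 tcp 1840
2017-05-09T10:00:05Z 10.0.0.15 203.0.113.4 53 tcp 1840
2017-05-09T10:00:07Z 10.0.0.15 203.0.113.4 995 tcp 1840
2017-05-09T10:00:09Z 10.0.0.15 198.51.100.7 80 tcp 1840
2017-05-09T10:01:00Z 10.0.0.22 192.0.2.10 443 tcp 5200
2017-05-09T10:01:02Z 10.0.0.22 192.0.2.11 443 tcp 4100
2017-05-09T10:02:00Z 10.0.0.31 10.0.0.2 53 udp 72
"""


def parse_log(text: str) -> List[dict]:
    """Parse the constructed whitespace-separated flow format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": int(port), "proto": proto, "bytes": int(nbytes)})
    return records


def find_round_robin_c2(records, min_ports=3, min_dsts=2):
    """Flag source hosts that spread TCP connections across >= min_ports of the
    Redleaves port set and >= min_dsts distinct destinations.

    Ordinary browsing only touches 80/443, so requiring a third port (53 or 995
    over TCP) keeps the false-positive rate down; UDP/53 (real DNS) is ignored.
    Returns {src_ip: {"ports": [...], "dsts": [...]}} for each flagged host.
    """
    per_src = defaultdict(lambda: {"ports": set(), "dsts": set()})
    for r in records:
        if r["proto"] != "tcp" or r["port"] not in REDLEAVES_C2_PORTS:
            continue
        per_src[r["src"]]["ports"].add(r["port"])
        per_src[r["src"]]["dsts"].add(r["dst"])

    findings = {}
    for src, seen in per_src.items():
        if len(seen["ports"]) >= min_ports and len(seen["dsts"]) >= min_dsts:
            findings[src] = {"ports": sorted(seen["ports"]),
                             "dsts": sorted(seen["dsts"])}
    return findings


if __name__ == "__main__":
    for src, info in find_round_robin_c2(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: ports {info['ports']} -> destinations {info['dsts']}")
```

On the sample data only 10.0.0.15 is flagged: 10.0.0.22 talks to two hosts but only on 443, and 10.0.0.31 is doing normal UDP DNS. The rule matches a traffic shape, not Redleaves itself, so a hit is a lead for triage (which process opened TCP/53 and TCP/995 from a workstation?) rather than a verdict, and the thresholds should be tuned against your own baseline.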

Now, depending on what the malware is asked to do, the damage from this attack can expand rapidly. It can execute remote code, take screenshots, steal and send admin credentials, drop other payloads – it’s quite the smorgasbord of threats. And it’s only one component of this sophisticated attack.

Attacking for good

Our team of researchers has broken down every step of this attack – the variables, the protocols, the payloads, you name it – and can execute the same breach methods. We do this safely between simulators, so we can validate security controls, without actually pwning your hosts.

Since the breach methods run in your real environment, they are either blocked (hopefully) or find a way around (often), just like a real attack. Your security systems are actually tested. Your SIEM actually fires off (or not, if it needs further configuring). You see exactly where you may be vulnerable, and know where you need to update policy or change config to break the kill chain – just like you do when you go to remediate a real attack.

…Except with SafeBreach, you don’t have to worry that you’re introducing real attacks, or talking to real C2.

With SafeBreach, you are your own best adversary. Fully powerful, and completely safe.
