In the dark cyberspace, APT10, Cloud Hopper, PlugX & RedLeaves, MenuPass are common names for a nation state threat actor compromising US, EU, and Japan enterprises. Within this unique engagement the LIFARS Incident Response Team performed incident response and digital forensic investigation of an attack upon a global medical manufacturing firm. The teams initial focus is on RedLeaves and PlugX, a malware payload utilized by a China based threat actor APT10, also known as menuPass team, Red Apollo, and Stone Panda. This threat actor is known to use several remote access tools, to imitate signatures or properties of a legitimate Microsoft file, and Microsoft Office documents that contain malicious codes that exploit system vulnerabilities. Threat actor attacks system providers, the largest data center providers on the planet, and ex-filtrates data via robocopy, scp, and archive files inside of the recycle bins. Systems are very well cleaned, credential harvesters are used to obtain all active directory credentials, and compromising remote desktop services. Threat actor is also know to ex-filtrate financial statements from SAP linux based systems.
- Three major components of RedLeaves execution on the compromised system
- The RedLeaves and PlugX Process Path, and inject implant into memory
- Discover how RedLeaves and PlugX communicates
- Learn how the LIFARS team identified seven systems of interest in the firm’s by advanced memory forensics
- The synopsis and our Incident Response Team’s digital forensic investigation work on the engagement
LIFARS work was declasified by DHS and FBI, in th US-CERT post that can be found here.
For any questions, please contact our LIFARS Incident Response Consultants for advice on protecting your organization today. The story of APT10, Cloud Hopper, PlugX & RedLeaves will be repeated again.