Red Leaves malware analysis


This technical note discusses a relatively undocumented implant used by the APT10 group. This is named “Red Leaves” after strings found in the malware. The sample discussed was found during an incident response engagement in March 2017. The earliest evidence obtained shows it has been in use since at least November 2016.

By NCC Group
David Cannings
David Cannings
Cyber Security

My interests include computer security, digital electronics and writing tools to help analysis of cyber attacks.