The detection identifies potential Red Leaves malware activity associated with APT10, which may indicate a low-severity but persistent threat actor presence. SOC teams should proactively hunt for this behavior to identify early-stage compromises and prevent lateral movement within Azure environments.
YARA Rule
rule malware_red_leaves_generic {
    meta:
        author = "David Cannings"
        description = "Red Leaves malware, related to APT10"
        // This hash from VT retrohunt, original sample was a memory dump
        sha256 = "2e1f902de32b999642bb09e995082c37a024f320c683848edadaf2db8e322c3c"
    strings:
        // MiniLZO release date
        $ = "Feb 04 2015"
        $ = "I can not start %s"
        $ = "dwConnectPort" fullword
        $ = "dwRemoteLanPort" fullword
        $ = "strRemoteLanAddress" fullword
        $ = "strLocalConnectIp" fullword
        $ = "\\\\.\\pipe\\NamePipe_MoreWindows" wide
        $ = "RedLeavesCMDSimulatorMutex" wide
        $ = "(NT %d.%d Build %d)" wide
        $ = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)" wide
        $ = "red_autumnal_leaves_dllmain.dll" wide ascii
        $ = "__data" wide
        $ = "__serial" wide
        $ = "__upt" wide
        $ = "__msgid" wide
    condition:
        7 of them
}
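The modifiers in this rule matter for whether a hit fires: strings marked wide are only matched as UTF-16LE, fullword strings must not be glued to other alphanumeric bytes, and the condition needs 7 of the 15 strings. As an added example that is not part of the page or of the rule author's tooling, the following pure-Python stand-in re-implements exactly that matching logic on constructed buffers so the threshold and modifier behaviour can be checked offline; in practice yara-python or the yara CLI does this, and the function names and sample buffers here are assumptions.

```python
# Pure-Python stand-in for the rule's string matching (added example, not the page's code).
# (modifiers, text) transcribed from the rule above; YARA defaults to ascii when none is given.
RED_LEAVES_STRINGS = [
    ("ascii", "Feb 04 2015"),
    ("ascii", "I can not start %s"),
    ("fullword", "dwConnectPort"),
    ("fullword", "dwRemoteLanPort"),
    ("fullword", "strRemoteLanAddress"),
    ("fullword", "strLocalConnectIp"),
    ("wide", "\\\\.\\pipe\\NamePipe_MoreWindows"),
    ("wide", "RedLeavesCMDSimulatorMutex"),
    ("wide", "(NT %d.%d Build %d)"),
    ("wide", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; "
             ".NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E)"),
    ("wide ascii", "red_autumnal_leaves_dllmain.dll"),
    ("wide", "__data"), ("wide", "__serial"), ("wide", "__upt"), ("wide", "__msgid"),
]
THRESHOLD = 7  # the rule's condition: "7 of them"

def _encodings(mods):
    # "wide" alone is UTF-16LE only, "wide ascii" is both, anything else is ASCII only.
    encs = ["utf-16-le"] if "wide" in mods else []
    if "ascii" in mods or "wide" not in mods:
        encs.append("ascii")
    return encs

def _fullword_ok(data, start, end):
    # fullword: no ASCII alphanumeric byte directly before or after (this rule's fullword strings are ascii).
    def alnum(i):
        return 0 <= i < len(data) and data[i] < 128 and chr(data[i]).isalnum()
    return not alnum(start - 1) and not alnum(end)

def _found(data, mods, text):
    for enc in _encodings(mods):
        needle, pos = text.encode(enc), -1
        while (pos := data.find(needle, pos + 1)) != -1:
            if "fullword" not in mods or _fullword_ok(data, pos, pos + len(needle)):
                return True
    return False

def red_leaves_hits(data):
    """Rule strings present in data, each checked with its own modifiers."""
    return [text for mods, text in RED_LEAVES_STRINGS if _found(data, mods, text)]

def red_leaves_matches(data):
    return len(red_leaves_hits(data)) >= THRESHOLD

# Constructed buffers (not real samples): the first carries exactly 7 strings in the required
# encodings; the second has look-alikes in the wrong encoding (ascii, not wide) or not fullword.
SAMPLE_HIT = b"\x00".join([b"Feb 04 2015", b"dwConnectPort"] + [s.encode("utf-16-le") for s in
    ("RedLeavesCMDSimulatorMutex", "__data", "__serial", "__upt", "__msgid")])
SAMPLE_MISS = b"RedLeavesCMDSimulatorMutex\x00dwConnectPortEx\x00" + RED_LEAVES_STRINGS[9][1].encode("ascii")
```

Running red_leaves_hits on a memory dump or decoded payload lists which of the rule's strings are present, which is useful when triaging a hit that sits just above or below the threshold.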
This YARA rule can be deployed in the following contexts:
Scenario: Scheduled system cleanup using Sysinternals Process Explorer
Filter/Exclusion: Exclude processes with ImageLoaded containing ProcessExplorer.exe or sysinternals in the file path.
Scenario: Administrative task to update Windows Defender Antivirus definitions
Filter/Exclusion: Exclude processes with ImageLoaded containing MsMpEng.exe or Windows Defender in the file path.
Scenario: Legitimate use of PowerShell to manage user accounts or group policies
Filter/Exclusion: Exclude processes with ImageLoaded containing powershell.exe and user or group in the command line arguments.
Scenario: Routine execution of Windows Task Scheduler jobs for log rotation or backup
Filter/Exclusion: Exclude processes with ImageLoaded containing schtasks.exe or Task Scheduler in the process name.
Scenario: Use of Windows Event Viewer to analyze logs for compliance or auditing purposes
Filter/Exclusion: Exclude processes with ImageLoaded containing eventvwr.exe or eventlog in the command line arguments.