Leeson has been observed masquerading as legitimate applications. It can be seen on systems with the following file paths:
- C:\Program Files\Realtek\Audio\HDA\AERTSr.exe
- C:\Program Files (x86)\Foxit Software\Foxit Reader\FoxitRdr64.exe
- C:\Program Files (x86)\Adobe\Flash Player\AddIns\airappinstaller\airappinstall.exe
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd64.exe
This backdoor may collect information such as:
- IP address
- OS version
- System language ID
- Computer name
- Signed-in username
The Leeson malware implements basic backdoor functionalities such as launching processes, uploading and downloading files, and executing shellcode from the C2 directly in memory.
It uses the Internet Explorer browser, via its COM interface, to connect to hardcoded C2 servers and receive commands from them. Because it relies on IE, the malware first configures the browser by modifying the following registry entries:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
- Start Page = “about:blank”
- DisableFirstRunCustomize = 1
- RunOnceComplete = 1
- RunOnceHasShown = 1
- Check_Associations = 1
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Recovery]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy]
- ClearBrowsingHistoryOnExit = 1
[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
When connecting to the C2 servers, the URL requests follow these formats:
- http[:]//<C2>?id=<5-digit-rand><system-specific-string>
- http[:]//<C2>?setssion==<rand><GetTickCount>
- http[:]//<C2>?newfrs%dsetssion=<rand><GetTickCount>
- http[:]//<C2>/index.htm?content=<base64-system-specific-string>&id=<num>
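The four URL formats above are distinctive enough to hunt for in web proxy logs. The following is an added example, not code from the original report: it classifies a request URL against those query shapes and runs the check over a constructed sample log. The log layout, the `.invalid` hostnames, and the assumption that `<rand>` and `<GetTickCount>` appear as plain alphanumerics are assumptions of this example.

```python
import re
from urllib.parse import urlsplit
from typing import List, Optional, Tuple

# Query shapes from the Leeson C2 URL formats above. "setssion" is the malware's own
# misspelling and is matched verbatim; the trailing <rand><GetTickCount> values are
# assumed here to be plain alphanumerics (the report does not give their encoding).
_URL_SHAPES = [
    # (name, allowed paths, query regex)
    ("id_rand",         {"", "/"},      re.compile(r"^id=\d{5}\S+$")),
    ("setssion",        {"", "/"},      re.compile(r"^setssion==\w+$")),
    ("newfrs_setssion", {"", "/"},      re.compile(r"^newfrs\d+setssion=\w+$")),
    ("index_content",   {"/index.htm"}, re.compile(r"^content=[A-Za-z0-9+/=%]+&id=\d+$")),
]

def classify_url(url: str) -> Optional[str]:
    """Return the name of the Leeson URL shape this request matches, or None."""
    parts = urlsplit(url)
    for name, paths, query_re in _URL_SHAPES:
        if parts.path in paths and query_re.match(parts.query):
            return name
    return None

# Constructed sample proxy log (space-separated: time client method url status).
# Hosts use the reserved .invalid TLD; they are not indicators from the report.
SAMPLE_PROXY_LOG = """\
2021-12-01T10:15:02Z 10.0.0.5 GET http://c2-a.invalid?id=48213WIN10-HOST01 200
2021-12-01T10:15:07Z 10.0.0.5 GET http://c2-a.invalid?setssion==7731482019 200
2021-12-01T10:16:30Z 10.0.0.7 GET http://c2-b.invalid/index.htm?content=SGVsbG8=&id=7 200
2021-12-01T10:16:31Z 10.0.0.9 GET http://www.example.invalid/index.html?q=news 200
"""

def scan_proxy_log(log: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, host, shape) for each request matching a Leeson URL shape."""
    hits = []
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash the sweep
        client, url = fields[1], fields[3]
        shape = classify_url(url)
        if shape:
            hits.append((client, urlsplit(url).netloc, shape))
    return hits

if __name__ == "__main__":
    for client, host, shape in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} -> {host}: matches Leeson shape '{shape}'")
```

A hit on `index_content` alone is weaker than the other three shapes, so correlate it with the host against the domain indicators below before escalating.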
Indicators of compromise (IOC)
This attack is still active, so these indicators should not be considered exhaustive for this observed activity.