Corporate Espionage Group 'RedCurl' Targeted at Least 14 Organizations

Group-IB security researchers have identified an advanced persistent threat group that has launched at least 26 targeted attacks since 2018.


Referred to as RedCurl, the threat actor is focused on corporate espionage across a variety of industries, including banking, construction, consulting, finance, insurance, law, retail, and travel. An employee of a cyber-security company is believed to have been targeted as well.


Presumably Russian-speaking, the group targeted victims in Canada, Germany, Norway, Russia, Ukraine, and the United Kingdom. A total of 14 organizations fell victim to the attacks, some multiple times.


RedCurl appears interested in stealing files containing either commercial secrets (such as contracts, financial documents, and records of legal action) or personal information of employees, which suggests the group might have been commissioned for the purpose of corporate espionage, Group-IB says.


Dated May 2018, the earliest known attack attributed to the APT employed phishing as the initial vector and, because it targeted specific teams, revealed that the adversary had in-depth knowledge of the victim’s infrastructure.


Archive files were employed for payload delivery, using links to legitimate cloud storage services. A PowerShell Trojan-downloader was used to fetch and execute additional malware modules.


Once they had gained a foothold in the victim’s infrastructure, the attackers would scan for the folders and office documents reachable from the infected system and then decide whether any of the content was of interest. The curl utility was used to exfiltrate content to the cloud.


The adversary would also replace *.jpg, *.pdf, *.doc, *.docx, *.xls, and *.xlsx files on network drives with modified LNK shortcuts, so that the RedCurl dropper would be launched when a user attempted to open them. Thus, the APT’s malw ..
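A defender-side hunt for the shortcut swap described above, added here as an illustration rather than anything from Group-IB's report: it walks a share, flags `.lnk` files that still carry a document extension in their name (such as `contract.docx.lnk`), and parses the Shell Link header to check the `HasArguments` flag, which a plain shortcut to a file does not need. The share contents and the minimal LNK headers are constructed inline for the demo; `hunt_masquerading_lnk` and `build_lnk` are names chosen for this example.

```python
import struct
import tempfile
from pathlib import Path

# Shell Link (.LNK) header constants from the MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20  # LinkFlags bit: the shortcut carries command-line arguments
# Document types the article says were swapped for LNK shortcuts.
DOC_EXTS = (".jpg", ".pdf", ".doc", ".docx", ".xls", ".xlsx")

def lnk_flags(data: bytes):
    """Return the LinkFlags field if data starts with a valid LNK header, else None."""
    if len(data) < LNK_HEADER_SIZE:
        return None
    size = struct.unpack_from("<I", data, 0)[0]
    if size != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        return None
    return struct.unpack_from("<I", data, 0x14)[0]

def hunt_masquerading_lnk(root):
    """Return .lnk files under root that keep a document extension in their name
    (e.g. contract.docx.lnk) and launch their target with arguments."""
    hits = []
    for path in Path(root).rglob("*.lnk"):
        inner_ext = Path(path.stem).suffix.lower()  # extension hidden before .lnk
        if inner_ext not in DOC_EXTS:
            continue
        flags = lnk_flags(path.read_bytes())
        if flags is not None and flags & HAS_ARGUMENTS:
            hits.append(path.name)
    return sorted(hits)

def build_lnk(flags: int) -> bytes:
    """Constructed minimal LNK header for the demo (hypothetical, not a real sample)."""
    body = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    return body + b"\x00" * (LNK_HEADER_SIZE - len(body))

def demo():
    """Build a constructed share layout in a temp dir and run the hunt over it."""
    share = tempfile.mkdtemp(prefix="share_")
    Path(share, "contract.docx.lnk").write_bytes(build_lnk(HAS_ARGUMENTS | 0x80))
    Path(share, "report.pdf.lnk").write_bytes(build_lnk(0x80))  # plain shortcut, no args
    Path(share, "tool.lnk").write_bytes(build_lnk(HAS_ARGUMENTS))  # args, but not a doc name
    return hunt_masquerading_lnk(share)

if __name__ == "__main__":
    print(demo())  # ['contract.docx.lnk']
```

In a real hunt, pair the name check with the target and argument strings from the LNK's StringData section so that shortcuts pointing at script interpreters stand out even when the file name looks harmless.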
