RedCurl Emerges as a Corporate Espionage APT

Security researchers have uncovered a prolific new APT group blamed for at least 26 targeted corporate espionage attacks on global firms since 2018.



Dubbed “RedCurl” by Group-IB, the group is thought to be Russian-speaking, though its previous targets were located in Russia, Ukraine, the UK, Germany, Canada, and Norway. Victims come from a wide variety of industries, including insurance, construction, retail, banking, law, finance and even travel agencies.



The end goal of attacks appears to be the theft of confidential corporate data such as contracts, financial documents, employee personal records, and information on legal action and facility construction.



Spear-phishing was used extensively to target specific teams in victim organizations, with the attackers posing as HR staff members and sending their emails to multiple recipients to avoid raising suspicion, the report claimed.



These messages were so carefully drafted that, according to Group-IB, they resembled red team penetration-testing exercises.



“To deliver the payload, RedCurl used archives, links to which were placed in the email body and led to legitimate cloud storage services. The links were disguised so that the victim would not suspect that opening the attached document about bonuses from the supposedly official website would deploy a Trojan, controlled by the attacker through the cloud, on the local network,” the vendor explained.



“The Trojan-downloader RedCurl.Dropper served as the attackers’ pass to the targeted system that installed and launched other malware modules. Like the group's other custom tools, the dropper was written in PowerShell.”



With access to a target network, the attackers then scan for folders and documents, and steal email log-ins via the LaZagne tool if they don’t find what they’re looking for. ..