A group of highly trained hackers specializing in corporate espionage has restarted operations, with a significant wholesale corporation in Russia as one of its targets this year. The organization known as RedCurl has targeted a Russian company twice this year, each time using precisely crafted spear-phishing emails with early-stage malware.
RedCurl has been active since 2018, with at least 30 assaults against firms in Russia (18 of them), Ukraine, Canada, Norway, the United Kingdom, and Germany, the most recent four occurring this year. The hackers are skilled at going unnoticed for lengthy periods, ranging from two to six months, before obtaining company data (staff records, documents about legal entities, internal files, court records, email history).
Researchers from cybersecurity firm Group-IB detected a seven-month lull in RedCurl’s activities. The hackers took the time to expand their arsenal of bespoke tools and attack tactics. One of Russia’s major wholesale enterprises, which supplies chain shops and other wholesalers with home, office, and leisure items, is one of the hackers’ most recent victims.
RedCurl targeted this organization twice for unclear reasons, via emails posing as the company’s human resources department (offering bonuses) and as a public services portal. The purpose in both cases was to install a malware downloader (RedCurl.InitialDropper), concealed in an attached document, on the employee’s machine, which could then initiate the next stage of the operation. During the study, Group-IB discovered that RedCurl had extended the attack chain to five stages, up from the three or four previously recorded.
When the recipient opened the infected document that triggered the initial dropper, the hackers had included a well-crafted decoy file containing material relating to the company so as not to raise suspicion. The dropper would then download the RedCurl.Downloader utility, which would collect information about the infected system, send it to a command-and-control (C2) server, and start the next attack step.
According to Group-IB, the hackers were now using RedCurl.Extractor, a modified version of the RedCurl.Dropper seen in earlier attacks from this threat actor. This tool’s primary objective was to prepare for the final phase of the assault, which was to gain persistence on the system.
RedCurl has switched from batch and PowerShell scripts to executable files, according to the researchers, and antivirus products failed to identify either the initial infection or the attacker moving laterally on the target network. However, Group-IB uncovered a logical flaw in one of RedCurl’s commands, indicating that the enhancements to RedCurl’s toolset were hurried. One explanation is that the gang had only a short time to launch the attack and hence could not adequately test its tools.