RedCurl is its name. Corporate espionage is its game.
Security researchers today published findings on a new APT group they claim has been stealing data from organizations around the world as far back as 2018. Since then, RedCurl has targeted at least 14 private companies in 26 attacks designed to steal documents containing commercial secrets and employees' personal information.
Its targets span a range of industries and locations. The group has targeted organizations in construction, finance, consulting, retail, banking, insurance, law, and travel; its victims are in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway, researchers report.
Group-IB, a security firm based in Russia and Singapore, says the group is presumably Russian-speaking and launched its earliest known attack in May 2018. The company became aware of the threat in the summer of 2019 when its Computer Emergency Response Team received a call from a customer who said the company had been attacked. Efforts to mitigate the incident revealed especially well-written spear-phishing emails that indicated a planned and targeted attack.
Threat intelligence specialists took an interest and found RedCurl infected computers in specific departments within organizations and only took specific documents. Attackers performed in-depth intelligence on targets' infrastructure: Most often, they posed as HR staff and sent emails to multiple employees throughout the same division to make them seem less suspicious.
"They have information on who will open their emails," says Rustam Mirkasymov, head of Group-IB's malware dynamic analysis team. "They know which guys work in what department, and they attack the whole department, so if someone asks their colleagues if they've received any such emails, their colleagues will have gotten the same. It's really good preparation."
Content was carefully drafted. For example, the emails displayed the target company's address and logo, while the sender address contained the business' domain name. Group-IB highlights how the approach resembles the social-engineering attacks red teams use to test organizations.
To deliver the payload, attackers placed links in the email body to connect with legitimate cloud storage services, researchers explain in an extensive report on the threat. Links were disguised so employees wouldn't recognize the deployment of a Trojan-downloader Redcurl.Dropper, which gave the attackers a foothold onto the system and the ability to install and launch other malware modules. Like RedCurl's other custom tools, the dropper was written in PowerShell.
Mirkasymov notes the use of cloud services helps RedCurl fly under victims' radar. They don't pursue lateral movement or use active Trojans or RDP connections. They simply send a link and wait for victims to click. RedCurl.Dropper establishes connections with cloud storage services such as Cloudme, koofr.net, pcloud.com, and others.
"That's why it's not easy to detect their activity," he says. "They're really slow and silent."
Corporate Espionage: A New Threat to Watch
RedCurl's activity varies depending on its target. Spear-phishing attacks are sent to different levels depending on the business: In an attack on a German company, they went to high-level staff; in others against firms in Russia and Canada, midlevel employees were targeted.
Similarly, the data stolen varied from business to business. RedCurl has taken contracts, financial documents, employee personal records, and records of legal action and facility construction. Mirkasymov notes RedCurl has taken investigation cases from law and consulting firms, and employee profiles containing polygraph test results from retailers.
When researchers poked around the underground forums, they didn't find any traces of these documents, so it doesn't appear RedCurl tried to sell it. Mirkasymov speculates someone hired the attackers to steal the information. The focus on corporate espionage is further supported by the geographical and industry range of RedCurl's victims.
There is no indication who might have hired RedCurl, where they might be based, or who is behind these attacks, he adds. The group is fairly new, and researchers hope to learn more over time.
"Corporate espionage is not something that we're used to on the cyberscene," Mirkasymov says. Researchers believe the frequency of these attacks indicates it's likely to become more widespread in the future.
They also noticed attackers seek email credentials: RedCurl uses the LaZagne tool, which extracts passwords from memory and files saved in the browser. If this doesn't work, it uses a PowerShell script that displays an Outlook window to snatch the victim's email address. They can then use another script to upload documents to the attacker-controlled cloud storage.
- Emotet Return Brings New Tactics & Evasion Techniques
- Kr00k, KRACK, and the Seams in Wi-Fi, IoT Encryption
- A Rogues' Gallery of MacOS Malware
- The Threat from the Internet—and What Your Organization Can Do About It