Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:50 PM
Connect Directly

RedCurl APT Group Hacks Global Companies for Corporate Espionage

Researchers analyze a presumably Russian-speaking APT group that has been stealing corporate data since 2018.

RedCurl is its name. Corporate espionage is its game.

Security researchers today published findings on a new APT group they claim has been stealing data from organizations around the world as far back as 2018. Since then, RedCurl has targeted at least 14 private companies in 26 attacks designed to steal documents containing commercial secrets and employees' personal information.

Its targets span a range of industries and locations. The group has targeted organizations in construction, finance, consulting, retail, banking, insurance, law, and travel; its victims are in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway, researchers report.

Group-IB, a security firm based in Russia and Singapore, says the group is presumably Russian-speaking and launched its earliest known attack in May 2018. The company became aware of the threat in the summer of 2019 when its Computer Emergency Response Team received a call from a customer who said the company had been attacked. Efforts to mitigate the incident revealed especially well-written spear-phishing emails that indicated a planned and targeted attack.

Threat intelligence specialists took an interest and found RedCurl infected computers in specific departments within organizations and only took specific documents. Attackers performed in-depth intelligence on targets' infrastructure: Most often, they posed as HR staff and sent emails to multiple employees throughout the same division to make them seem less suspicious.

"They have information on who will open their emails," says Rustam Mirkasymov, head of Group-IB's malware dynamic analysis team. "They know which guys work in what department, and they attack the whole department, so if someone asks their colleagues if they've received any such emails, their colleagues will have gotten the same. It's really good preparation."

Content was carefully drafted. For example, the emails displayed the target company's address and logo, while the sender address contained the business' domain name. Group-IB highlights how the approach resembles the social-engineering attacks red teams use to test organizations.

To deliver the payload, attackers placed links in the email body to connect with legitimate cloud storage services, researchers explain in an extensive report on the threat. Links were disguised so employees wouldn't recognize the deployment of a Trojan-downloader Redcurl.Dropper, which gave the attackers a foothold onto the system and the ability to install and launch other malware modules. Like RedCurl's other custom tools, the dropper was written in PowerShell.

Mirkasymov notes the use of cloud services helps RedCurl fly under victims' radar. They don't pursue lateral movement or use active Trojans or RDP connections. They simply send a link and wait for victims to click. RedCurl.Dropper establishes connections with cloud storage services such as Cloudme, koofr.net, pcloud.com, and others.

"That's why it's not easy to detect their activity," he says. "They're really slow and silent."

Corporate Espionage: A New Threat to Watch
RedCurl's activity varies depending on its target. Spear-phishing attacks are sent to different levels depending on the business: In an attack on a German company, they went to high-level staff; in others against firms in Russia and Canada, midlevel employees were targeted.

Similarly, the data stolen varied from business to business. RedCurl has taken contracts, financial documents, employee personal records, and records of legal action and facility construction. Mirkasymov notes RedCurl has taken investigation cases from law and consulting firms, and employee profiles containing polygraph test results from retailers. 

When researchers poked around the underground forums, they didn't find any traces of these documents, so it doesn't appear RedCurl tried to sell it. Mirkasymov speculates someone hired the attackers to steal the information. The focus on corporate espionage is further supported by the geographical and industry range of RedCurl's victims.

There is no indication who might have hired RedCurl, where they might be based, or who is behind these attacks, he adds. The group is fairly new, and researchers hope to learn more over time.

"Corporate espionage is not something that we're used to on the cyberscene," Mirkasymov says. Researchers believe the frequency of these attacks indicates it's likely to become more widespread in the future.

They also noticed attackers seek email credentials: RedCurl uses the LaZagne tool, which extracts passwords from memory and files saved in the browser. If this doesn't work, it uses a PowerShell script that displays an Outlook window to snatch the victim's email address. They can then use another script to upload documents to the attacker-controlled cloud storage.

Related Content:


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
More SolarWinds Attack Details Emerge
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/12/2021
Vulnerability Management Has a Data Problem
Tal Morgenstern, Co-Founder & Chief Product Officer, Vulcan Cyber,  1/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-01-19
HGiga EIP product lacks ineffective access control in certain pages that allow attackers to access database or perform privileged functions.
PUBLISHED: 2021-01-19
HGiga EIP product contains SQL Injection vulnerability. Attackers can inject SQL commands into specific URL parameter (document management page) to obtain database schema and data.
PUBLISHED: 2021-01-19
HGiga EIP product contains SQL Injection vulnerability. Attackers can inject SQL commands into specific URL parameter (online registration) to obtain database schema and data.
PUBLISHED: 2021-01-19
** DISPUTED ** fs/nfsd/nfs3xdr.c in the Linux kernel through 5.10.8, when there is an NFS export of a subdirectory of a filesystem, allows remote attackers to traverse to other parts of the filesystem via READDIRPLUS. NOTE: some parties argue that such a subdirectory export is not intended to preven...
PUBLISHED: 2021-01-19
Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to remote code execution in certain Python applications that accept floating-point numbers as untrusted input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf i...