Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:50 PM
Connect Directly

RedCurl APT Group Hacks Global Companies for Corporate Espionage

Researchers analyze a presumably Russian-speaking APT group that has been stealing corporate data since 2018.

RedCurl is its name. Corporate espionage is its game.

Security researchers today published findings on a new APT group they claim has been stealing data from organizations around the world as far back as 2018. Since then, RedCurl has targeted at least 14 private companies in 26 attacks designed to steal documents containing commercial secrets and employees' personal information.

Its targets span a range of industries and locations. The group has targeted organizations in construction, finance, consulting, retail, banking, insurance, law, and travel; its victims are in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway, researchers report.

Group-IB, a security firm based in Russia and Singapore, says the group is presumably Russian-speaking and launched its earliest known attack in May 2018. The company became aware of the threat in the summer of 2019 when its Computer Emergency Response Team received a call from a customer who said the company had been attacked. Efforts to mitigate the incident revealed especially well-written spear-phishing emails that indicated a planned and targeted attack.

Threat intelligence specialists took an interest and found RedCurl infected computers in specific departments within organizations and only took specific documents. Attackers performed in-depth intelligence on targets' infrastructure: Most often, they posed as HR staff and sent emails to multiple employees throughout the same division to make them seem less suspicious.

"They have information on who will open their emails," says Rustam Mirkasymov, head of Group-IB's malware dynamic analysis team. "They know which guys work in what department, and they attack the whole department, so if someone asks their colleagues if they've received any such emails, their colleagues will have gotten the same. It's really good preparation."

Content was carefully drafted. For example, the emails displayed the target company's address and logo, while the sender address contained the business' domain name. Group-IB highlights how the approach resembles the social-engineering attacks red teams use to test organizations.

To deliver the payload, attackers placed links in the email body to connect with legitimate cloud storage services, researchers explain in an extensive report on the threat. Links were disguised so employees wouldn't recognize the deployment of a Trojan-downloader Redcurl.Dropper, which gave the attackers a foothold onto the system and the ability to install and launch other malware modules. Like RedCurl's other custom tools, the dropper was written in PowerShell.

Mirkasymov notes the use of cloud services helps RedCurl fly under victims' radar. They don't pursue lateral movement or use active Trojans or RDP connections. They simply send a link and wait for victims to click. RedCurl.Dropper establishes connections with cloud storage services such as Cloudme, koofr.net, pcloud.com, and others.

"That's why it's not easy to detect their activity," he says. "They're really slow and silent."

Corporate Espionage: A New Threat to Watch
RedCurl's activity varies depending on its target. Spear-phishing attacks are sent to different levels depending on the business: In an attack on a German company, they went to high-level staff; in others against firms in Russia and Canada, midlevel employees were targeted.

Similarly, the data stolen varied from business to business. RedCurl has taken contracts, financial documents, employee personal records, and records of legal action and facility construction. Mirkasymov notes RedCurl has taken investigation cases from law and consulting firms, and employee profiles containing polygraph test results from retailers. 

When researchers poked around the underground forums, they didn't find any traces of these documents, so it doesn't appear RedCurl tried to sell it. Mirkasymov speculates someone hired the attackers to steal the information. The focus on corporate espionage is further supported by the geographical and industry range of RedCurl's victims.

There is no indication who might have hired RedCurl, where they might be based, or who is behind these attacks, he adds. The group is fairly new, and researchers hope to learn more over time.

"Corporate espionage is not something that we're used to on the cyberscene," Mirkasymov says. Researchers believe the frequency of these attacks indicates it's likely to become more widespread in the future.

They also noticed attackers seek email credentials: RedCurl uses the LaZagne tool, which extracts passwords from memory and files saved in the browser. If this doesn't work, it uses a PowerShell script that displays an Outlook window to snatch the victim's email address. They can then use another script to upload documents to the attacker-controlled cloud storage.

Related Content:


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.