Rent a Hacker: Russian APT Group “RedCurl” Attacks Corporate Networks to Steal Commercial Documents

Researchers have detected a Russian APT group, “RedCurl”, that attacks corporate networks around the world to steal commercial documents.

The group carries out thoroughly planned attacks on private companies across numerous industries using a unique toolset; the attackers' main motivation is to steal documents that contain commercial secrets and employees' personal data.

RedCurl has targeted victims around the globe, including in Russia, Ukraine, the UK, Germany, Canada, and Norway, and the group has been attacking corporate networks since May 2018.

Data involved

RedCurl has been stealing insider data such as employee records and company trade and financial secrets. The RedCurl operators have attacked 26 organizations all over the world and are expected to publish all stolen data shortly.

The cybersecurity firm's Computer Emergency Response Team received a call from a customer asserting that the company had been attacked. Soon after the firm detected the attack, it took several steps to limit the incident's impact; the investigation revealed particularly well-written spear-phishing emails.

Corporate Espionage

The RedCurl attack varies depending on its target: spear-phishing emails are sent to staff at different levels of the organization, depending on the type of business.

Researchers believe that in an attack on a German company the emails were aimed at high-level staff, while in other attacks, on firms in Russia and Canada, mid-level staffers were targeted.

Rustam Mirkasymov, head of the Malware Dynamic Analysis Team at Group-IB, remarks that RedCurl has taken case research from law and consulting firms, and employee profiles, including polygraph test results, from retailers.

Someone may have hired the attackers to obtain the information; the geographical and industry range of RedCurl's victims further supports the conclusion that their focus is corporate espionage, Group-IB told Cyber Security News.

Tricky cloud

RedCurl used archives delivered via links placed in the email body that led to legitimate cloud storage services. The links were disguised so that the victim would have no reason to distrust opening the attached document.

The documents, purportedly about bonuses and hosted on a seemingly official website, would deploy a Trojan, controlled by the attacker via the cloud, on the local network. RedCurl's main goal is to steal documentation from the victim's infrastructure and business emails.

Key Highlights

  • RedCurl has conducted 26 attacks on commercial organizations.
  • RedCurl targeted companies located in Russia, Ukraine, U.K., Germany, Canada, and Norway.
  • RedCurl uses phishing and spear-phishing campaigns.
  • The targets of RedCurl are spread across multiple fields like construction, insurance, consulting, finance, travel, banking, law, and retail.
  • The RedCurl operators use PowerShell scripts to evade security solutions.
  • The RedCurl operators used legitimate cloud storage services such as Cloudme and koofr.net for communication.
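Because the group blends in by running PowerShell and talking to legitimate cloud storage services, a useful hunt is to correlate the two: script-host processes reaching those services, while ordinary browser or mail-client traffic to the same services is left alone. The following is an added example, not code from the article or from Group-IB; the EDR-style log format, the hostnames, and the cloudme.com domain (for the "Cloudme" service named above) are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Legitimate cloud storage services the report names as RedCurl's channel.
# koofr.net comes from the article; cloudme.com is an assumed domain for "Cloudme".
CLOUD_STORAGE_DOMAINS = {"koofr.net", "cloudme.com"}

# Script interpreters whose traffic to file-sharing services warrants review.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed sample of EDR-style network events: timestamp host process dest.
SAMPLE_EVENTS = """\
2020-08-13T09:01:10Z WS-0142 outlook.exe outlook.office365.com
2020-08-13T09:02:44Z WS-0142 powershell.exe app.koofr.net
2020-08-13T09:02:51Z WS-0142 powershell.exe app.koofr.net
2020-08-13T09:15:03Z WS-0077 chrome.exe www.cloudme.com
2020-08-13T09:16:20Z WS-0077 powershell.exe www.cloudme.com
2020-08-13T10:30:00Z WS-0199 powershell.exe update.microsoft.com
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def registrable_domain(host):
    """Last two labels of a hostname, e.g. app.koofr.net -> koofr.net
    (assumes no multi-label public suffixes such as co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def parse_events(text):
    """Parse the four-column event lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, proc, dest = m.groups()
            events.append({"ts": ts, "host": host, "process": proc.lower(), "dest": dest})
    return events

def find_suspicious(events):
    """Group (endpoint, process, domain) for script hosts reaching cloud storage.
    Browser and mail-client traffic to the same services is expected and ignored."""
    hits = defaultdict(list)
    for e in events:
        dom = registrable_domain(e["dest"])
        if e["process"] in SCRIPT_HOSTS and dom in CLOUD_STORAGE_DOMAINS:
            hits[(e["host"], e["process"], dom)].append(e["ts"])
    return dict(hits)

if __name__ == "__main__":
    for (host, proc, dom), times in find_suspicious(parse_events(SAMPLE_EVENTS)).items():
        print(f"{host}: {proc} -> {dom} ({len(times)} events, first at {times[0]})")
```

On the sample, the two PowerShell endpoints are reported and the Chrome and Outlook connections are not; in practice the domain list would be extended with whichever file-sharing services the report's indicators of compromise name.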

Covering Traces

Group-IB's DFIR experts discovered that, after obtaining initial access to the victim's network, the group remains there for two to six months.

The losses from such espionage can amount to tens of millions of dollars. The researchers affirmed that they continue to track RedCurl's new attacks worldwide, which is why they decided to release a technical report including indicators of compromise that organizations can use to check their networks for signs of RedCurl infection.

Balaji N

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
