Researchers have identified a Russian APT group, "RedCurl", that attacks corporate networks around the world to steal commercial documents.
Its attacks on private companies across numerous industries are thoroughly planned and rely on a unique toolset; the attackers' main motivation is to steal documents containing commercial secrets and employee personal data.
RedCurl has targeted victims across the globe, including Russia, Ukraine, the UK, Germany, Canada, and Norway, and the group has been attacking corporate networks since May 2018.
Data involved
RedCurl has been stealing insider data such as employee records and companies' trade and financial secrets. Group-IB has tied the group to 26 attacks on organizations around the world and has released a technical report on its activity.
The Computer Emergency Response Team of the cybersecurity firm (Group-IB) received a call from a customer who asserted that the company had been attacked. After confirming the incident, the firm took several steps to limit its impact, and the investigation revealed particularly well-written spear-phishing emails.
Corporate Espionage
RedCurl's approach varies with the target: the spear-phishing emails are sent to staff at different levels, depending on the type of business.
In an attack on a German company, the researchers believe the emails were addressed to senior staff, whereas in attacks on firms in Russia and Canada, mid-level staff were targeted.
Rustam Mirkasymov, head of the Malware Dynamic Analysis Team at Group-IB, remarks that RedCurl has stolen case files from law and consulting firms, and employee profiles, including polygraph test results, from retailers.
Someone may have hired the attackers to obtain the information; the geographic and industry range of RedCurl's victims further supports a corporate espionage motive, Group-IB told Cyber Security News.
Tricky cloud
RedCurl's emails carry links, placed in the message body, that lead to archives hosted on legitimate cloud storage services. The links are disguised so that the victim has no reason to distrust the document they are asked to open.
The documents purported to concern bonuses and appeared to come from an official website; opening them deployed a Trojan, controlled by the attackers via cloud storage, onto the local network. RedCurl's main goal is to steal documentation and business email from the victim's infrastructure.
Key Highlights
- RedCurl has conducted 26 attacks on commercial organizations.
- RedCurl targeted companies located in Russia, Ukraine, U.K., Germany, Canada, and Norway.
- RedCurl uses phishing and spear-phishing campaigns.
- The targets of RedCurl are spread across multiple fields like construction, insurance, consulting, finance, travel, banking, law, and retail.
- The operators of RedCurl use PowerShell scripts to evade security solutions.
- The operators of RedCurl used genuine cloud storage services, such as Cloudme and koofr.net, for communication with their malware.
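The last two points together give defenders a concrete hunting lead: a PowerShell process that opens network connections to consumer cloud-storage services is unusual on a corporate workstation, even though employees may legitimately use those services from a browser. The script below is an added example, not part of the original article and not Group-IB's tooling; it scans endpoint network-connection telemetry for that combination. The CSV log format, the workstation names, the sample lines, and the `cloudme.com` hostname used for Cloudme are all assumptions constructed for the example.

```python
"""Hunt for PowerShell processes connecting to consumer cloud-storage domains.

Added example (not the article's or Group-IB's code). Input is assumed to be
an export of endpoint network-connection events (for instance Sysmon Event ID 3
or EDR telemetry) flattened to CSV with the columns below; real exports will
need their column names mapped onto these.
"""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Cloud-storage services named in the article. The exact hostnames are an
# assumption for this example; use the domains observed in your own telemetry.
CLOUD_STORAGE_DOMAINS = ("cloudme.com", "koofr.net")

# Script hosts that normally have no business talking to consumer cloud storage.
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# Constructed sample telemetry (not real logs): one outbound connection per line.
SAMPLE_LOG = """\
timestamp,host,image,dest_host,dest_port
2020-08-12T09:01:02Z,WS-FIN-07,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,webdav.cloudme.com,443
2020-08-12T09:03:14Z,WS-FIN-07,C:\\Program Files\\Mozilla Firefox\\firefox.exe,app.koofr.net,443
2020-08-12T09:05:31Z,WS-FIN-07,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,webdav.cloudme.com,443
2020-08-12T09:06:00Z,WS-HR-02,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,update.microsoft.com,443
2020-08-12T10:12:45Z,WS-LEGAL-03,C:\\Program Files\\PowerShell\\7\\pwsh.exe,app.koofr.net,443
"""


def image_basename(image: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX process path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def matches_domain(dest_host: str, domains=CLOUD_STORAGE_DOMAINS) -> bool:
    """True if dest_host is one of the watched domains or a subdomain of one.

    Suffix matching is anchored on a dot so that 'notcloudme.com' does not match.
    """
    host = dest_host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def find_suspicious_connections(log_text: str) -> List[Dict[str, str]]:
    """Return the rows where a script host connected to a watched domain."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if image_basename(row["image"]) in SCRIPT_HOSTS and matches_domain(row["dest_host"]):
            alerts.append({
                "timestamp": row["timestamp"],
                "host": row["host"],
                "process": image_basename(row["image"]),
                "dest_host": row["dest_host"].lower(),
            })
    return alerts


def summarize_by_host(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count alerts per workstation; repeated hits from one host suggest beaconing."""
    counts: Dict[str, int] = defaultdict(int)
    for alert in alerts:
        counts[alert["host"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_suspicious_connections(SAMPLE_LOG)
    for hit in hits:
        print(f"{hit['timestamp']} {hit['host']} {hit['process']} -> {hit['dest_host']}")
    print(summarize_by_host(hits))
```

On the constructed sample, the browser session to koofr.net and the PowerShell connection to a Microsoft domain are deliberately left unflagged: the signal is the pairing of a script host with a file-sharing service, not either element alone. Review the flagged hosts against the indicators of compromise in Group-IB's report before treating a hit as confirmed.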
Covering Traces
Group-IB's DFIR experts found that, after obtaining initial access to a victim's network, the group remains there for two to six months.
Losses from such espionage can amount to tens of millions of dollars. The researchers continue to track new RedCurl attacks worldwide, and have therefore released a technical report including indicators of compromise that organizations can use to check their networks for signs of RedCurl infection.