Group-IB has recently detected a series of new advanced attacks by the RedCurl group; it’s a corporate cyber espionage group targeting several companies around the globe in various industries.

Since RedCurl’s return, they have targeted four companies this year with new advanced tactics. One of the companies they’ve targeted is one of the largest wholesale stores in Russia.

The head of the Dynamic Malware Analysis Team at Group-IB, Ivan Pisarev shared a report to Cyber Security News:-

“In every attack, the threat actor demonstrates extensive red teaming skills and the ability to bypass traditional anti-virus detection using their own custom malware. This means that more and more companies are likely to fall victim to the group, which conducts well-prepared targeted attacks aimed at stealing internal corporate documentation. Commercial Corporate cyber espionage remains a rare and largely unique phenomenon.”

Victim Count Increased

RedCurl has been in operation since at least 2018 and has so far targeted more than 30 businesses, including 18 in Russia and Ukraine, four in Canada, two in Norway, and one each in the UK and Germany. These latest four attacks occurred this year.

Moreover, RedCurl hackers are known for their ability to stay undetected for long periods of time. They are excellent at hiding their tracks, often evading detection for two to six months. 

And they are able to do this by using cutting-edge technology and following strict operational security protocols.

Wholesale & Retail Attacks

Before executing the attack, RedCurl investigates its victim even more thoroughly from public sources. And they do so to send phishing emails to different departments of the organization on behalf of the HR team by properly analyzing their “corporate identity.”

However, in new attacks on retail, RedCurl went even further and carried out two well-prepared mailings:- 

  • The first one was “classic” – on behalf of the HR department of the victim organization
  • The second one was – on behalf of the well-known state portal with the subject of the letter – “Initiation of enforcement proceedings.” 

Typically, all these letters had nothing to do with either the HR department or government agencies.

In the first stage, a malware downloader called “RedCurl.InitialDropper” was deployed by the attackers on the employee’s computer. And later, this malware was used to launch the second stage of the attack, and in order to get the downloader onto the employee’s computer, RedCurl packaged it inside a document that seemed relevant to their interests.

The document was disguised as an invitation from a Russian company looking for investors for an upcoming project. RedCurl collects information about the victim’s infrastructure just after infecting a computer on the target organization’s network. 

They are mainly interested in the following things:- 

  • Name and version of the infected system
  • List of network and logical drives, 
  • List of passwords

The information stolen from the infected system, the IP address, and the time when the request was received is saved to a separate file on the server-side.

Tools used

Here are all the latest and updated tools that are used by the RedCurl hackers:-

  • RedCurl.InitialDropper
  • RedCurl.Downloader
  • RedCurl.Extractor
  • RedCurl.FSABIN
  • RedCurl.CHABIN1
  • RedCurl.CHABIN2

One of the most interesting findings from Group-IB is that the total number of attacks against their target has been four. The first two attacks were a direct result of RedCurl’s updated tools being detected in the wild. 

While the other two have been against the same target, and each attack has been successful. However, since RedCurl’s updated tools have been detected so, the number of victims will also increase as time progresses.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity, and hacking news updates.

BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.