Group-IB security researchers have identified an advanced persistent threat group that has launched at least 26 targeted attacks since 2018.
Referred to as RedCurl, the threat actor is focused on corporate espionage across a variety of industries, including banking, construction, consulting, finance, insurance, law, retail, and travel. The employee of a cyber-security company is believed to have been targeted as well.
Presumably Russian-speaking, the group targeted victims in Canada, Germany, Norway, Russia, Ukraine, and the United Kingdom. A total of 14 organizations fell victim to the attacks, some multiple times.
RedCurl appears interested in stealing files containing either commercial secrets (such as contracts, financial documents, and records of legal action) or personal information of employees, which suggests the group might have been commissioned for the purpose of corporate espionage, Group-IB says.
Dated May 2018, the earliest known attack attributed to the APT employed phishing as the initial vector and revealed that the adversary had in-depth knowledge of the victim’s infrastructure, by targeting specific teams.
Archive files were employed for payload delivery, using links to legitimate cloud storage services. A PowerShell Trojan-downloader was used to fetch and execute additional malware modules.
Once gaining a foothold on the victim’s infrastructure, the attackers would scan for the folders and office documents that could be reached from the infected system and then decided whether any of the content was of interest. A curl utility is used to exfiltrate content to the cloud.
The adversary would also replace *.jpg, *.pdf, *.doc, *.docx, *.xls, and *.xlsx files on network drives with modified LNK shortcuts, so that the RedCurl dropper would be launched when a user attempted to open them. Thus, the APT’s malware would spread within the victim’s network.
Email credentials were also targeted for exfiltration, using the LaZagne tool, which was designed to extract passwords from memory and web browser. The attackers would also use a phishing Microsoft Outlook pop-up window to trick the victim into revealing email credentials. A PowerShell script would then be used to find and steal documents of interest.
The group would remain in the victim’s network for long periods of time, ranging between two and six months. Legitimate cloud storage was used to ensure communication between the malware and the attackers, with commands passed as PowerShell scripts.
The threat actor uses a variety of PowerShell scripts that Group-IB says could be considered a framework, and which includes, in addition to the initial dropper, a FirstStageAgent (called FSA) and two submodules. Binary code is used to a minimum, the researchers discovered.
FSA and its submodules support commands to collect information on the infected system and Active Directory, harvest credentials, collect logs, fetch a list of other machines on the network, infect files on shared resources, exfiltrate emails, launch DLLs, remove traces of infection, configure SSH access, exfiltrate data, and more.
In their report on the APT, Group-IB also reveals that the group does not rely on Remote Desktop Protocol or similar communication vectors typically employed by cyber-espionage groups. Instead, interactive access is ensured via SSH and command line tools.
RedCurl’s attacks appear a continuation of previously analyzed RedOctober and CloudAtlas campaigns but, despite some similarities, a link between these campaigns cannot be confirmed at this time, the researchers note.
“As an element of unfair competition, corporate espionage is a relatively rare phenomenon in the APT world,” said Rustam Mirkasymov, the head of the Malware Dynamic Analysis Team at Group-IB. “The contents of the victim’s documents and records can be much more valuable than the contents of their own wallets. Despite the lack of direct financial damage, which is typical of financially motivated cybercriminal groups, the consequences of espionage can amount to tens of millions of dollars.”