A Russian-speaking threat actor tracked as RedCurl has been observed deploying ransomware in a recent campaign, cybersecurity firm Bitdefender reports.
Also tracked as Earth Kapre or Red Wolf, RedCurl has been active since at least 2018, focused on corporate espionage and mainly targeting organizations in the US, with additional victims identified in Germany, Spain, and Mexico.
The threat actor has maintained a low-profile, using readily-available tools for intrusion and data exfiltration, but recently started employing a new ransomware dubbed QWCrypt, which marks a significant shift in its tactics.
For initial access, the group relies on phishing emails containing IMG files containing a SCR file masquerading as a CV. The SCR file is a renamed copy of a legitimate Adobe executable vulnerable to DLL sideloading.
The loaded DLL directs the victim to a login webpage, while fetching a payload in the background. A scheduled task that is created for persistence executes the payload indirectly.
The QWCrypt variant that RedCurl deploys in attacks only targets hypervisors, encrypting the virtual machines hosted on them and disabling the organization’s entire virtualized infrastructure. VMs that act as gateways are not encrypted, and the analyzed batch scripts suggest a highly targeted operation.
“By keeping network gateways operational and avoiding endpoint encryption, RedCurl may have aimed to confine the attack to the IT team, preventing widespread disruption and user awareness,” Bidefender notes.
To date, there has been no evidence that RedCurl has used the data stolen from its victims for extortion, which clearly sets the threat actor apart from financially motivated groups, which “rarely prioritize the theft of proprietary information for competitive advantage”.
“[RedCurl’s] revenue generation and operational objectives remain shrouded in mystery, particularly given their sustained activity since 2018. Consequently, their business model and true motivations remain unclear,” Bitdefender notes.
Given the threat actor’s diverse victimology and lack of a consistent operational pattern, the cybersecurity firm speculates that it likely operates as a ‘gun-for-hire’ group, which would also explain its use of ransomware against infrastructure, instead of endpoints.
“In a mercenary model, ransomware could serve as a diversion, masking the true objective: a targeted data exfiltration operation. It’s also possible that RedCurl, having completed a data exfiltration contract, was not paid, leading them to use ransomware as an alternate way to monetize their access,” Bitdefender notes.
On the other hand, the group could be focused on maintaining low-profile operations by targeting hypervisors for encryption and engaging in discreet communication with the victim organizations.
“The absence of publicly visible ransom demands, such as through a dedicated leak site (DLS), does not necessarily indicate that RedCurl is not directly approaching victims. It is plausible that they engage in private negotiations, further reinforcing their preference for discreet operations and explaining their lack of public victim announcements,” Bitdefender notes.
Related: Chinese Cyberspy Possibly Launching Ransomware Attacks as Side Job
Related: Chinese APT Tools Found in Ransomware Schemes, Blurring Attribution Lines
Related: Ransomware Groups Increasingly Adopting EDR Killer Tools
Related: Russian Ransomware Gang Exploited Windows Zero-Day Before Patch
