RedCurl corporate espionage hackers resume attacks with updated tools
A crew of highly skilled hackers specializing in corporate espionage has resumed activity; one of their victims this year was a large wholesale company in Russia.
Tracked as RedCurl, the group attacked the Russian business twice this year, each time using carefully constructed spear-phishing emails with initial-stage malware.
Active since 2018, RedCurl is responsible for at least 30 attacks against businesses in Russia (18 of them), Ukraine, Canada, Norway, the UK, and Germany, the latest four of them occurring this year.
[Image: RedCurl victim geography]
The hackers are proficient at staying undetected for long periods, between two and six months, before stealing corporate data (staff records, documents about legal entities, court records, internal files, email history).
Researchers at cybersecurity company Group-IB noticed a seven-month gap in RedCurl’s activity, which the hackers used to add significant improvements to their set of custom tools and attack methods.
Among the hackers' latest victims is one of Russia's largest wholesale companies, which supplies chain stores and other wholesalers with home, office, and leisure goods.
For reasons that remain unknown, RedCurl attacked this company twice, gaining initial access via emails impersonating the company's human resources department (announcing bonuses) and, in the second attack, the government services portal.
[Image: RedCurl spear-phishing emails to a large wholesale company in Russia]
In both cases, the goal was to deploy a malware downloader (RedCurl.InitialDropper) on the employee's computer, hidden in an attached document, which could then launch the next stage of the attack.
During the investigation, Group-IB found that RedCurl had extended the attack chain to five stages, up from the three or four steps observed previously.
[Image: Typical RedCurl kill chain]
The hackers were careful not to raise any suspicion when the recipient opened the malicious document that launched the initial dropper, so they included a well-crafted decoy file with content related to the organization.
The dropper would fetch the RedCurl.Downloader tool, which collected info about the infected machine and delivered it to a command and control server (C2), and also initiated the next stage of the attack.
Group-IB discovered that the hackers now used RedCurl.Extractor, a modified version of the RedCurl.Dropper they found in previous attacks from this threat actor.
The purpose of this tool was only to prepare the final step of the attack, which involved achieving persistence on the system.
The researchers note that RedCurl has shifted from the typical use of batch and PowerShell scripts to executable files and that antivirus software failed to detect the initial infection or the attacker moving laterally on the victim network.
However, the improvements to RedCurl’s toolset appear to have been rushed, as Group-IB discovered a logical error in one of the commands. One explanation is that the group had little time to start the attack and could not properly test their tools.
Group-IB has published a report today with indicators of compromise and technical information on RedCurl’s updated set of tools and their functionality:
Despite not being as active as in other years, RedCurl maintains its sophistication and remains an advanced threat actor capable of staying undetected for months.
Group-IB says that of the four attacks identified this year, two were against the same target. However, they expect more victims to appear since RedCurl’s updated tools have been detected in the wild with increased frequency.