Security researchers have uncovered a prolific new APT group blamed for at least 26 targeted corporate espionage attacks on organizations worldwide since 2018.
Dubbed “RedCurl” by Group-IB, the group is thought to be Russian-speaking, but its previous targets were located in Russia, Ukraine, the UK, Germany, Canada, and Norway. Victims come from a wide range of industries, including insurance, construction, retail, banking, law, finance and even travel companies.
The end goal of the attacks appears to be the theft of confidential corporate data such as contracts, financial documents, employee personal records, and information on legal action and facility construction.
Spear-phishing was used extensively to target specific teams in victim organizations, with the attackers posing as HR staff members and sending their emails to multiple recipients to avoid raising suspicion, the report claimed.
These messages were so carefully drafted that Group-IB said they resemble red team pen-testing exercises.
“To deliver the payload, RedCurl used archives, links to which were placed in the email body and led to legitimate cloud storage services. The links were disguised so that the victim would not suspect that opening the attached document about bonuses from the supposedly official website would deploy a Trojan, controlled by the attacker via the cloud, on the local network,” the vendor explained.
“The Trojan-downloader RedCurl.Dropper served as the attackers’ gateway to the targeted system, installing and launching other malware modules. Like the group’s other custom tools, the dropper was written in PowerShell.”
With access to a target network, the attackers then scan for folders and documents, and steal email log-ins via the LaZagne tool if they do not find what they are looking for.
RedCurl remains in target networks for an average of two to six months. Persistence is maintained because all communication between the victim’s infrastructure and the attackers is conducted through legitimate cloud storage services such as Cloudme, koofr.net, and pcloud.com, and all commands are passed as PowerShell scripts.
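As an added, defender-side example (not from the Group-IB report or this article), the following Python flags network connections made by a PowerShell host to the cloud storage services named above, run over constructed Sysmon-style network-connection log lines; the exact domain names, the key=value event format and the list of script hosts are assumptions.

```python
import re

# Cloud storage services the report names as RedCurl's command channel.
# Domain names are assumed; the article names the services, not exact hosts.
CLOUD_STORAGE_DOMAINS = ("cloudme.com", "koofr.net", "pcloud.com")

# Script hosts under which PowerShell tooling would run (assumed list).
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# Constructed sample events in a Sysmon Event ID 3 (network connection) style.
SAMPLE_LOG = """\
Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationHostname=app.koofr.net DestinationPort=443
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe DestinationHostname=api.pcloud.com DestinationPort=443
Image=C:\\Windows\\System32\\svchost.exe DestinationHostname=update.microsoft.com DestinationPort=443
Image=C:\\Program Files\\PowerShell\\7\\pwsh.exe DestinationHostname=www.cloudme.com DestinationPort=443
Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe DestinationHostname=internal.corp.local DestinationPort=5985
"""

# key=value pairs; a value runs until the next " key=" or end of line, so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Split one key=value event line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line.strip())}


def is_cloud_storage(host):
    """True when the destination is one of the listed services or a subdomain of one."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in CLOUD_STORAGE_DOMAINS)


def is_script_host(image):
    """True when the process image's file name is a PowerShell host."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS


def find_script_host_cloud_egress(log_text):
    """Return (image, host) pairs where a PowerShell host connected to cloud storage."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        image, host = ev.get("Image", ""), ev.get("DestinationHostname", "")
        if is_script_host(image) and is_cloud_storage(host):
            hits.append((image, host))
    return hits


if __name__ == "__main__":
    for image, host in find_script_host_cloud_egress(SAMPLE_LOG):
        print(f"ALERT: PowerShell host {image} -> {host}")
```

A browser reaching koofr.net is not flagged, so in production the rule is a starting point to be tuned against the organisation's legitimate use of these services.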
Rustam Mirkasymov, head of the Malware Dynamic Analysis Team at Group-IB, argued that corporate espionage is a relatively rare phenomenon in the APT world.
“For RedCurl, it makes no difference whether to attack a Russian bank or a consulting company in Canada. Such groups focus on corporate espionage and use various techniques to cover their activity, including the use of legitimate tools that are hard to detect,” he added.
“The contents of the victim’s documents and records can be much more valuable than the contents of their own wallets. Despite the lack of direct financial damage, which is typical of financially motivated cybercriminal groups, the consequences of espionage can amount to tens of millions of dollars.”
It is hoped that, with the technical details and IOCs set out in the report, organizations will be better able to detect and block RedCurl attacks in future.