RedCurl Shifts from Espionage to Ransomware with First-Ever QWCrypt Deployment

The Russian-speaking hacking group called RedCurl has been linked to a ransomware campaign for the first time, marking a departure in the threat actor’s tradecraft.

The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a never-before-seen ransomware strain dubbed QWCrypt.

RedCurl, also called Earth Kapre and Red Wolf, has a history of orchestrating corporate espionage attacks aimed at various entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States. It’s known to be active since at least November 2018.

✔ Approved From Our Partners

Protect and backup your data using AOMEI Backupper. AOMEI Backupper takes secure and encrypted backups from your Windows, hard drives or partitions. With AOMEI Backupper you will never be worried about loosing your data anymore.

Get AOMEI Backupper with 72% discount from an authorized distrinutor of AOMEI: SerialCart® (Limited Offer).

➤ Activate Your Coupon Code

Attack chains documented by Group-IB in 2020 entailed the use of spear-phishing emails bearing Human Resources (HR)-themed lures to activate the malware deployment process. Earlier this January, Huntress detailed attacks mounted by the threat actor targeting several organizations in Canada to deploy a loader dubbed RedLoader with “simple backdoor capabilities.”

Then last month, Canadian cybersecurity company eSentire revealed RedCurl’s use of spam PDF attachments masquerading as CVs and Cover letters in phishing messages to sideload the loader malware using the legitimate Adobe executable “ADNotificationManager.exe.”

The attack sequence detailed by Bitdefender traces the same steps, using mountable disk image (ISO) files disguised as CVs to initiate a multi-stage infection procedure. Present within the disk image is a file that mimics a Windows screensaver (SCR) but, in reality, is the ADNotificationManager.exe binary that’s used to execute the loader (“netutils.dll”) using DLL side-loading.

“After execution, the netutils.dll immediately launches a ShellExecuteA call with the open verb, directing the victim’s browser to https://secure.indeed.com/auth,” Martin Zugec, technical solutions director at Bitdefender, said in a report shared with The Hacker News.

“This displays a legitimate Indeed login page, a calculated distraction designed to mislead the victim into thinking they are simply opening a CV. This social engineering tactic provides a window for the malware to operate undetected.”

Image Source: eSentire

The loader, per Bitdefender, also acts as a downloader for a next-stage backdoor DLL, while also establishing persistence on the host by means of a scheduled task. The newly retrieved DLL is then executed using Program Compatibility Assistant (pcalua.exe), a technique detailed by Trend Micro in March 2024.

The access afforded by the implant paves the way for lateral movement, allowing the threat actor to navigate the network, gather intelligence, and further escalate their access. But in what appears to be a major pivot from their established modus operandi, one such attack also led to the deployment of ransomware for the first time.

“This focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort,” Zugec said. “By encrypting the virtual machines hosted on the hypervisors, making them unbootable, RedCurl effectively disables the entire virtualized infrastructure, impacting all hosted services.”

The ransomware executable, besides employing the bring your own vulnerable driver (BYOVD) technique to disable endpoint security software, takes steps to gather system information prior to launching the encryption routine. What’s more, the ransom note dropped following encryption appears to be inspired by LockBit, HardBit, and Mimic groups.

“This practice of repurposing existing ransom note text raises questions about the origins and motivations of the RedCurl group,” Zugec said. “Notably, there is no known dedicated leak site (DLS) associated with this ransomware, and it remains unclear whether the ransom note represents a genuine extortion attempt or a diversion.”

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter  and LinkedIn to read more exclusive content we post.