Group-IB uncovers corporate espionage group RedCurl | The Business Standard
Group-IB uncovers corporate espionage group RedCurl

Tech

TBS Report
13 August, 2020, 10:25 pm
Last modified: 13 August, 2020, 10:31 pm

Since 2018, RedCurl conducted 26 targeted attacks on commercial organisations alone, including companies in the fields of construction, finance, consulting, retail, banking, insurance, law and travel


Singapore-based cybersecurity company Group-IB has released an analytical report on the previously unknown advanced persistent threat (APT) group RedCurl, which focuses on corporate espionage. 

An APT uses sophisticated hacking techniques to gain access to a system and remain inside it for a prolonged period, according to Kaspersky, a world-leading cybersecurity solution provider.

Because of this, an advanced persistent threat is particularly dangerous for enterprises, as the attackers retain ongoing access to sensitive company data.


RedCurl attacked dozens of targets around the world, from Russia to Canada, in less than three years. The presumably Russian-speaking group conducts thoroughly planned attacks on private companies across numerous industries using a unique toolset.

The attackers seek to steal documents that contain commercial secrets and employee personal data. 

According to Group-IB experts, corporate espionage has so far been a rare phenomenon on the hacker scene, but the current frequency of such attacks suggests that it is likely to become more widespread in the future.

Group-IB's new research contains the first-ever description of RedCurl's tactics, tools, and infrastructure. The report titled "RedCurl: The pentest you didn't know about" includes details about the group's kill chain discovered by Group-IB's Digital Forensics and Incident Response (DFIR) specialists. 

The report also contains unique data that Group-IB, a provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations, collected during incident response engagements related to campaigns attributed to RedCurl. 

From Russia to Canada 

The APT group RedCurl, discovered by Group-IB Threat Intelligence experts, has been active since at least 2018. Since then, it has conducted 26 targeted attacks on commercial organisations alone, including companies in the fields of construction, finance, consulting, retail, banking, insurance, law and travel. 

RedCurl does not have a clear geographical link to any region, but its victims are located in Russia, Ukraine, the United Kingdom, Germany, Canada and Norway.

As part of its activities, the group acted as covertly as possible to minimise the risk of being discovered on the victim's network. In all campaigns, RedCurl's main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction. 

This could indicate that RedCurl's attacks might have been commissioned for the purpose of corporate espionage. 

It is noteworthy that one of the group's possible victims was an employee of a cybersecurity company that protects its customers against precisely such attacks.

In total, Group-IB has identified 14 organisations that fell victim to RedCurl's espionage, some on several occasions. Group-IB specialists contacted each of them. Some of the affected companies are still responding to the incidents.

Who are you, Mr Pentester?

The earliest known RedCurl attack dates back to May 2018. As with all subsequent campaigns, the initial compromise vector was a well-written phishing email. 

The group performed in-depth reconnaissance of the victim's infrastructure: each email targeted a specific team rather than the organisation as a whole.

Most often, the attackers posed as HR staff at the targeted organisation and sent emails to multiple employees in the same department, which made the victims less vigilant. 

For example, the employees would receive the same email about annual bonuses. 

The spear-phishing email content was always carefully drafted. For instance, the emails displayed the targeted company's address and logo, while the sender address featured the company's domain name. 

Group-IB Threat Intelligence experts highlight that RedCurl's approach resembles social engineering attacks that red teaming specialists usually conduct to test an organisation's ability to combat advanced cyber-attacks using techniques and tools from hacker groups' arsenals. 

Tricky cloud 

To deliver the payload, RedCurl used archives and links placed in the email body that led to legitimate cloud storage services.

The links were disguised so that the victim would not suspect that opening the attached document about bonuses, apparently hosted on the company's official website, would deploy a Trojan on the local network, controlled by the attackers through the cloud.

The Trojan-downloader RedCurl.Dropper served as the attackers' pass to the targeted system: it installed and launched the other malware modules. Like the group's other custom tools, the dropper was written in PowerShell, Microsoft's task automation and configuration management framework.

RedCurl's main goal is to steal documentation from the victim's infrastructure and business emails. After gaining access to the target network, the cybercriminals scan the list of folders and office documents accessible from the infected computer. 

Information about them is sent to the cloud, after which a RedCurl operator decides which folders and files should be uploaded. 

At the same time, all files with the extensions *.jpg, *.pdf, *.doc, *.docx, *.xls, *.xlsx found on network drives are replaced with modified LNK shortcuts. When such a file is opened by a user, RedCurl.Dropper is launched. This helps RedCurl infect new machines within the victim organisation and propagate across the system. 
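The shortcut-replacement step above is something a defender can audit for on their own file shares. The following script is an added example written for this article, not Group-IB's tooling or any RedCurl artefact: it walks a directory tree and flags shortcuts that pose as documents, either by a double extension such as report.docx.lnk (Explorer hides the trailing .lnk, so the user sees report.docx) or by carrying a document extension while the bytes on disk are a Windows Shell Link header. The sample share it scans is constructed in a temporary directory; the extension list is the one quoted in the article.

```python
import os
import tempfile
from pathlib import Path

# Extensions the report names as being replaced with LNK shortcuts on network drives.
TARGETED_EXTS = {".jpg", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# First 20 bytes of every Windows Shell Link file: HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in on-disk (little-endian) order.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")


def is_shell_link(path: Path) -> bool:
    """True if the file starts with a Shell Link header, whatever its extension says."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False


def find_masquerading_shortcuts(root) -> list:
    """Walk a share and report shortcuts that pose as documents.

    Two patterns are flagged:
      1. name.docx.lnk style double extensions; we also record whether the
         real document has disappeared (the report describes replacement);
      2. a document extension whose content is actually a Shell Link.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            suffixes = [s.lower() for s in path.suffixes]
            if len(suffixes) >= 2 and suffixes[-1] == ".lnk" and suffixes[-2] in TARGETED_EXTS:
                original = path.with_suffix("")  # drops only the trailing '.lnk'
                findings.append({
                    "name": name,
                    "path": str(path),
                    "reason": "double-extension shortcut",
                    "original_missing": not original.exists(),
                    "valid_lnk_header": is_shell_link(path),
                })
            elif path.suffix.lower() in TARGETED_EXTS and is_shell_link(path):
                findings.append({
                    "name": name,
                    "path": str(path),
                    "reason": "document extension with Shell Link header",
                    "original_missing": True,
                    "valid_lnk_header": True,
                })
    return findings


def build_sample_share() -> str:
    """Create a constructed temporary directory tree imitating a small network share."""
    root = tempfile.mkdtemp(prefix="share_")
    finance = Path(root) / "Finance"
    finance.mkdir()
    # Untouched document (a real .docx begins with the ZIP signature).
    (finance / "contract.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 16)
    # Document replaced by a shortcut: the original .pdf is gone.
    (finance / "invoice.pdf.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
    # Shortcut planted next to a photo that still exists.
    (finance / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    (finance / "photo.jpg.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
    # Shortcut renamed to look like a spreadsheet outright.
    (finance / "plan.xlsx").write_bytes(LNK_MAGIC + b"\x00" * 56)
    # Ordinary shortcut and a non-targeted double extension: both should be ignored.
    (finance / "tool.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
    (finance / "notes.txt.lnk").write_bytes(LNK_MAGIC + b"\x00" * 56)
    return root


if __name__ == "__main__":
    for hit in find_masquerading_shortcuts(build_sample_share()):
        print(hit)
```

The header check matters because a shortcut can be renamed to hide the .lnk suffix entirely, so matching on file names alone misses it; conversely, a double-extension name with no Shell Link header is still worth a look, which is why both facts are reported per finding rather than collapsed into a yes/no.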

The attackers also seek to steal email credentials. To do so, RedCurl uses the LaZagne tool, which extracts passwords from memory and from files saved in the victim's web browser. 

If RedCurl fails to obtain the required data, it uses a Windows PowerShell script that displays a phishing pop-up imitating a Microsoft Outlook window to the victim.

After gaining access to the victim's email, RedCurl uses another PowerShell script to analyse and upload all documents of interest to cloud storage.

Covering traces

As part of incident response engagements related to RedCurl's attacks, Group-IB's DFIR specialists discovered that, after gaining initial access to the victim's network, the group remains there for two to six months. 

The RedCurl.Dropper Trojan, like the group's other tools, does not connect directly to the attackers' C&C server. Instead, all communication between the victim's infrastructure and the attackers is relayed through legitimate cloud storage services such as CloudMe, koofr.net and pcloud.com.

All commands are passed as PowerShell scripts. This allows RedCurl to remain undetected by traditional security solutions for a long time. 
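Because the C&C relay runs over legitimate cloud storage, the signal a defender has is the combination of process and destination rather than a malicious domain. The script below is an added example for this article, not Group-IB's detection content: it reads constructed, Sysmon-style network connection events (JSON, one per line; not real telemetry) and raises an alert when a PowerShell host process, rather than a browser or a sync client, talks to one of the storage services named above. The hostnames are assumptions for the example (the article names the services, and "CloudMe" is taken to be cloudme.com); a real deployment would maintain its own list and an allowlist for sanctioned use. A second function groups alerts per host over time, since the article describes dwell times of two to six months.

```python
import json
from datetime import datetime

# Services the report names as RedCurl's relay. Domain forms are assumptions for
# this example; the report names the services, not hostnames.
CLOUD_STORAGE_DOMAINS = ("cloudme.com", "koofr.net", "pcloud.com")

# Script interpreters whose direct connections to consumer cloud storage are
# unusual for most users; browsers talking to the same services are routine.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe"}

# Constructed sample events (Sysmon event 3 shape), one JSON object per line.
SAMPLE_EVENTS = r"""
{"ts": "2020-03-02T09:14:05Z", "host": "WS01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "dest_host": "api.pcloud.com", "dest_port": 443}
{"ts": "2020-03-02T09:20:11Z", "host": "WS01", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe", "dest_host": "www.cloudme.com", "dest_port": 443}
{"ts": "2020-03-02T10:01:40Z", "host": "WS02", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\System32\\svchost.exe", "dest_host": "wsus.corp.example", "dest_port": 8530}
{"ts": "2020-03-03T08:47:02Z", "host": "WS02", "image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "dest_host": "app.koofr.net", "dest_port": 443}
{"ts": "2020-03-03T09:00:00Z", "host": "WS03", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "parent_image": "C:\\Windows\\explorer.exe", "dest_host": "outlook.office365.com", "dest_port": 443}
{"ts": "2020-05-20T14:32:19Z", "host": "WS01", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "dest_host": "my.cloudme.com", "dest_port": 443}
this line is not JSON and must be counted as a parse error
{"ts": "2020-05-21T11:05:00Z", "host": "WS04", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "parent_image": "C:\\Windows\\explorer.exe", "dest_host": "evilpcloud.com", "dest_port": 443}
""".strip()


def host_matches(dest_host: str, domains=CLOUD_STORAGE_DOMAINS) -> bool:
    """Exact or subdomain match only; 'evilpcloud.com' must not match 'pcloud.com'."""
    h = dest_host.lower().rstrip(".")
    return any(h == d or h.endswith("." + d) for d in domains)


def image_name(image: str) -> str:
    """Basename of a Windows (or POSIX) image path, lower-cased."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_cloud_relay(event_lines) -> dict:
    """Return alerts for script-host-to-cloud-storage connections plus a parse error count."""
    alerts, parse_errors = [], 0
    for line in event_lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            proc = image_name(ev["image"])
            dest = ev["dest_host"]
        except (ValueError, KeyError, TypeError):
            parse_errors += 1  # malformed telemetry is counted, not silently dropped
            continue
        if proc in SCRIPT_HOSTS and host_matches(dest):
            alerts.append({
                "ts": ts,
                "host": ev["host"],
                "process": proc,
                "parent": image_name(ev.get("parent_image", "")),
                "dest_host": dest,
                "rule": "script-host-to-cloud-storage",
            })
    return {"alerts": alerts, "parse_errors": parse_errors}


def hosts_with_repeat_activity(alerts, min_days: int = 30) -> dict:
    """Map host -> days between its first and last alert, for hosts active at least min_days."""
    first_last = {}
    for a in alerts:
        lo, hi = first_last.get(a["host"], (a["ts"], a["ts"]))
        first_last[a["host"]] = (min(lo, a["ts"]), max(hi, a["ts"]))
    return {h: (hi - lo).days for h, (lo, hi) in first_last.items() if (hi - lo).days >= min_days}


if __name__ == "__main__":
    result = detect_cloud_relay(SAMPLE_EVENTS.splitlines())
    for alert in result["alerts"]:
        print(alert["ts"].isoformat(), alert["host"], alert["process"], "->", alert["dest_host"])
    print("parse errors:", result["parse_errors"])
    print("long-running hosts:", hosts_with_repeat_activity(result["alerts"]))
```

On the sample data the chrome.exe connection to CloudMe and the PowerShell connection to an internal WSUS host are correctly left alone, the look-alike domain evilpcloud.com does not match, and WS01 shows activity spanning well over a month, which is the kind of pattern the reported dwell time would produce.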

"As an element of unfair competition, corporate espionage is a relatively rare phenomenon in the APT world," said Rustam Mirkasymov, the head of Malware Dynamic Analysis Team at Group-IB. 

For RedCurl, it makes no difference whether to attack a Russian bank or a consulting company in Canada. Such groups focus on corporate espionage and employ various techniques to cover their activity, including the use of legitimate tools that are difficult to detect. 

The contents of the victim's documents and records can be much more valuable than the contents of their own wallets. 

Although espionage does not cause the direct financial damage typical of financially motivated cybercriminal groups, its consequences can amount to tens of millions of dollars.

"We continue to track RedCurl's new attacks worldwide. The lack of indicators and technical data about RedCurl makes it easier for the threat actor to continue their activity while also making it difficult to identify group attacks at an early stage," said Mirkasymov.

Group-IB therefore decided to release a technical report containing indicators of compromise, which organisations can use to check their networks for signs of RedCurl infections.
