Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:50 PM
Connect Directly

RedCurl APT Group Hacks Global Companies for Corporate Espionage

Researchers analyze a presumably Russian-speaking APT group that has been stealing corporate data since 2018.

RedCurl is its name. Corporate espionage is its game.

Security researchers today published findings on a new APT group they claim has been stealing data from organizations around the world as far back as 2018. Since then, RedCurl has targeted at least 14 private companies in 26 attacks designed to steal documents containing commercial secrets and employees' personal information.

Its targets span a range of industries and locations. The group has targeted organizations in construction, finance, consulting, retail, banking, insurance, law, and travel; its victims are in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway, researchers report.

Group-IB, a security firm based in Russia and Singapore, says the group is presumably Russian-speaking and launched its earliest known attack in May 2018. The company became aware of the threat in the summer of 2019 when its Computer Emergency Response Team received a call from a customer who said the company had been attacked. Efforts to mitigate the incident revealed especially well-written spear-phishing emails that indicated a planned and targeted attack.

Threat intelligence specialists took an interest and found RedCurl infected computers in specific departments within organizations and only took specific documents. Attackers performed in-depth intelligence on targets' infrastructure: Most often, they posed as HR staff and sent emails to multiple employees throughout the same division to make them seem less suspicious.

"They have information on who will open their emails," says Rustam Mirkasymov, head of Group-IB's malware dynamic analysis team. "They know which guys work in what department, and they attack the whole department, so if someone asks their colleagues if they've received any such emails, their colleagues will have gotten the same. It's really good preparation."

Content was carefully drafted. For example, the emails displayed the target company's address and logo, while the sender address contained the business' domain name. Group-IB highlights how the approach resembles the social-engineering attacks red teams use to test organizations.

To deliver the payload, attackers placed links in the email body to connect with legitimate cloud storage services, researchers explain in an extensive report on the threat. Links were disguised so employees wouldn't recognize the deployment of a Trojan-downloader Redcurl.Dropper, which gave the attackers a foothold onto the system and the ability to install and launch other malware modules. Like RedCurl's other custom tools, the dropper was written in PowerShell.

Mirkasymov notes the use of cloud services helps RedCurl fly under victims' radar. They don't pursue lateral movement or use active Trojans or RDP connections. They simply send a link and wait for victims to click. RedCurl.Dropper establishes connections with cloud storage services such as Cloudme, koofr.net, pcloud.com, and others.

"That's why it's not easy to detect their activity," he says. "They're really slow and silent."

Corporate Espionage: A New Threat to Watch
RedCurl's activity varies depending on its target. Spear-phishing attacks are sent to different levels depending on the business: In an attack on a German company, they went to high-level staff; in others against firms in Russia and Canada, midlevel employees were targeted.

Similarly, the data stolen varied from business to business. RedCurl has taken contracts, financial documents, employee personal records, and records of legal action and facility construction. Mirkasymov notes RedCurl has taken investigation cases from law and consulting firms, and employee profiles containing polygraph test results from retailers. 

When researchers poked around the underground forums, they didn't find any traces of these documents, so it doesn't appear RedCurl tried to sell it. Mirkasymov speculates someone hired the attackers to steal the information. The focus on corporate espionage is further supported by the geographical and industry range of RedCurl's victims.

There is no indication who might have hired RedCurl, where they might be based, or who is behind these attacks, he adds. The group is fairly new, and researchers hope to learn more over time.

"Corporate espionage is not something that we're used to on the cyberscene," Mirkasymov says. Researchers believe the frequency of these attacks indicates it's likely to become more widespread in the future.

They also noticed attackers seek email credentials: RedCurl uses the LaZagne tool, which extracts passwords from memory and files saved in the browser. If this doesn't work, it uses a PowerShell script that displays an Outlook window to snatch the victim's email address. They can then use another script to upload documents to the attacker-controlled cloud storage.

Related Content:


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
Overcoming the Challenge of Shorter Certificate Lifespans
Mike Cooper, Founder & CEO of Revocent,  10/15/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-10-22
The FileImporter extension in MediaWiki through 1.35.0 was not properly attributing various user actions to a specific user's IP address. Instead, for various actions, it would report the IP address of an internal Wikimedia Foundation server by omitting X-Forwarded-For data. This resulted in an inab...
PUBLISHED: 2020-10-22
The Cosmos Skin for MediaWiki through 1.35.0 has stored XSS because MediaWiki messages were not being properly escaped. This is related to wfMessage and Html::rawElement, as demonstrated by CosmosSocialProfile::getUserGroups.
PUBLISHED: 2020-10-22
In Python 3 through 3.9.0, the Lib/test/multibytecodec_support.py CJK codec tests call eval() on content retrieved via HTTP.
PUBLISHED: 2020-10-21
WSO2 API Manager 3.1.0 and earlier has reflected XSS on the "publisher" component's admin interface. More precisely, it is possible to inject an XSS payload into the owner POST parameter, which does not filter user inputs. By putting an XSS payload in place of a valid Owner Name, a modal b...
PUBLISHED: 2020-10-21
Adobe InDesign version 15.1.2 (and earlier) is affected by a memory corruption vulnerability due to insecure handling of a malicious .indd file, potentially resulting in arbitrary code execution in the context of the current user. User interaction is required to exploit this vulnerability.