Group-IB uncovers corporate espionage group RedCurl
Tech

TBS Report
13 August, 2020, 10:25 pm
Last modified: 13 August, 2020, 10:31 pm


Since 2018, RedCurl conducted 26 targeted attacks on commercial organisations alone, including companies in the fields of construction, finance, consulting, retail, banking, insurance, law and travel


Singapore-based cybersecurity company Group-IB has released an analytical report on the previously unknown advanced persistent threat (APT) group RedCurl, which focuses on corporate espionage. 

An APT uses sophisticated hacking techniques to gain access to a system and remain inside it for a prolonged period of time, according to Kaspersky, a world-leading cybersecurity solution provider. 

Because of this, an advanced persistent threat is particularly dangerous for enterprises, as the attackers have ongoing access to sensitive company data. 

RedCurl attacked dozens of targets all over the world, from Russia to Canada, in less than three years. The presumably Russian-speaking group conducts thoroughly planned attacks on private companies across numerous industries using a unique toolset. 

The attackers seek to steal documents that contain commercial secrets and employee personal data. 

According to Group-IB experts, corporate espionage has so far been a rare phenomenon on the hacker scene, but the frequency of such attacks these days suggests that it is likely to become more widespread in the future.  

Group-IB's new research contains the first-ever description of RedCurl's tactics, tools, and infrastructure. The report titled "RedCurl: The pentest you didn't know about" includes details about the group's kill chain discovered by Group-IB's Digital Forensics and Incident Response (DFIR) specialists. 

The report also contains unique data that Group-IB, a provider of solutions aimed at detection and prevention of cyberattacks, online fraud, IP protection and high-profile cyber investigations, collected during incident response engagements related to campaigns attributed to RedCurl. 

From Russia to Canada 

The APT group RedCurl, discovered by Group-IB Threat Intelligence experts, has been active since at least 2018. Since then, it has conducted 26 targeted attacks on commercial organisations alone, including companies in the fields of construction, finance, consulting, retail, banking, insurance, law and travel. 

RedCurl does not have a clear geographical link to any region. But its victims are located in Russia, Ukraine, the United Kingdom, Germany, Canada and Norway. 

As part of its activities, the group acted as covertly as possible to minimise the risk of being discovered on the victim's network. In all campaigns, RedCurl's main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction. 

This could indicate that RedCurl's attacks might have been commissioned for the purpose of corporate espionage. 

It is noteworthy that one of the group's possible victims was an employee of a cybersecurity company that protects its customers against precisely such attacks. 

In total, Group-IB has identified 14 organisations that fell victim to RedCurl's espionage, some on several occasions. Group-IB specialists contacted each of them. Currently, some of the affected companies continue to respond to the incidents.    

Who are you, Mr Pentester?

The earliest known RedCurl attack dates back to May 2018. As with all subsequent campaigns, the initial compromise vector was a well-written phishing email. 

The group performed in-depth intelligence of the victim's infrastructure: each email targeted a specific team rather than the organisation as a whole. 

Most often, the attackers posed as HR staff at the targeted organisation and sent emails to multiple employees in the same department, which made the victims less vigilant. 

For example, the employees would receive the same email about annual bonuses. 

The spear-phishing email content was always carefully drafted. For instance, the emails displayed the targeted company's address and logo, while the sender address featured the company's domain name. 

Group-IB Threat Intelligence experts highlight that RedCurl's approach resembles social engineering attacks that red teaming specialists usually conduct to test an organisation's ability to combat advanced cyber-attacks using techniques and tools from hacker groups' arsenals. 

Tricky cloud 

To deliver the payload, RedCurl used archives and links placed in the email body that led to legitimate cloud storage services. 

The links were disguised so that the victim would not suspect that opening the attached document about bonuses, apparently hosted on the company's official website, would deploy a Trojan on the local network, controlled by the attacker through the cloud. 

The Trojan-downloader RedCurl.Dropper served as the attackers' pass to the targeted system: it installed and launched the other malware modules. Like the group's other custom tools, the dropper was written in PowerShell, a task automation and configuration management framework from Microsoft.

RedCurl's main goal is to steal documentation from the victim's infrastructure and business emails. After gaining access to the target network, the cybercriminals scan the list of folders and office documents accessible from the infected computer. 

Information about them is sent to the cloud, after which a RedCurl operator decides which folders and files should be uploaded. 

At the same time, all files with the extensions *.jpg, *.pdf, *.doc, *.docx, *.xls and *.xlsx found on network drives are replaced with modified LNK shortcuts. When a user opens such a file, RedCurl.Dropper is launched. This helps RedCurl infect new machines within the victim organisation and propagate across the network. 
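A defender can hunt for this propagation trick by looking on file shares for shortcuts that carry a document name and launch a script interpreter. The check below is an added example, not Group-IB's code or tooling; it works on a constructed share listing of (name, shortcut target, arguments) tuples, since resolving real LNK targets needs a parser that is out of scope here.

```python
"""Flag document-lookalike LNK shortcuts of the kind described in the report.
Constructed input; hypothetical helper names (doc_stem_ext, classify_lnk, hunt)."""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Extensions the report says RedCurl overwrites with shortcuts.
DOC_EXTS = {".jpg", ".pdf", ".doc", ".docx", ".xls", ".xlsx"}
# A shortcut that claims to be a document should never launch an interpreter.
SUSPICIOUS_TARGETS = re.compile(
    r"(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$", re.I)
# Typical PowerShell evasion switches seen in script-based droppers.
SUSPICIOUS_ARGS = re.compile(
    r"-(enc|encodedcommand|e)\b|-w(indowstyle)?\s+hidden|-nop\b|bypass|downloadstring|\biex\b", re.I)


def doc_stem_ext(name: str) -> Optional[str]:
    """Return the document extension hidden before '.lnk' (e.g. 'a.docx.lnk' -> '.docx')."""
    lower = name.lower()
    if not lower.endswith(".lnk"):
        return None
    stem = lower[:-4]
    dot = stem.rfind(".")
    if dot == -1:
        return None
    ext = stem[dot:]
    return ext if ext in DOC_EXTS else None


def classify_lnk(name: str, target: str, args: str) -> List[str]:
    """Collect the reasons a shortcut looks like a planted dropper launcher."""
    reasons = []
    ext = doc_stem_ext(name)
    if ext:
        reasons.append(f"document-lookalike name ({ext}.lnk)")
    if SUSPICIOUS_TARGETS.search(target.strip('"')):
        reasons.append(f"launches interpreter {target}")
    if SUSPICIOUS_ARGS.search(args):
        reasons.append("scripting/evasion switches in arguments")
    return reasons


def hunt(entries: Iterable[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Return {shortcut name: reasons} for every suspicious .lnk in a share listing."""
    findings = {}
    for name, target, args in entries:
        if name.lower().endswith(".lnk"):
            reasons = classify_lnk(name, target, args)
            if reasons:
                findings[name] = reasons
    return findings


# Constructed sample listing of a network share (not real data).
SAMPLE = [
    ("Q2_contract.docx.lnk", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-w hidden -nop -enc QQBCAEMA"),
    ("budget.xlsx.lnk", r"C:\Windows\System32\cmd.exe", r'/c start "" "\\fs01\share\budget.xlsx"'),
    ("Shared Calendar.lnk", r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "/select outlook:calendar"),
    ("Q2_contract.docx", "", ""),
]

if __name__ == "__main__":
    for lnk, why in hunt(SAMPLE).items():
        print(lnk, "->", "; ".join(why))
```

A real sweep would additionally compare the share against a recent backup or file inventory, since the report says the original document is replaced rather than merely accompanied by the shortcut.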

The attackers also seek to steal email credentials. To do so, RedCurl uses the LaZagne tool, which extracts passwords from memory and from files saved in the victim's web browser. 

If RedCurl fails to obtain the data required, it uses a Windows PowerShell script that displays a phishing pop-up Microsoft Outlook window to the victim. 

After gaining access to the victim's email, RedCurl uses another PowerShell script to analyse the mailbox and upload all documents of interest to cloud storage. 

Covering traces

As part of incident response engagements related to RedCurl's attacks, Group-IB's DFIR specialists discovered that, after gaining initial access to the victim's network, the group remains there for two to six months. 

The RedCurl.Dropper Trojan, like the group's other tools, does not connect directly to the attackers' C&C server. Instead, all communication between the victim's infrastructure and the attackers goes through legitimate cloud storage services such as Cloudme, koofr.net and pcloud.com. 

All commands are passed as PowerShell scripts. This allows RedCurl to remain undetected by traditional security solutions for a long time. 

"As an element of unfair competition, corporate espionage is a relatively rare phenomenon in the APT world," said Rustam Mirkasymov, the head of Malware Dynamic Analysis Team at Group-IB. 

For RedCurl, it makes no difference whether to attack a Russian bank or a consulting company in Canada. Such groups focus on corporate espionage and employ various techniques to cover their activity, including the use of legitimate tools that are difficult to detect. 

The contents of the victim's documents and records can be much more valuable than the contents of their own wallets. 

Despite the lack of direct financial damage, which is typical of financially motivated cybercriminal groups, the consequences of espionage can amount to tens of millions of dollars. 

"We continue to track RedCurl's new attacks worldwide. The lack of indicators and technical data about RedCurl makes it easier for the threat actor to continue their activity while also making it difficult to identify group attacks at an early stage," said Mirkasymov.

Group-IB therefore decided to release a technical report containing indicators of compromise, which organisations can use to check their networks for signs of RedCurl infections.
