G1039 RedCurl
RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[1] RedCurl is allegedly a Russian-speaking threat actor.[1][2] The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.
| Item | Value |
|---|---|
| ID | G1039 |
| Associated Names | |
| Version | 1.0 |
| Created | 23 September 2024 |
| Last Modified | 23 September 2024 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.001 | Local Account | RedCurl has collected information about local accounts.[1][2] |
| enterprise | T1087.002 | Domain Account | RedCurl has collected information about domain accounts using Sysinternals’ AdExplorer functionality.[1][2] |
| enterprise | T1087.003 | Email Account | RedCurl has collected information about email accounts.[1][2] |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | RedCurl has used the HTTP, HTTPS and WebDAV protocols for C2 communications.[1][2] |
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.001 | Archive via Utility | RedCurl has downloaded 7-Zip to decompress password-protected archives.[4] |
| enterprise | T1119 | Automated Collection | RedCurl has used batch scripts to collect data.[1][2] |
| enterprise | T1020 | Automated Exfiltration | RedCurl has used batch scripts to exfiltrate data.[1][2] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | RedCurl has established persistence by creating entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | RedCurl has used PowerShell to execute commands and to download malware.[1][2][4] |
| enterprise | T1059.003 | Windows Command Shell | RedCurl has used the Windows Command Prompt to execute commands.[1][2][4] |
| enterprise | T1059.005 | Visual Basic | RedCurl has used VBScript to run malicious files.[1][2] |
| enterprise | T1059.006 | Python | RedCurl has used a Python script to establish outbound communication and to execute commands using SMB port 445.[4] |
| enterprise | T1555 | Credentials from Password Stores | - |
| enterprise | T1555.003 | Credentials from Web Browsers | RedCurl has used LaZagne to obtain passwords from web browsers.[1][2] |
| enterprise | T1005 | Data from Local System | RedCurl has collected data from the local disk of compromised hosts.[1][2] |
| enterprise | T1039 | Data from Network Shared Drive | RedCurl has collected data about network drives.[1][2] |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.001 | Malware | RedCurl has created its own tools to use during operations.[3] |
| enterprise | T1114 | Email Collection | - |
| enterprise | T1114.001 | Local Email Collection | RedCurl has collected emails to use in future phishing campaigns.[1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | RedCurl has used AES-128 CBC to encrypt C2 communications.[2] |
| enterprise | T1573.002 | Asymmetric Cryptography | RedCurl has used HTTPS for C2 communication.[1][2] |
| enterprise | T1083 | File and Directory Discovery | RedCurl has searched for and collected files on local and network drives.[1][2][3] |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.001 | Hidden Files and Directories | RedCurl has added the “hidden” file attribute to the original files, tricking victims into clicking malicious LNK files instead.[1][2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | RedCurl has deleted files after execution.[1][2][4] |
| enterprise | T1202 | Indirect Command Execution | RedCurl has used pcalua.exe to obscure binary execution and remote connections.[4] |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.002 | GUI Input Capture | RedCurl has prompted the user for credentials through a Microsoft Outlook pop-up.[1][2] |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | RedCurl has mimicked legitimate file names and scheduled task names, e.g. MicrosoftCurrentupdatesCheck and MdMMaintenenceTask, to mask malicious files and scheduled tasks.[1][2] |
| enterprise | T1046 | Network Service Discovery | RedCurl has used netstat to check whether port 4119 is open.[4] |
| enterprise | T1027 | Obfuscated Files or Information | RedCurl has used malware with string encryption.[3] RedCurl has also encrypted data and has encoded PowerShell commands using Base64.[1][2] RedCurl has used PyArmor to obfuscate the execution of LaZagne.[1] Additionally, RedCurl has disguised downloaded files by renaming them after commonly used tools and has used echo, instead of the file names themselves, to execute files.[4] |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.001 | LSASS Memory | RedCurl has used LaZagne to obtain passwords from memory.[1][2] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | RedCurl has used phishing emails with malicious files to gain initial access.[1][4] |
| enterprise | T1566.002 | Spearphishing Link | RedCurl has used phishing emails with malicious links to gain initial access.[1][2] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | RedCurl has created scheduled tasks for persistence.[1][2][4] |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.011 | Rundll32 | RedCurl has used rundll32.exe to execute malicious files.[1][2][4] |
| enterprise | T1082 | System Information Discovery | RedCurl has collected information about the target system, such as system information and the list of network connections.[1][2] |
| enterprise | T1080 | Taint Shared Content | RedCurl has placed modified LNK files on network drives for lateral movement.[1][2] |
| enterprise | T1537 | Transfer Data to Cloud Account | RedCurl has used cloud storage to exfiltrate data; in particular, the megatools utilities were used to exfiltrate data to Mega, a file storage service.[1][2] |
| enterprise | T1199 | Trusted Relationship | RedCurl has gained access to a contractor in order to pivot into the victim’s infrastructure.[3] |
| enterprise | T1552 | Unsecured Credentials | - |
| enterprise | T1552.001 | Credentials In Files | RedCurl has used LaZagne to obtain passwords stored in files.[1][2] |
| enterprise | T1552.002 | Credentials in Registry | RedCurl has used LaZagne to obtain passwords stored in the Registry.[1][2] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | RedCurl has used malicious links to infect victim machines.[1][2] |
| enterprise | T1204.002 | Malicious File | RedCurl has used malicious files to infect victim machines.[1][2][4] |
| enterprise | T1102 | Web Service | RedCurl has used web services to download malicious files.[1][2] |
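Several rows above describe host-level behaviours a defender can key on directly: Run-key persistence under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, scheduled tasks named to mimic maintenance jobs (MicrosoftCurrentupdatesCheck, MdMMaintenenceTask), Base64-encoded PowerShell, proxy execution through pcalua.exe and rundll32.exe, and a netstat check for port 4119. The script below is an added detection example written for this page; it is not MITRE’s, Group-IB’s or Trend Micro’s code. The event records are constructed, their field names (`type`, `image`, `cmdline`, `key`, `task`, `action`) are assumptions modelled loosely on Sysmon-style telemetry, and the only indicators it uses are the ones quoted in the table.

```python
import base64
import re

# Indicators taken from the technique descriptions on this page.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
SUSPECT_TASK_NAMES = {"microsoftcurrentupdatescheck", "mdmmaintenencetask"}
PROXY_BINARIES = {"pcalua.exe": "T1202", "rundll32.exe": "T1218.011"}
PORT_CHECK_BINARIES = {"netstat.exe", "findstr.exe"}
PROBED_PORT = "4119"

# PowerShell accepts -e, -ec, -enc and -EncodedCommand; the payload is
# Base64 of a UTF-16LE string.
ENC_RE = re.compile(r"-e(?:ncodedcommand|nc|c)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_powershell(cmdline):
    """Return the decoded script if the command line carries an encoded
    command, otherwise None (malformed Base64 is treated as 'not encoded')."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev):
    """Map one telemetry record to a list of (technique_id, reason) findings."""
    findings = []
    kind = ev.get("type")
    if kind == "registry_set":
        # T1547.001: any value written below the current-user Run key.
        if ev.get("key", "").lower().startswith(RUN_KEY.lower()):
            findings.append(("T1547.001",
                             f"Run key written by {ev.get('image')}: {ev.get('data')}"))
    elif kind == "task_created":
        # T1036.005 + T1053.005: task name matches the masquerading names above.
        if ev.get("task", "").lower() in SUSPECT_TASK_NAMES:
            findings.append(("T1036.005", f"task name mimics a maintenance task: {ev['task']}"))
            findings.append(("T1053.005", f"scheduled task runs {ev.get('action')}"))
    elif kind == "process":
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        cmd = ev.get("cmdline", "")
        if image in PROXY_BINARIES:
            findings.append((PROXY_BINARIES[image], f"{image} launched: {cmd}"))
        decoded = decode_encoded_powershell(cmd)
        if decoded is not None:
            findings.append(("T1027", f"encoded PowerShell decodes to: {decoded}"))
        if image in PORT_CHECK_BINARIES and PROBED_PORT in cmd:
            findings.append(("T1046", f"{image} used to check for port {PROBED_PORT}"))
    return findings


def scan(events):
    """Run every record through analyze_event and return the flat list of findings."""
    return [f for ev in events for f in analyze_event(ev)]


# Constructed sample telemetry (not real captures); the encoded command is a
# harmless 'Get-Process' so the decoder has something to decode.
ENCODED_SAMPLE = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "registry_set", "image": r"C:\Windows\System32\reg.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"wscript.exe C:\Users\Public\update.vbs"},
    {"type": "task_created", "task": "MicrosoftCurrentupdatesCheck",
     "action": r"C:\Users\Public\check.lnk"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": f"powershell.exe -NoP -W Hidden -enc {ENCODED_SAMPLE}"},
    {"type": "process", "image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r"pcalua.exe C:\Users\Public\tool.exe"},
    {"type": "process", "image": r"C:\Windows\System32\findstr.exe",
     "cmdline": "findstr 4119"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},  # benign control record
]

if __name__ == "__main__":
    for tid, reason in scan(SAMPLE_EVENTS):
        print(f"{tid}: {reason}")
```

In a real pipeline the constructed `SAMPLE_EVENTS` list would be replaced by parsed Sysmon or EDR records, and the task-name check should be broadened with the organisation’s own allow-list of legitimate maintenance tasks, since the two names on this page are only the ones the cited reports observed.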
References
- [1] Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
- [2] Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
- [3] Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on ‘major Russian bank,’ Australian company. Retrieved August 9, 2024.
- [4] Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.