RedCurl APT Uses Spear Phishing to Conduct Corporate Espionage

A previously unobserved APT group called “RedCurl” has been launching cyber espionage campaigns against organizations around the world since at least 2018, according to researchers at Group-IB. The researchers say the group has launched at least 26 attacks against 14 organizations located in Canada, Germany, Norway, Russia, Ukraine, and the United Kingdom. Based on RedCurl’s seemingly arbitrary targeting pattern and the type of material it steals, the researchers suspect that the group consists of hackers-for-hire conducting corporate espionage for clients.

“[RedCurl] has conducted 26 targeted attacks on commercial organizations alone, including companies in the fields of construction, finance, consulting, retail, banking, insurance, law, and travel,” the researchers write. “In all campaigns, RedCurl’s main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction.”

RedCurl sends spear phishing emails posing as real employees to induce victims into downloading the group’s custom malware.

“As with all subsequent campaigns, the initial compromise vector was a well-written phishing email,” Group-IB says. “The group performed in-depth intelligence of the victim’s infrastructure: each email targeted a specific team rather than the organization as a whole. Most often, the attackers posed as HR staff at the targeted organization and sent emails to multiple employees in the same department, which made the victims less vigilant. For example, the employees would receive the same email about annual bonuses. The spear-phishing email content was always carefully drafted. For instance, the emails displayed the targeted company’s address and logo, while the sender address featured the company’s domain name.”
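The lure described above relies on a sender address carrying the target company’s own domain. One defensive control is to treat any inbound message whose From: domain is your own as internal-looking mail that must pass sender authentication. The script below is an added example (not Group-IB’s code, and not derived from the RedCurl emails): it reads RFC 8601 Authentication-Results headers and the Reply-To header, and returns the reasons a message should be held for review. `OUR_DOMAIN` and both sample messages are constructed for illustration.

```python
"""Flag inbound mail that claims the organization's own domain but fails sender
authentication. Added example, not Group-IB's code; OUR_DOMAIN and the sample
messages are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumption: the defended organization's domain


def authentication_verdicts(msg) -> dict:
    """Parse Authentication-Results headers (RFC 8601) into {method: result}."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        # the first clause is the authserv-id; later clauses are 'method=result ...'
        for clause in header.split(";")[1:]:
            token = clause.strip().split(" ", 1)[0]
            if "=" in token:
                method, result = token.split("=", 1)
                verdicts[method.lower()] = result.lower()
    return verdicts


def domain_of(address: str) -> str:
    """Lower-cased domain part of an RFC 5322 address header value."""
    return parseaddr(address)[1].rpartition("@")[2].lower()


def assess_message(raw: str) -> list:
    """Return reasons an internal-looking message should be quarantined for review."""
    msg = message_from_string(raw)
    if domain_of(msg.get("From", "")) != OUR_DOMAIN:
        return []  # this check only covers mail that claims to be internal
    reasons = []
    verdicts = authentication_verdicts(msg)
    for method in ("spf", "dkim", "dmarc"):
        if verdicts.get(method) != "pass":
            reasons.append(f"{method} did not pass ({verdicts.get(method, 'absent')})")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != OUR_DOMAIN:
        reasons.append(f"Reply-To points outside the organization ({domain_of(reply_to)})")
    return reasons


# Constructed sample: a bonus-themed lure spoofing the company's own domain
SPOOFED_HR_MAIL = """\
From: HR Department <hr@example.com>
To: finance-team@example.com
Reply-To: hr-bonus@mail-example.net
Subject: Annual bonus statements
Authentication-Results: mx.example.com;
 spf=fail smtp.mailfrom=example.com;
 dkim=none;
 dmarc=fail header.from=example.com

Please review your bonus statement at the link below.
"""

# Constructed sample: a genuine internal notice that passes all three checks
GENUINE_HR_MAIL = """\
From: HR Department <hr@example.com>
To: finance-team@example.com
Subject: Holiday schedule
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com

The holiday schedule is attached to the intranet announcement.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_HR_MAIL), ("genuine", GENUINE_HR_MAIL)):
        print(label, "->", assess_message(raw) or "no findings")
```

The check deliberately trusts only the Authentication-Results header written by your own border MTA (`mx.example.com` in the samples); in production, strip or ignore any such header that arrives from outside before the gateway adds its own, otherwise a sender can pre-fill a passing verdict.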

The links in the emails led to malware downloads hosted on legitimate cloud services so users wouldn’t suspect that the links were malicious. Once the malware was installed, its operators would begin exfiltrating data from the infected system. The malware also replaces files on network drives with tampered shortcut files so that whenever one of the files is opened, the malware’s dropper is launched in the background. This enables the malware to spread to other hosts on the network.
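The shortcut-replacement trick works because Explorer hides the `.lnk` extension, so a shortcut named `Contract.docx.lnk` displays as `Contract.docx` while actually launching an interpreter. A hunting script for a file share can surface these without touching the malware at all. The following is an added example, not Group-IB’s or RedCurl’s code: it contains a minimal parser for the Shell Link binary format ([MS-SHLLINK]) that reads the header, skips the LinkTargetIDList and LinkInfo sections, and extracts the StringData fields (relative path, arguments, and so on). The heuristics, the `build_lnk` fixture builder and the temporary “share” it populates are this example’s own assumptions; ExtraData blocks are ignored.

```python
"""Hunt for document-lookalike shortcut (.lnk) files on a file share.
Added example, not Group-IB's or RedCurl's code. Minimal [MS-SHLLINK] parser:
header, skip LinkTargetIDList/LinkInfo, read StringData; ExtraData is ignored."""
import struct
import tempfile
from pathlib import Path

# LinkFlags bits (header offset 20) per [MS-SHLLINK]
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
HAS_RELATIVE_PATH, HAS_ARGUMENTS = 0x08, 0x20
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))  # in file order
LNK_MAGIC = b"\x4c\x00\x00\x00"  # HeaderSize field, always 76
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 76
# Heuristics (this example's assumptions): Explorer hides the .lnk extension, so
# a shortcut named like a document is suspect, and a link to a document has no
# reason to launch an interpreter or to carry command-line arguments.
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".txt", ".rtf")
INTERPRETERS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk file as a dict."""
    if data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]      # LinkInfoSize includes itself
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]     # CountCharacters
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + width * count]
        fields[name] = raw.decode("utf-16-le" if width == 2 else "cp1252")
        pos += width * count
    return fields


def assess_shortcut(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a tampered document link."""
    reasons = []
    stem = Path(filename).stem.lower()  # "contract.docx" for Contract.docx.lnk
    looks_like_document = stem.endswith(DOC_EXTENSIONS)
    if looks_like_document:
        reasons.append("file name mimics a document (Explorer hides .lnk)")
    fields = parse_lnk(data)
    target = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    if any(name in target for name in INTERPRETERS):
        reasons.append("shortcut launches a command or script interpreter")
    if looks_like_document and fields.get("arguments"):
        reasons.append("document-lookalike shortcut passes command-line arguments")
    return reasons


def scan_share(root: Path) -> dict:
    """Walk a share and map each suspicious .lnk (path relative to root) to reasons."""
    findings = {}
    for path in root.rglob("*.lnk"):
        try:
            reasons = assess_shortcut(path.name, path.read_bytes())
        except ValueError:
            continue  # not a real shortcut; skip
        if reasons:
            findings[str(path.relative_to(root))] = reasons
    return findings


def build_lnk(relative_path: str, arguments: str = None) -> bytes:
    """Construct a minimal .lnk as a test fixture (not a real tampered file)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE | (HAS_ARGUMENTS if arguments is not None else 0)
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(HEADER_SIZE - len(header))  # remaining header fields zeroed

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    body = string_data(relative_path)
    if arguments is not None:
        body += string_data(arguments)
    return header + body


def demo() -> dict:
    """Populate a temporary 'share' with constructed fixtures and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Finance").mkdir()
        # constructed tampered shortcut: named like a contract, runs cmd.exe with arguments
        (root / "Finance" / "Contract_2020.docx.lnk").write_bytes(
            build_lnk(r"..\..\Windows\System32\cmd.exe", "/c start PLACEHOLDER"))
        # constructed benign shortcut: plain folder link, no arguments
        (root / "Shared Folder.lnk").write_bytes(build_lnk(r"..\Projects\Shared Folder"))
        return scan_share(root)


if __name__ == "__main__":
    for name, reasons in demo().items():
        print(name, "->", "; ".join(reasons))
```

Run it against a mounted share by calling `scan_share(Path(r"\\fileserver\share"))` instead of `demo()`; the relative-path heuristic catches the common case, but a full triage should also resolve the LinkTargetIDList, which this minimal parser only skips.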

Rustam Mirkasymov, the head of Group-IB’s Malware Dynamic Analysis Team, pointed out that corporate espionage is an extremely costly problem.

“As an element of unfair competition, corporate espionage is a relatively rare phenomenon in the APT world,” Mirkasymov said. “For RedCurl, it makes no difference whether to attack a Russian bank or a consulting company in Canada. Such groups focus on corporate espionage and employ various techniques to cover their activity, including the use of legitimate tools that are difficult to detect. The contents of the victim’s documents and records can be much more valuable than the contents of their own wallets. Despite the lack of direct financial damage, which is typical of financially motivated cybercriminal groups, the consequences of espionage can amount to tens of millions of dollars.”

New-school security awareness training can enable your employees to recognize and report any suspicious emails. In this case, the attackers sent the same spear phishing emails to multiple employees within the same department, and only one of them had to click the link for the attack to succeed.

Group-IB has the story.

Free Phishing Security Test

Would your users fall for convincing phishing attacks? Take the first step now and find out before the bad guys do. Plus, see how you stack up against your peers with phishing Industry Benchmarks. The Phish-prone percentage is usually higher than you expect and is great ammo to get budget.

Here's how it works:

  • Immediately start your test for up to 100 users (no need to talk to anyone)
  • Select from 20+ languages and customize the phishing test template based on your environment
  • Choose the landing page your users see after they click
  • Show users which red flags they missed, or a 404 page
  • Get a PDF emailed to you in 24 hours with your Phish-prone % and charts to share with management
  • See how your organization compares to others in your industry
