A previously unobserved APT group called “RedCurl” has been launching cyber espionage campaigns against organizations around the world since at least 2018, according to researchers at Group-IB. The researchers say the group has launched at least 26 attacks against 14 organizations located in Canada, Germany, Norway, Russia, Ukraine, and the United Kingdom. Based on RedCurl’s seemingly arbitrary targeting pattern and the type of material it steals, the researchers suspect that the group consists of hackers-for-hire conducting corporate espionage for clients.
“[RedCurl] has conducted 26 targeted attacks on commercial organizations alone, including companies in the fields of construction, finance, consulting, retail, banking, insurance, law, and travel,” the researchers write. “In all campaigns, RedCurl’s main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction.”
RedCurl sends spear phishing emails posing as real employees to induce victims into downloading the group’s custom malware.
“As with all subsequent campaigns, the initial compromise vector was a well-written phishing email,” Group-IB says. “The group performed in-depth intelligence of the victim’s infrastructure: each email targeted a specific team rather than the organization as a whole. Most often, the attackers posed as HR staff at the targeted organization and sent emails to multiple employees in the same department, which made the victims less vigilant. For example, the employees would receive the same email about annual bonuses. The spear-phishing email content was always carefully drafted. For instance, the emails displayed the targeted company’s address and logo, while the sender address featured the company’s domain name.”
The links in the emails led to malware downloads hosted on legitimate cloud services so users wouldn’t suspect that the links were malicious. Once the malware was installed, its operators would begin exfiltrating data from the infected system. The malware also replaces files on network drives with tampered shortcut files so that whenever one of the files is opened, the malware’s dropper is launched in the background. This enables the malware to spread to other hosts on the network.
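One way a defender can hunt for the shortcut replacement described above: parse each `.lnk` found on a file share and flag those that carry a document-style name but point a command host at something else. This is an added example, not Group-IB's tooling or RedCurl's code; the heuristics (double extension, command/script host as target, minimized window) are assumptions, and the sample shortcut bytes are constructed here with a placeholder dropper name.

```python
import struct

# LinkFlags bits and ShowCommand value from the MS-SHLLINK specification.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                   # window starts minimized, never takes focus
DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".pdf")
COMMAND_HOSTS = ("cmd.exe", "powershell", "wscript", "cscript", "mshta", "rundll32")

def parse_lnk(data: bytes) -> dict:
    """Read the header, skip IDList/LinkInfo, and return the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "show": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:               # IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:             # LinkInfoSize includes its own 4 bytes
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    for flag, key in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                      (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon")):
        if flags & flag:                 # CountCharacters, then that many UTF-16 or ANSI chars
            n = struct.unpack_from("<H", data, pos)[0] * width
            info[key] = data[pos + 2:pos + 2 + n].decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + n
    return info

def shortcut_findings(filename: str, data: bytes) -> list:
    """Assumed heuristics (not Group-IB's) for a share shortcut posing as a document."""
    findings, name = [], filename.lower()
    if name.endswith(".lnk") and name[:-4].endswith(DOC_EXTS):
        findings.append("document name hiding a .lnk extension")
    info = parse_lnk(data)
    target = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    if any(host in target for host in COMMAND_HOSTS):
        findings.append("target is a command or script host")
    if info["show"] == SW_SHOWMINNOACTIVE:
        findings.append("window kept out of sight (SW_SHOWMINNOACTIVE)")
    return findings

def _utf16_field(text: str) -> bytes:
    return struct.pack("<H", len(text)) + text.encode("utf-16-le")

# Constructed sample: a "contract" shortcut that quietly runs a placeholder dropper.
SAMPLE_LNK = (struct.pack("<I", 0x4C) + bytes(16) + struct.pack("<I", HAS_RELPATH | HAS_ARGS | IS_UNICODE)
              + bytes(36) + struct.pack("<I", SW_SHOWMINNOACTIVE) + bytes(12)
              + _utf16_field("..\\..\\Windows\\System32\\cmd.exe")
              + _utf16_field("/c PLACEHOLDER_DROPPER.exe"))
```

Run `shortcut_findings` over every `.lnk` on a share (for example via `os.walk`) and alert on any file that returns two or more findings; a legitimate shortcut to a document normally yields none.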
Rustam Mirkasymov, the head of Group-IB’s Malware Dynamic Analysis Team, pointed out that corporate espionage is an extremely costly problem.
“As an element of unfair competition, corporate espionage is a relatively rare phenomenon in the APT world,” Mirkasymov said. “For RedCurl, it makes no difference whether to attack a Russian bank or a consulting company in Canada. Such groups focus on corporate espionage and employ various techniques to cover their activity, including the use of legitimate tools that are difficult to detect. The contents of the victim’s documents and records can be much more valuable than the contents of their own wallets. Despite the lack of direct financial damage, which is typical of financially motivated cybercriminal groups, the consequences of espionage can amount to tens of millions of dollars.”
New-school security awareness training can enable your employees to recognize and report any suspicious emails. In this case, the attackers sent the same spear phishing emails to multiple employees within the same department, and only one of them had to click the link for the attack to succeed.
Group-IB has the story.