A group of cyber espionage hackers has resurfaced after a seven-month hiatus with new intrusions targeting four companies this year, including one of Russia’s largest wholesale stores, while simultaneously making tactical improvements to its toolset in an attempt to thwart analysis.
“In each attack, the threat actor demonstrates extensive red teaming skills and the ability to bypass traditional antivirus detection using their own custom malware,” said Ivan Pisarev of Group-IB.
Active since at least November 2018, the Russian-speaking hacking group RedCurl has been linked to 30 attacks to date involving corporate cyber espionage and document theft, targeting 14 organizations spanning the construction, finance, consulting, retail, insurance and legal sectors and located in the UK, Germany, Canada, Norway, Russia and Ukraine.
The threat actor uses a range of established hacking tools to infiltrate its targets and steal internal company documentation, such as personnel records, court and legal records, and corporate email history, with the time between the initial infection and the actual theft of the data ranging from two to six months.
RedCurl’s modus operandi sets it apart from other adversaries, not least because it doesn’t deploy backdoors and doesn’t rely on post-exploitation tools like CobaltStrike and Meterpreter, both of which are considered typical methods of remotely controlling compromised devices. Moreover, despite maintaining entrenched access, the group has not been observed carrying out financially motivated attacks involving the encryption of the victim’s infrastructure or demands for ransom in exchange for the stolen data.
Rather, the emphasis appears to be on obtaining valuable information as covertly as possible, using a combination of self-developed and publicly available programs to gain initial access via social engineering, perform reconnaissance, establish persistence, move laterally and exfiltrate sensitive documents.
“Espionage in cyberspace is a hallmark of advanced state-sponsored persistent threats,” the researchers said. “In most cases, such attacks target other states or crown corporations. Corporate cyber espionage is still a relatively rare event and, in many ways, unique. However, it is possible that the group’s success will lead to a new trend in cybercrime.”