RedCurl: The Security research Group-IB has identified a new Russian speaking threat actor that has reportedly been carrying out attacks over the past three years. Focusing on corporate espionage, the group has been targeting companies all over the world, stealing documents that contain commercial secrets and employee data. Since originally discovered in 2019, Group-IB has found a total of 26 separate attacks against 14 different organizations. Industries targeted included construction companies, retailers, travel agencies, insurance companies, banks, and law firms. It was discovered that the group did not use complex tools or attack methods during their campaigns and instead utilized spear-phishing attacks for initial access. However, the group did take time to personalize their phishing emails by incorporating the target companies’ logo and the sender’s address contained the same domain name as the target company. The emails contained links to malicious files for the victims to download. Once the file had been downloaded, the victim’s computer was infected with a collection of PowerShell-based trojans. The threat actor typically stayed active in a network for two to six months.
Analyst Notes
New groups are always being discovered by researchers. This group avoided detection for many years by using less-complex methods to infect companies. Now that the group has been identified, they may start to change their tactics to continue to infect victims. RedCurl used the WebDAV protocol as a data exfiltration channel similar to other threat actors such as CloudAtlas and RedOctober. However, no overlap between the groups has been discovered.
More can be read here: https://www.zdnet.com/article/redcurl-cybercrime-group-has-hacked-companies-for-three-years/
