RedCurl APT Group Hacks Global Companies for Corporate Espionage

Researchers analyze a presumably Russian-speaking APT group that has been stealing corporate data since 2018.

RedCurl is its name. Corporate espionage is its game.
Security researchers today published findings on a new APT group they claim has been stealing data from organizations around the world as far back as 2018. Since then, RedCurl has targeted at least 14 private companies in 26 attacks designed to steal documents containing commercial secrets and employees personal information.
Its targets span a range of industries and locations. The group has targeted organizations in construction, finance, consulting, retail, banking, insurance, law, and travel; its victims are in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway, researchers report.
Group-IB, a security firm based in Russia and Singapore, says the group is presumably Russian-speaking and launched its earliest known attack in May 2018. The company became aware of the threat in the summer of 2019 when its Computer Emergency Response Team received a call from a customer who said the company had been attacked. Efforts to mitigate the incident revealed especially well-written spear-phishing emails that indicated a planned and targeted attack.
Threat intelligence specialists took an interest and found RedCurl infected computers in specific departments within organizations and only took specific documents. Attackers performed in-depth intelligence on targets infrastructure: Most often, they posed as HR staff and sent emails to multiple employees throughout the same division to make them seem less suspicious.
They have information on who will open their emails, says Rustam Mirkasymov, head of Group-IBs malware dynamic analysis team. They know which guys work in what department, and they attack the whole department, so if someone asks their colleagues if theyve received any such emails, their colleagues will have gotten the same. Its really good preparation.
Content was carefully drafted. For example, the emails displayed the target companys address and logo, while the sender address contained the business domain name. Group-IB highlights how the approach resembles the social-engineering attacks red teams use to test organizations.
To deliver the payload, attackers placed links in the email body to connect with legitimate cloud storage services, researchers explain in an extensive
report
on the threat. Links were disguised so employees wouldnt recognize the deployment of a Trojan-downloader Redcurl.Dropper, which gave the attackers a foothold onto the system and the ability to install and launch other malware modules. Like RedCurls other custom tools, the dropper was written in PowerShell.
Mirkasymov notes the use of cloud services helps RedCurl fly under victims radar. They dont pursue lateral movement or use active Trojans or RDP connections. They simply send a link and wait for victims to click. RedCurl.Dropper establishes connections with cloud storage services such as Cloudme, koofr.net, pcloud.com, and others.
Thats why its not easy to detect their activity, he says. Theyre really slow and silent.
Corporate Espionage: A New Threat to Watch
RedCurls activity varies depending on its target. Spear-phishing attacks are sent to different levels depending on the business: In an attack on a German company, they went to high-level staff; in others against firms in Russia and Canada, midlevel employees were targeted.
Similarly, the data stolen varied from business to business. RedCurl has taken contracts, financial documents, employee personal records, and records of legal action and facility construction. Mirkasymov notes RedCurl has taken investigation cases from law and consulting firms, and employee profiles containing polygraph test results from retailers.
When researchers poked around the underground forums, they didnt find any traces of these documents, so it doesnt appear RedCurl tried to sell it. Mirkasymov speculates someone hired the attackers to steal the information. The focus on corporate espionage is further supported by the geographical and industry range of RedCurls victims.
There is no indication who might have hired RedCurl, where they might be based, or who is behind these attacks, he adds. The group is fairly new, and researchers hope to learn more over time.
Corporate espionage is not something that were used to on the cyberscene, Mirkasymov says. Researchers believe the frequency of these attacks indicates its likely to become more widespread in the future.
They also noticed attackers seek email credentials: RedCurl uses the LaZagne tool, which extracts passwords from memory and files saved in the browser. If this doesnt work, it uses a PowerShell script that displays an Outlook window to snatch the victims email address. They can then use another script to upload documents to the attacker-controlled cloud storage.
Related Content:
Emotet Return Brings New Tactics & Evasion Techniques
Kr00k, KRACK, and the Seams in Wi-Fi, IoT Encryption
A Rogues Gallery of MacOS Malware
The Threat from the Internet—and What Your Organization Can Do About It

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
RedCurl APT Group Hacks Global Companies for Corporate Espionage