RedCurl Corporate Espionage Hackers Resume Attacks with Updated Tools

A crew of highly-skilled hackers specialized in corporate espionage has resumed activity, one of their victims this year being a large wholesale company in Russia.

Tracked as RedCurl, the group attacked the Russian business twice this year, each time using carefully constructed spear-phishing emails with initial-stage malware.

Increasing the victim count

Active since 2018, RedCurl is responsible for at least 30 attacks against businesses in Russia (18 of them), Ukraine, Canada, Norway, the UK, and Germany, the latest four of them occurring this year.

RedCurl victim geography

The hackers are proficient at staying undetected for long periods, between two and six months, before stealing corporate data (staff records, documents about legal entities, court records, internal files, email history).

Hitting the same company twice

Researchers at cybersecurity company Group-IB noticed a seven-month gap in RedCurl’s activity, which the hackers used to add significant improvements to their set of custom tools and attack methods.

Among the hackers' latest victims is one of Russia's largest wholesale companies, which supplies chain stores and other wholesalers with home, office, and leisure goods.

For reasons that remain unknown, RedCurl attacked this company twice, gaining initial access via emails that impersonated the company's human resources department (announcing bonuses) and the government services portal.

RedCurl spear-phishing emails to a large wholesale company in Russia

In both cases, the goal was to deploy on the employee’s computer a malware downloader (RedCurl.InitialDropper) hidden in an attached document that could launch the next stage of the attack.

During the investigation, Group-IB found that RedCurl had extended the attack chain to five stages, up from the three or four steps observed previously.

Typical RedCurl kill chain

The hackers were careful not to raise any suspicion when the recipient opened the malicious document that launched the initial dropper, so they included a well-crafted decoy file with content related to the organization.

The dropper would fetch the RedCurl.Downloader tool, which collected info about the infected machine and delivered it to a command and control server (C2), and also initiated the next stage of the attack.

Updated toolset

Group-IB discovered that the hackers now used RedCurl.Extractor, a modified version of the RedCurl.Dropper they found in previous attacks from this threat actor.

The purpose of this tool was only to prepare the final step of the attack, which involved achieving persistence on the system.

The researchers note that RedCurl has shifted from the typical use of batch and PowerShell scripts to executable files and that antivirus software failed to detect the initial infection or the attacker moving laterally on the victim network.

However, the improvements to RedCurl’s toolset appear to have been rushed, as Group-IB discovered a logical error in one of the commands. One explanation is that the group had little time to start the attack and could not properly test their tools.

Group-IB has published a report today with indicators of compromise and technical information on RedCurl’s updated set of tools and their functionality:

  • RedCurl.InitialDropper: LNK file used in the initial infection stage, downloads batch or PowerShell scripts from the C2 that get malware for the next step
  • RedCurl.Downloader (new tool): intermediary stage downloader that collects data about the infected system, downloads and deploys malware for the next stage
  • RedCurl.Extractor: DLL file equivalent to RedCurl.Dropper, extracts the legitimate 7-Zip utility, downloads and installs the next stage malware
  • RedCurl.FSABIN: binary equivalent of the old RedCurl.FirstStageAgent, gets commands from hacker-controlled HTTP servers
  • RedCurl.CHABIN1: a fork of FSABIN
  • RedCurl.CHABIN2: similar to CHABIN1, determines the proxy server settings to connect the infected system to servers controlled by the hackers

Despite not being as active as in other years, RedCurl maintains its sophistication and remains an advanced threat actor capable of staying undetected for months.

Group-IB says that of the four attacks identified this year, two were against the same target. However, they expect more victims to appear since RedCurl’s updated tools have been detected in the wild with increased frequency.