RedCurl

RedCurl is a threat actor active since 2018 notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.[1] RedCurl is allegedly a Russian-speaking threat actor.[1][2] The group’s operations typically start with spearphishing emails to gain initial access, then the group executes discovery and collection commands and scripts to find corporate data. The group concludes operations by exfiltrating files to the C2 servers.

ID: G1039
Contributors: Joe Gumke, U.S. Bank
Version: 1.0
Created: 23 September 2024
Last Modified: 23 September 2024

Techniques Used

Domain ID Name Use
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

RedCurl used LaZagne to obtain passwords from web browsers.[1][2]

Enterprise T1005 Data from Local System

RedCurl has collected data from the local disk of compromised hosts.[1][2]

Enterprise T1039 Data from Network Shared Drive

RedCurl has collected data about network drives.[1][2]

Enterprise T1537 Transfer Data to Cloud Account

RedCurl has used cloud storage to exfiltrate data; in particular, the megatools utilities were used to exfiltrate data to Mega, a file storage service.[1][2]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

RedCurl mimicked legitimate file names and scheduled task names, e.g. MicrosoftCurrentupdatesCheck and MdMMaintenenceTask, to mask malicious files and scheduled tasks.[1][2]

Enterprise T1199 Trusted Relationship

RedCurl has gained access to a contractor to pivot to the victim’s infrastructure.[3]

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

RedCurl has used AES-128 CBC to encrypt C2 communications.[2]

.002 Encrypted Channel: Asymmetric Cryptography

RedCurl has used HTTPS for C2 communication.[1][2]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

RedCurl has established persistence by creating entries in HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

RedCurl has used PowerShell to execute commands and to download malware.[1][2][4]

.003 Command and Scripting Interpreter: Windows Command Shell

RedCurl has used the Windows Command Prompt to execute commands.[1][2][4]

.005 Command and Scripting Interpreter: Visual Basic

RedCurl has used VBScript to run malicious files.[1][2]

.006 Command and Scripting Interpreter: Python

RedCurl has used a Python script to establish outbound communication and to execute commands using SMB port 445.[4]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

RedCurl has used the HTTP, HTTPS and WebDAV protocols for C2 communications.[1][2]

Enterprise T1587 .001 Develop Capabilities: Malware

RedCurl has created its own tools to use during operations.[3]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

RedCurl has downloaded 7-Zip to decompress password protected archives.[4]

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

RedCurl used LaZagne to obtain passwords from memory.[1][2]

Enterprise T1083 File and Directory Discovery

RedCurl has searched for and collected files on local and network drives.[3][1][2]

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

RedCurl used LaZagne to obtain passwords in files.[1][2]

.002 Unsecured Credentials: Credentials in Registry

RedCurl used LaZagne to obtain passwords in the Registry.[1][2]

Enterprise T1080 Taint Shared Content

RedCurl has placed modified LNK files on network drives for lateral movement.[1][2]

Enterprise T1027 Obfuscated Files or Information

RedCurl has used malware with string encryption.[3] RedCurl has also encrypted data and has encoded PowerShell commands using Base64.[1][2] RedCurl has used PyArmor to obfuscate the code execution of LaZagne.[1] Additionally, RedCurl has obfuscated downloaded files by renaming them after commonly used tools, and has used echo, instead of the file names themselves, to execute files.[4]

Enterprise T1204 .001 User Execution: Malicious Link

RedCurl has used malicious links to infect the victim machines.[1][2]

.002 User Execution: Malicious File

RedCurl has used malicious files to infect the victim machines.[1][2][4]

Enterprise T1114 .001 Email Collection: Local Email Collection

RedCurl has collected emails to use in future phishing campaigns.[1]

Enterprise T1070 .004 Indicator Removal: File Deletion

RedCurl has deleted files after execution.[1][2][4]

Enterprise T1218 .011 System Binary Proxy Execution: Rundll32

RedCurl has used rundll32.exe to execute malicious files.[1][2][4]

Enterprise T1082 System Information Discovery

RedCurl has collected information about the target system, such as system information and the list of network connections.[1][2]

Enterprise T1102 Web Service

RedCurl has used web services to download malicious files.[1][2]

Enterprise T1046 Network Service Discovery

RedCurl has used netstat to check if port 4119 is open.[4]

Enterprise T1119 Automated Collection

RedCurl has used batch scripts to collect data.[1][2]

Enterprise T1020 Automated Exfiltration

RedCurl has used batch scripts to exfiltrate data.[1][2]

Enterprise T1087 .001 Account Discovery: Local Account

RedCurl has collected information about local accounts.[1][2]

.002 Account Discovery: Domain Account

RedCurl has collected information about domain accounts using the Sysinternals AdExplorer utility.[1][2]

.003 Account Discovery: Email Account

RedCurl has collected information about email accounts.[1][2]

Enterprise T1056 .002 Input Capture: GUI Input Capture

RedCurl prompts the user for credentials through a Microsoft Outlook pop-up.[1][2]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

RedCurl has used phishing emails with malicious files to gain initial access.[1][4]

.002 Phishing: Spearphishing Link

RedCurl has used phishing emails with malicious links to gain initial access.[1][2]

Enterprise T1202 Indirect Command Execution

RedCurl has used pcalua.exe to obfuscate binary execution and remote connections.[4]

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

RedCurl added the "hidden" file attribute to the original files, manipulating victims into clicking on the malicious LNK files instead.[1][2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

RedCurl has created scheduled tasks for persistence.[1][2][4]
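As an added defensive example (not part of the ATT&CK entry or any referenced report): a PowerShell audit that enumerates the HKCU Run key and scheduled tasks described in the persistence and masquerading entries above, and flags the task names the page attributes to RedCurl as well as entries launched through PowerShell, script hosts, rundll32 or pcalua. The watch-list names come from the page; the launcher pattern is an assumption to adjust for your environment.

```powershell
# Added defensive audit, not from the ATT&CK page. Watch-list names are the
# scheduled task names the page attributes to RedCurl; the launcher regex is
# an assumption covering the script hosts and proxy binaries the page lists.
$WatchNames   = @('MicrosoftCurrentupdatesCheck', 'MdMMaintenenceTask')
$LauncherPattern = '(?i)powershell|wscript|cscript|rundll32|pcalua|-enc'

function Get-SuspiciousRunEntries {
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    if (-not (Test-Path $runKey)) { return @() }
    # Every non-PS* property of the key is one autostart entry (name = command).
    (Get-ItemProperty -Path $runKey).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |
        ForEach-Object {
            $command = [string]$_.Value
            [pscustomobject]@{
                Source     = 'HKCU Run'
                Name       = $_.Name
                Command    = $command
                Suspicious = ($WatchNames -contains $_.Name) -or
                             ($command -match $LauncherPattern)
            }
        }
}

function Get-SuspiciousScheduledTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # Flatten every exec action of the task into "program arguments".
        $actions = ($task.Actions | ForEach-Object {
            "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{
            Source     = "Task $($task.TaskPath)"
            Name       = $task.TaskName
            Command    = $actions
            Suspicious = ($WatchNames -contains $task.TaskName) -or
                         ($actions -match $LauncherPattern)
        }
    }
}

# Print only the entries worth a closer look; drop the filter to see everything.
@(Get-SuspiciousRunEntries) + @(Get-SuspiciousScheduledTasks) |
    Where-Object { $_.Suspicious } |
    Format-Table -AutoSize
```

Run it in the context of each interactive user, since HKCU Run entries are per user while Get-ScheduledTask shows the machine-wide task library.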

References