
A Russian-speaking hacking group called RedCurl has been linked for the first time to a ransomware campaign, marking a departure from the threat actor's established tradecraft.
The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a previously undocumented ransomware strain called QWCrypt.
RedCurl, also known as Earth Kapre and Red Wolf, has a history of orchestrating corporate espionage attacks against a wide range of entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the U.K. and the U.S. It has been known to be active since at least November 2018.

The attack chains documented by Group-IB in 2020 relied on spear-phishing emails, including human resources (HR)-themed lures, to kick off the malware deployment process. Earlier this January, Huntress detailed attacks mounted by the threat actor against several Canadian organizations, in which it deployed a loader called RedLoader with "simple backdoor functionality."
Then last month, Canadian cybersecurity company eSentire disclosed the use of spam emails bearing PDF attachments that pose as CVs and cover letters to sideload the loader malware via the legitimate Adobe executable "AdnotificationManager.exe."
The attack sequence detailed by Bitdefender follows the same steps, using a mountable disk image (ISO) file posing as a CV to initiate a multi-stage infection procedure. Residing within the disk image is a file that mimics a Windows screensaver (SCR) file but is in reality the AdnotificationManager.exe binary, which is used to run the loader ("netutils.dll") by means of DLL sideloading.
"Upon execution, netutils.dll immediately launches a ShellExecuteA call with the open verb and directs the victim's browser to https://secure.indeed.com/auth," said Martin Zugec, technical solutions director at Bitdefender, in a report shared with The Hacker News.
"This opens a legitimate login page. It is a calculated distraction designed to mislead the victim into simply thinking their resume has been opened. This social engineering tactic provides a window for the malware to work undetected."
Per Bitdefender, the loader also serves as a downloader for the next-stage backdoor DLL and establishes persistence on the host through scheduled tasks. The newly fetched DLL is then executed using the Program Compatibility Assistant (pcalua.exe), a technique documented by Trend Micro in March 2024.
The access afforded by the implant paves the way for lateral movement, allowing the threat actor to navigate the network, gather intelligence, and escalate access. But in what appears to be a major pivot from its established modus operandi, one such attack culminated, for the first time, in the deployment of ransomware.
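The sideloading and proxy-execution steps above can be picked up from endpoint telemetry. The following detector is an added example, not code from the article or from Bitdefender: it flags netutils.dll loading from anywhere other than System32, pcalua.exe invoked with `-a`, and scheduled-task creation, over constructed records whose layout, paths and the name stage2.dll are all assumptions.

```python
"""Detection logic for the execution chain described above: netutils.dll
sideloading, pcalua.exe proxy execution and scheduled-task persistence.
Added example; the record layout and all sample values are constructed."""
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")  # where the real netutils.dll lives


def _name(path):
    return PureWindowsPath(path).name.lower()


def detect(rec):
    """Return a list of findings for one simplified endpoint telemetry record."""
    findings = []
    image = rec.get("image", "")
    cmd = rec.get("command_line", "")
    loaded = rec.get("image_loaded", "")
    # 1. Sideload: netutils.dll resolved from the process's own directory rather
    #    than System32 (the .scr / AdnotificationManager.exe step of the chain).
    if loaded and _name(loaded) == "netutils.dll":
        if PureWindowsPath(loaded).parent != SYSTEM32:
            findings.append(f"sideload: {_name(image)} loaded {loaded}")
    # 2. Proxy execution through the Program Compatibility Assistant.
    if _name(image) == "pcalua.exe" and " -a " in f" {cmd} ":
        findings.append(f"pcalua proxy execution: {cmd}")
    # 3. Persistence through scheduled task creation.
    if _name(image) == "schtasks.exe" and "/create" in cmd.lower():
        findings.append(f"scheduled task created: {cmd}")
    return findings


def scan(records):
    """Run detect() over every record and flatten the findings."""
    return [f for rec in records for f in detect(rec)]


# Constructed sample records: one benign, three matching the described chain.
SAMPLE_RECORDS = [
    {"image": r"C:\Program Files\Adobe\AdnotificationManager.exe",
     "image_loaded": r"C:\Windows\System32\netutils.dll", "command_line": ""},
    {"image": r"D:\Resume.scr",  # mounted ISO; renamed AdnotificationManager.exe
     "image_loaded": r"D:\netutils.dll", "command_line": r'"D:\Resume.scr"'},
    {"image": r"C:\Windows\System32\pcalua.exe", "image_loaded": "",
     "command_line": r"pcalua.exe -a C:\Users\u\AppData\Roaming\stage2.dll"},
    {"image": r"C:\Windows\System32\schtasks.exe", "image_loaded": "",
     "command_line": r'schtasks.exe /Create /SC MINUTE /MO 30 /TN Upd /TR "x"'},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding)
```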

"This focused targeting can be interpreted as an attempt to inflict maximum damage with minimal effort," Zugec said. "By encrypting the virtual machines hosted on the hypervisors and rendering them unbootable, RedCurl effectively disables the entire virtualized infrastructure and affects all hosted services."
In addition to employing a bring-your-own-vulnerable-driver (BYOVD) technique to disable endpoint security software, the ransomware executable takes steps to collect system information before invoking the encryption routine. Furthermore, the ransom notes dropped after encryption appear to be inspired by those of the LockBit, HardBit and Mimic groups.
"This practice of reusing the text of existing ransom notes raises questions about the origins and motivations of the RedCurl group," Zugec said. "In particular, there is no known dedicated leak site (DLS) associated with this ransomware. It remains unknown whether the ransom notes represent a genuine extortion attempt or a diversion."