Rewterz Threat Alert – RedCurl APT Group Exploits Legitimate Windows PCA Tool for Corporate Espionage – Active IOCs

Severity

High

Analysis Summary

The cybersecurity landscape constantly evolves with threat actors like the Russian-speaking cybercrime group RedCurl employing sophisticated tactics to carry out corporate espionage. RedCurl has been active since 2018 and targets entities across various countries including Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.

RedCurl’s recent activities have involved leveraging a legitimate Windows component, the Program Compatibility Assistant (PCA), to execute malicious commands and evade security measures. The attack chain typically starts with phishing emails containing malicious attachments like .ISO and .IMG files. These attachments initiate a multi-stage process involving cmd.exe to download the legitimate utility curl from a remote server.

Subsequently, a malicious DLL file such as ms.dll or ps.dll is used to exploit PCA and establish connections to fetch additional malicious payloads from the attacker’s infrastructure. The use of open-source software like Impacket further facilitates unauthorized command execution adding to the complexity of the attack.

One notable incident involved RedCurl targeting a major Russian bank and an Australian company in November 2022 and May 2023 respectively to steal confidential corporate secrets and employee information. The connections to Earth Kapre aka RedCurl are identified through overlaps in command-and-control (C2) infrastructure and similarities with known downloader artifacts. This underscores the persistent threat posed by RedCurl, showing their dedication to using advanced techniques like abusing PowerShell, curl, and PCA to maintain stealth and avoid detection within compromised networks.

While RedCurl’s activities demonstrate a significant cybersecurity threat, they are not alone in their sophistication. Other threat actors like the Russian nation-state group Turla have also been active, using new techniques such as deploying the Pelmeni wrapper DLL to launch the Kazuar backdoor. This underscores the need for organizations worldwide to remain vigilant, enhance their cybersecurity posture, and collaborate with cybersecurity experts to detect and mitigate such advanced threats effectively.

Impact

• Sensitive Data Theft
• Cyber Espionage

Indicators of Compromise

MD5

• b0084e505663a05425eaaae058ebc48c
• ff8772484a6798ce270a3b4eed3dedae
• 57f087cc375f04f27a99e31d9006b12f
• 78f69d4ff80b57747ca0a1e5a4305514

SHA-256

• e31a9c0e86474255a2a13bb93c2c02d91ada5caee35bae9b2d142d8cad9e4c37
• 04f58fce886d80501fca5f9ea1f05a524a5604000ef828331eba9ca15a904232
• 34d81142467b937ef190175cb399579c96dbe2fcf40ad4418ced8c804fa8d985
• 5c09f38829d659f47239513f1825c41a419f04630ffb455862b6274a7adbfeae

SHA-1

• 2003d2de9c155799fea82663245add57d59813aa
• 732aa4679a372696b67c0666cd8c0279049d7a92
• 8e5bacc6773843bac2f52c63bd0f6e4a868eb4da
• f3cfbf02099830ce9492d231b4a00dbcb46facd4

URL

• http://preston.melaniebest.com/ms/ms.tmp
• http://preston.melaniebest.com/ms/msa.tmp
• http://preston.melaniebest.com/ms/curl.tmp
• http://preston.melaniebest.com/ms/7za.tmp
• https://preslive.cn.alphastoned.pro/ms/msa.tmp
• https://preslive.cn.alphastoned.pro/ms/curl.tmp
• https://preslive.cn.alphastoned.pro/ms/7
• http://unipreg.tumsun.com:80/ms/psa.tmp
• http://unipreg.tumsun.com:80/ms/7za.tmp
• https://preslive.cn.alphastoned.pro:443/ms/curl.tmp

Remediation

• Block all threat indicators at your respective controls.
• Search for Indicators of compromise (IOCs) in your environment utilizing your respective security controls.
• Never trust or open links and attachments received from unknown sources/senders.
• Implement multi-factor authentication to add an extra layer of security to login processes.
• Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
• Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
• Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
• Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
• Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
• Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
• Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
• Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.