Hunt for RedCurl | Huntress

Huntress discovered ongoing cyberespionage activity linked to the APT group RedCurl, targeting various organizations in Canada since late 2023. The group relies on scheduled tasks and PowerShell scripts to collect and exfiltrate data without triggering alerts. Its tradecraft abuses legitimate Windows binaries (living off the land), which makes detection harder.

Affected: Canada, various organizations

Key points:

  • RedCurl is associated with cyberespionage and has been active since November 2023.
  • The group targets sectors like finance, tourism, and consulting.
  • They utilize unique techniques that differ from common malware behaviors.
  • Scheduled tasks and PowerShell scripts are prominently used for executing malicious actions.
  • RedCurl employs 7zip for archiving and exfiltrating data.
  • They leverage living-off-the-land techniques, making detection difficult.
  • Evidence of data collection and exfiltration to cloud storage has been found.

MITRE Techniques:

  • Execution (T1059): PowerShell used to download and execute the payload, collect and archive files, and exfiltrate data.
  • Execution (T1059.001): Executed PowerShell scripts and commands.
  • Execution (T1059.003): Used headless conhost.exe to launch Python; executed batch files to spawn PowerShell and Python.
  • Execution (T1059.006): Used Python to create reverse proxy tunnels.
  • Persistence (T1053.005): Created scheduled tasks to execute malicious files and RPivot reverse proxy with Python.
  • Defense Evasion (T1202): Used pcalua.exe to execute malicious commands.
  • Defense Evasion (T1036.004): Masqueraded as legitimate Windows services/tasks.
  • Defense Evasion (T1070.004): Removed zip files downloaded with PowerShell and files after archiving them using 7zip.
  • Discovery (T1082): Used WMIC to list running processes.
  • C&C (T1071.001): Used PowerShell to create HTTP requests for C2 communication.
  • C&C (T1090): Used RPivot Proxy tool.
  • C&C (T1105): Downloaded files from cloud storage, including 7zip.
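The technique list above maps directly onto process-creation telemetry. The following is an added detection example, not code from the Huntress report: it runs a few simple hunting rules over constructed process-creation events (parent image, image, command line) that imitate the pcalua.exe proxy execution, headless conhost.exe launching Python, PowerShell-spawned 7zip archiving, and scheduled tasks masquerading under the Microsoft\Windows task tree described above. All paths, task names and command lines in the sample are invented for illustration.

```python
import re

# Constructed process-creation events for illustration only; none of these
# values (paths, task names, hosts) come from the Huntress report.
SAMPLE_EVENTS = [
    {"parent": "svchost.exe", "image": "pcalua.exe",
     "cmd": r"pcalua.exe -a C:\Users\Public\update.bat"},
    {"parent": "cmd.exe", "image": "conhost.exe",
     "cmd": r"conhost.exe --headless python.exe C:\ProgramData\client.py"},
    {"parent": "powershell.exe", "image": "7z.exe",
     "cmd": r"7z.exe a -p C:\Users\Public\docs.7z C:\Users\alice\Documents"},
    {"parent": "cmd.exe", "image": "schtasks.exe",
     "cmd": r'schtasks /create /tn "Microsoft\Windows\Wininet\CacheTask" '
            r'/tr "powershell -w hidden -f C:\ProgramData\s.ps1"'},
    {"parent": "explorer.exe", "image": "notepad.exe", "cmd": "notepad.exe notes.txt"},
]

INTERPRETER = re.compile(r"\b(python|powershell|pwsh)(\.exe)?\b", re.I)

def is_pcalua_proxy(e):
    # pcalua.exe -a <target>: Program Compatibility Assistant launching an arbitrary file.
    return e["image"].lower() == "pcalua.exe" and " -a " in e["cmd"].lower()

def is_headless_conhost(e):
    # conhost.exe --headless hides the console window of the interpreter it starts.
    c = e["cmd"].lower()
    return e["image"].lower() == "conhost.exe" and "--headless" in c and bool(INTERPRETER.search(c))

def is_powershell_7zip(e):
    # 7zip archiving spawned by PowerShell: staging collected files before exfiltration.
    return e["image"].lower() in ("7z.exe", "7za.exe") and e["parent"].lower() == "powershell.exe"

def is_masquerading_task(e):
    # schtasks /create whose name imitates a Microsoft\Windows task but runs an interpreter.
    c = e["cmd"].lower()
    return (e["image"].lower() == "schtasks.exe" and "/create" in c
            and "microsoft\\windows\\" in c and bool(INTERPRETER.search(c)))

RULES = {
    "T1202 pcalua.exe proxy execution": is_pcalua_proxy,
    "T1059.003 headless conhost.exe launching an interpreter": is_headless_conhost,
    "7zip archiving spawned by PowerShell": is_powershell_7zip,
    "T1053.005/T1036.004 scheduled task masquerading as a Windows task": is_masquerading_task,
}

def hunt(events):
    """Return (rule name, command line) for every event that matches a rule."""
    return [(name, e["cmd"]) for e in events for name, check in RULES.items() if check(e)]

if __name__ == "__main__":
    for name, cmd in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {cmd}")
```

Each rule is deliberately narrow; in production these would be tuned against baseline telemetry, since pcalua.exe and conhost.exe also appear in benign use.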

Indicators of Compromise:

  • [file name] mbda76918700ee0725.exe
  • [file hash] 574a55706697d7e0109cf920ae6e0047cd7a802c9ad457e3b68e7802f3f902ef
  • [domain] bora.teracloud[.]jp
  • [ip address] 193.176.158[.]30
  • [ip address] 188.130.207[.]253
  • Check the article for all found IoCs.


Full Research: https://www.huntress.com/blog/the-hunt-for-redcurl-2