RedCurl cyberspies create ransomware to encrypt Hyper-V servers

Summary: The threat actor group RedCurl has evolved from corporate espionage to deploying a ransomware encryptor, QWCrypt, that targets Hyper-V virtual machines. Their tactics now include phishing with disk-image (IMG) attachments and stealthy lateral movement within victim networks. This strategic shift raises questions about their motives and operational goals, as they blend espionage with ransomware attacks.

Affected: Corporate entities worldwide, especially those using Hyper-V virtual machines

Keypoints:

  • RedCurl, known for espionage since 2018, has begun using ransomware to target Hyper-V environments.
  • Attacks begin with phishing emails carrying IMG disk-image attachments; a file inside the mounted image triggers DLL sideloading, which then deploys the subsequent payloads.
  • QWCrypt encrypts virtual machine files with XChaCha20-Poly1305 and accepts command-line arguments such as --excludeVM, letting the operators selectively encrypt VMs while skipping the ones they consider critical.
  • The group’s shift to ransomware raises questions about their operational objectives, blending traditional data theft with potential financial gain.

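The initial-access step described above (an executable on a mounted disk image loading a malicious DLL placed beside it) leaves a recognisable pattern in image-load telemetry. The following detection logic is an added example written for this page; it is not code from the article, from Bitdefender, or from the RedCurl toolset. It assumes Sysmon-style Event ID 7 (ImageLoaded) fields, and every log record below is constructed for illustration, including the drive letters and file names.

```python
"""Flag DLL-sideloading candidates in constructed Sysmon-style image-load events.

Added example for this summary; the heuristic and the sample records are
assumptions, not telemetry or code from the original article.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ImageLoad:
    image: str         # process that performed the load (Sysmon 'Image')
    image_loaded: str  # module that was loaded (Sysmon 'ImageLoaded')
    signed: bool       # whether the module carries a valid signature
    signature: str     # signer name, empty when unsigned


# Directories where unsigned vendor plugins are common enough that flagging
# every same-directory load would drown analysts in noise (assumption).
TRUSTED_ROOTS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)


def in_trusted_root(path: str) -> bool:
    lowered = path.lower()
    return any(lowered.startswith(root) for root in TRUSTED_ROOTS)


def is_sideload_candidate(ev: ImageLoad) -> bool:
    """True when an executable outside the trusted roots (a mounted IMG,
    a user profile, a temp directory) loads an unsigned DLL from its own
    directory, the shape of the sideloading step the article describes."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    return (
        same_dir
        and dll.suffix.lower() == ".dll"
        and not ev.signed
        and not in_trusted_root(ev.image)
    )


def find_sideloads(events):
    """Return the events that match the sideloading heuristic, in order."""
    return [ev for ev in events if is_sideload_candidate(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a system DLL loaded from System32.
    ImageLoad(r"C:\Program Files\Viewer\viewer.exe",
              r"C:\Windows\System32\kernel32.dll", True, "Microsoft Windows"),
    # Suspicious: screensaver-style executable on a mounted image (drive E:)
    # loads an unsigned DLL sitting next to it.
    ImageLoad(r"E:\CV_candidate.scr", r"E:\netutils.dll", False, ""),
    # Suspicious: same pattern from a temp directory in a user profile.
    ImageLoad(r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
              r"C:\Users\alice\AppData\Local\Temp\version.dll", False, ""),
    # Benign by policy: unsigned plugin loaded by a vendor app under
    # Program Files; suppressed by TRUSTED_ROOTS to limit false positives.
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\plugin.dll", False, ""),
]


if __name__ == "__main__":
    for hit in find_sideloads(SAMPLE_EVENTS):
        print(f"sideload candidate: {hit.image} -> {hit.image_loaded}")
```

The heuristic deliberately trades coverage for noise: a signed executable in Program Files loading an unsigned DLL from its own directory is a real sideloading shape too, but in most fleets it is dominated by vendor plugins, so it is better handled by an allow-list keyed on the signer than by this first-pass filter.
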
Source: https://www.bleepingcomputer.com/news/security/redcurl-cyberspies-create-ransomware-to-encrypt-hyper-v-servers/