RedCurl APT Group Launched Massive Corporate Espionage Campaign

An advanced persistent threat group—apparently filled with Russian speakers—has gone beyond the modus operandi of simple cybercrime to now specialize in corporate espionage.

RedCurl, the concealed adversary

Cybersecurity firm Group-IB discovered the group, named RedCurl, which has been conducting carefully planned attacks against victims across various geographies to steal confidential corporate documents.
  • Active since 2018, RedCurl has launched 26 different campaigns against 14 private sector organizations in the construction, consulting, mining, ironworks, financial, retail, tourism, legal, and insurance sectors in North America, Europe, and CIS countries.
  • Instead of using complex tools or hacking techniques for their attacks, the group has heavily relied on spear-phishing and social engineering tactics.
  • By using legitimate services to communicate with its command and control (C2) servers, it has been largely successful in flying under the radar so far.

Going the cloud way

The group has been delivering its payloads via links to archives stored on multiple public cloud storage services.
  • RedCurl used Dropbox and a vast number of other free storage services, such as CloudMe, Framagenda, and Syncwerk.
  • The threat actor also uses the MultCloud platform to manage and access the storage space from these cloud services and the LaZagne open-source tool to steal credentials.
  • Since the beginning of 2020, the group has been using boobytrapped LNK (shortcut) and XLAM (Excel Macro-Enabled add-on) files to deploy its dropper.
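
For defenders triaging archives downloaded from cloud storage links, the following added example (not code from Group-IB or from this article) flags LNK and XLAM members inside a ZIP by content rather than by file name, so a renamed shortcut or add-in is still caught. The function names and the sample archive are constructed for illustration.

```python
import io
import zipfile

# Shell Link (.lnk) files start with HeaderSize 0x4C followed by the LinkCLSID.
LNK_MAGIC = bytes.fromhex("4c0000000114020000000000c000000000000046")
# [Content_Types].xml value that marks an OOXML package as an Excel macro-enabled add-in.
XLAM_TYPE = b"application/vnd.ms-excel.addin.macroEnabled.main+xml"


def classify(name, data):
    """Classify one archive member by content, falling back to its extension."""
    if data.startswith(LNK_MAGIC):
        return "lnk"
    if data.startswith(b"PK\x03\x04"):  # OOXML packages are ZIP containers
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as pkg:
                types = pkg.read("[Content_Types].xml")
        except (zipfile.BadZipFile, KeyError):
            types = b""
        if XLAM_TYPE in types:
            return "xlam"
    ext = name.lower().rsplit(".", 1)[-1]
    return ext if ext in ("lnk", "xlam") else None


def scan_archive(blob):
    """Return sorted (member, kind) pairs for LNK/XLAM files inside a ZIP."""
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        hits = [(i.filename, classify(i.filename, zf.read(i))) for i in members]
    return sorted(h for h in hits if h[1])


def build_sample():
    """Constructed sample: a renamed LNK, a renamed XLAM and a harmless text file."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as pkg:
        pkg.writestr("[Content_Types].xml",
                     b'<Types><Override ContentType="' + XLAM_TYPE + b'"/></Types>')
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("report.pdf", LNK_MAGIC + b"\x00" * 56)  # LNK header, wrong extension
        zf.writestr("budget.xlsx", inner.getvalue())         # add-in, wrong extension
        zf.writestr("readme.txt", b"hello")
    return outer.getvalue()


if __name__ == "__main__":
    print(scan_archive(build_sample()))
```

Password-protected members raise `RuntimeError` from `zf.read` and would need separate handling.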

Little flashback

In 2019, RedCurl relied heavily on a custom trojan to first steal victims' important documents and then install the XMRIG miner for mining Monero cryptocurrency on the targeted infrastructure.

The bottom line

RedCurl's activities and skills are specialized for corporate espionage. It has been conducting planned espionage attacks against several victims across multiple geographies. The group has significantly extended its network as it strives to remain unnoticed for as long as possible and does not use any active trojans that could disclose its presence.