The RedCurl Hacking Group
A new hacking group that has been operating for the last three years has been discovered by security researchers. According to the findings, the group is focused on corporate espionage and has been targeting corporations worldwide to steal documents containing business secrets and employees' personal information.
The cyber security firm Group-IB has published a detailed report on the activities of this new group, which it has code-named RedCurl. Researchers from the firm have been tracking the group since the summer of 2019, when they were called in to investigate a security breach at a hacked company. The malicious actors are thought to be operating from Russia.
Group-IB has recorded 26 other attacks carried out by the RedCurl group, aimed at 14 organizations from different industry sectors and countries. According to the report, the affected companies include building companies, travel agencies, retailers, insurance companies, banks, consulting firms and more. The victims come from countries including Russia, Ukraine, Canada, Germany, Norway and the UK, the researchers explain.
A more detailed analysis of the RedCurl attacks has revealed that the hackers did not use sophisticated malware or complex hacking methods against their victims. Instead, the group relied mainly on spear-phishing to gain initial access to the network.
Nonetheless, the distinguishing feature of the RedCurl hacking group lies in the meticulous planning of the malicious email message. Researchers from Group-IB explain that the phishing emails displayed the address and logo of the targeted company, while the sender's address used the company's own domain name.
In their report, the security researchers have also revealed that the malicious actors posed as members of the HR team of the targeted organizations. Malicious emails were sent to many staff members simultaneously, which made them less alert, particularly because most of the recipients worked in the same department.
The phishing emails contained links to malicious files that the victims were expected to download. Once they did, they were infected with a series of PowerShell-based Trojans.
Group-IB researchers explain that the Trojans used in the attacks gave the RedCurl operators a set of basic functions that allowed them to search systems, download additional malware, or steal specific files and upload them to remote servers.
Where possible, the hacking group also tried to spread quietly across the infected networks by accessing shared network drives and replacing the original files with booby-trapped LNK shortcut files that would infect other workers who opened them.
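The two lateral-movement traits described above (documents on a network share replaced by LNK shortcuts, and PowerShell launched when a user opens one) are the kind of thing a detection engineer can hunt for in endpoint telemetry. The following is an added defender-side example, not code from the article or from Group-IB: it runs two simple heuristics over a handful of constructed file and process events. The Event schema, the host names, the share paths and the command lines are all assumptions made for this example, and the scoring threshold is an arbitrary choice rather than anything the report specifies.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Hypothetical, simplified endpoint event record (assumption: not a real sensor's schema).
@dataclass
class Event:
    kind: str               # "file_create", "file_delete" or "process_create"
    host: str
    path: str = ""          # file events: full path, UNC form for network shares
    image: str = ""         # process events: executable path
    cmdline: str = ""       # process events: command line
    parent: str = ""        # process events: parent executable name

UNC_SHARE = re.compile(r"^\\\\[^\\]+\\[^\\]+")        # \\server\share\...
DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

def is_share_path(path: str) -> bool:
    return bool(UNC_SHARE.match(path))

def split_key(path: str) -> Tuple[str, str, str]:
    """(directory, stem, extension) using Windows path rules, all lower-cased."""
    directory, name = ntpath.split(path)
    stem, ext = ntpath.splitext(name)
    return directory.lower(), stem.lower(), ext.lower()

def find_lnk_replacements(events: List[Event]) -> List[str]:
    """Return .lnk files created on a share in the same directory, with the same
    name, as a document that was deleted there: the 'swap the original for a
    shortcut' pattern the article attributes to RedCurl."""
    deleted_docs: Set[Tuple[str, str]] = set()
    for e in events:
        if e.kind == "file_delete" and is_share_path(e.path):
            d, s, ext = split_key(e.path)
            if ext in DOC_EXT:
                deleted_docs.add((d, s))
    hits = []
    for e in events:
        if e.kind == "file_create" and is_share_path(e.path):
            d, s, ext = split_key(e.path)
            if ext == ".lnk" and (d, s) in deleted_docs:
                hits.append(e.path)
    return hits

# Command-line traits that are rare for interactive admin use but common for
# loaders; each match adds one point.
PS_FLAGS = [
    ("encoded command", re.compile(r"(?i)(^|\s)-(e|ec|enc|encodedcommand)\b")),
    ("hidden window", re.compile(r"(?i)-w(indowstyle)?\s+hidden\b")),
    ("no profile", re.compile(r"(?i)-nop(rofile)?\b")),
    ("bypass policy", re.compile(r"(?i)-ex(ecutionpolicy)?\s+bypass\b")),
]

def suspicious_powershell(events: List[Event], min_score: int = 2) -> List[Dict]:
    """Score PowerShell launches. A parent of explorer.exe means a user opened
    something (a shortcut, for instance) rather than typing into a console."""
    findings = []
    for e in events:
        if e.kind != "process_create" or not e.image.lower().endswith("powershell.exe"):
            continue
        reasons = [name for name, rx in PS_FLAGS if rx.search(e.cmdline)]
        if e.parent.lower() == "explorer.exe":
            reasons.append("launched from explorer.exe")
        if len(reasons) >= min_score:
            findings.append({"host": e.host, "cmdline": e.cmdline, "reasons": reasons})
    return findings

# Constructed sample telemetry (not real data): one document swapped for a
# shortcut on a share, one unrelated shortcut, one local shortcut, one user-
# launched hidden/encoded PowerShell, and one benign scheduled script.
SAMPLE_EVENTS = [
    Event("file_delete", "WS-ALICE", path=r"\\FS01\Shared\Finance\Q2_report.docx"),
    Event("file_create", "WS-ALICE", path=r"\\FS01\Shared\Finance\Q2_report.lnk"),
    Event("file_create", "WS-ALICE", path=r"\\FS01\Shared\Finance\README.lnk"),
    Event("file_create", "WS-BOB", path=r"C:\Users\bob\Desktop\Q2_report.lnk"),
    Event("process_create", "WS-BOB",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline="powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand QQBBAEEA",
          parent="explorer.exe"),
    Event("process_create", "SRV-BACKUP",
          image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          cmdline=r"powershell.exe -File C:\scripts\backup.ps1",
          parent="cmd.exe"),
]

if __name__ == "__main__":
    print("LNK replacements on shares:", find_lnk_replacements(SAMPLE_EVENTS))
    for f in suspicious_powershell(SAMPLE_EVENTS):
        print("suspicious PowerShell on", f["host"], "->", ", ".join(f["reasons"]))
```

The share check deliberately ignores shortcuts on local desktops and shortcuts whose name matches no deleted document, since legitimate users create plenty of those; the signal the article describes is specifically a document on a shared drive being replaced by a same-named shortcut. On real telemetry the file events would come from file-server auditing or an EDR sensor and the process events from Sysmon-style process creation logs, and the threshold would be tuned against the environment's baseline.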
The RedCurl hacking group strove to keep its activities undiscovered for as long as possible in order to prolong the stage in which the malware spread across the compromised networks. Thanks to their stealthy methods of operation, the attackers were able to hide in the hacked networks for up to six months.