Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has released an analytical report on the previously unknown APT group RedCurl, which focuses on corporate espionage. In less than three years, RedCurl attacked dozens of targets all over the world — from Russia to Canada. A presumably Russian-speaking group conducts thoroughly planned attacks on private companies across numerous industries using a unique toolset. The attackers seek to steal documents that contain commercial secrets and employee personal data. According to Group-IB experts, corporate espionage has so far been a rare phenomenon on the hacker scene, but the frequency of such attacks these days suggests that it is likely to become more widespread in the future.
Group-IB’s new research contains the first ever description of RedCurl’s tactics, tools, and infrastructure. The report “RedCurl. The pentest you didn’t know about” includes details about the group’s kill chain discovered by Group-IB’s DFIR specialists, as well as unique data that Group-IB collected during incident response engagements related to campaigns attributed to RedCurl.
From Russia to Canada
The APT group RedCurl, discovered by Group-IB Threat Intelligence experts, has been active since at least 2018. Since then, it has conducted 26 targeted attacks on commercial organizations alone, including companies in the fields of construction, finance, consulting, retail, banking, insurance, law, and travel. RedCurl does not have a clear geographical link to any region; its victims are located in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway.
As part of its activities, the group acted as covertly as possible to minimize the risk of being discovered on the victim’s network. In all campaigns, RedCurl’s main goal was to steal confidential corporate documents such as contracts, financial documents, employee personal records, and records of legal actions and facility construction. This could indicate that RedCurl’s attacks might have been commissioned for the purpose of corporate espionage.
It is noteworthy that one of the group’s possible victims was an employee at a cybersecurity company that protects its customers against such very attacks. In total, Group-IB has identified 14 organizations that fell victim to RedCurl’s espionage, some on several occasions. Group-IB specialists contacted each of them. Currently, some of the companies affected continue to respond to the incidents.
Who are you, Mr. Pentester?
The earliest known RedCurl attack dates back to May 2018. As with all subsequent campaigns, the initial compromise vector was a well-written phishing email. The group performed in-depth intelligence of the victim’s infrastructure: each email targeted a specific team rather than the organization as a whole. Most often, the attackers posed as HR staff at the targeted organization and sent emails to multiple employees in the same department, which made the victims less vigilant. For example, the employees would receive the same email about annual bonuses. The spear-phishing email content was always carefully drafted. For instance, the emails displayed the targeted company’s address and logo, while the sender address featured the company’s domain name. Group-IB Threat Intelligence experts highlight that RedCurl’s approach resembles social engineering attacks that red teaming specialists usually conduct to test an organization’s ability to combat advanced cyberattacks using techniques and tools from hacker groups’ arsenals.
Tricky cloud
To deliver the payload, RedCurl used archives, links to which were placed in the email body and led to legitimate cloud storage services. The links were disguised so that the victim would not suspect that opening the attached document about bonuses from the supposedly official website would deploy a Trojan, controlled by the attacker through the cloud, on the local network. The Trojan-downloader RedCurl.Dropper served as the attackers’ pass to the targeted system that installed and launched other malware modules. Like the group’s other custom tools, the dropper was written in PowerShell.
RedCurl’s main goal is to steal documentation from the victim’s infrastructure and business emails. After gaining access to the target network, the cybercriminals scan the list of folders and office documents accessible from the infected computer. Information about them is sent to the cloud, after which a RedCurl operator decides which folders and files should be uploaded. At the same time, all files with the extensions *.jpg, *.pdf, *.doc, *.docx, *.xls, *.xlsx found on network drives are replaced with modified LNK shortcuts. When such a file is opened by a user, RedCurl.Dropper is launched. This helps RedCurl infect new machines within the victim organization and propagate across the system.
The attackers also seek to steal email credentials. To do so, RedCurl uses the LaZagne tool, which extracts passwords from memory and from files saved in the victim’s web browser. If RedCurl fails to obtain the data required, it uses a Windows PowerShell script that displays a phishing pop-up Microsoft Outlook window to the victim. After gaining access to the victim’s email, RedCurl uses another PowerShell script to analyze and upload all documents of interest to cloud storages.
Covering traces
As part of incident response engagements related to RedCurl’s attacks, Group-IB’s DFIR specialists discovered that, after gaining initial access to the victim’s network, the group remains there for two to six months. The RedCurl.Dropper Trojan, like the group’s other tools, does not connect directly to the attackers’ C&C server. Instead, all communication between the victim’s infrastructure and the attackers is ensured through legitimate cloud storages such as Cloudme, koofr.net, pcloud.com, and etc. All commands are passed as PowerShell scripts. This allows RedCurl to remain undetected by traditional security solutions for a long time.

Rustam Mirkasymov
Head of Malware Dynamic Analysis Team at Group-IB