RedCurl Cyberespionage in Canada
Summary:
In mid-2024, Huntress identified cyber espionage activity targeting several Canadian organizations, which was attributed to the APT group RedCurl (also known as Earth Kapre or Red Wolf). The activity dates back to November 2023 and is consistent with RedCurl's historical tactics of data theft rather than financial extortion. This group is known for its ability to remain undetected for extended periods, focusing on stealing sensitive information like emails and corporate documents from industries such as retail, finance, construction, and consulting. Huntress observed that RedCurl continuously adapts its techniques to evade detection.
The investigation began with the detection of a suspicious 7zip binary execution and a persistence mechanism built on scheduled tasks that launched the malicious binaries indirectly through pcalua.exe, the Windows Program Compatibility Assistant launcher. This led to uncovering intrusions in three organizations, where RedCurl leveraged PowerShell to download and execute tooling and to exfiltrate data to cloud storage locations. The group heavily utilized 7zip for file archiving and exfiltration, and they deployed a custom backdoor named "RedLoader," which employed various obfuscation techniques to avoid detection. These activities align closely with RedCurl's established tradecraft, though some techniques were updated or modified.
Security Officer Comments:
RedCurl's tactics exemplify the use of Living-Off-The-Land (LOTL) techniques, where legitimate system tools are used to blend in with normal system operations. This strategy makes detection challenging and allows the group to execute malicious tasks, such as creating reverse proxies and exfiltrating data, without raising immediate suspicion. Detection efforts should focus on identifying anomalies rather than the tools themselves: unusual use of pcalua.exe (the Program Compatibility Assistant launcher, which will run any binary passed to its -a switch) from scheduled tasks, Python interpreters establishing outbound network connections, or 7zip processes creating password-protected archives and deleting the source files afterwards.
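The three anomalies called out above, and the baselining step recommended under Suggested Corrections, as an added example in Python. This is not Huntress's detection code or any published rule set; it runs over a handful of constructed Sysmon-style process-creation (EID 1) and network-connection (EID 3) events, and every path, command line, IP address and allow-list entry in it is made up for illustration.

```python
"""Hunt for the three RedCurl-style anomalies described above over
constructed Sysmon-style events.  Added example; not Huntress's detection
code.  Paths, command lines and IPs are made up for illustration."""
import ipaddress
import shlex

# Constructed events modelled on Sysmon EID 1 (process create) and EID 3
# (network connect).  Not real telemetry.
SAMPLE_EVENTS = [
    # 1: Task Scheduler -> pcalua.exe -a <binary in ProgramData>  (suspicious)
    {"event_id": 1, "image": r"C:\Windows\System32\pcalua.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmd": "svchost.exe -k netsvcs -p -s Schedule",
     "cmd": r"pcalua.exe -a C:\ProgramData\Update\svc.exe"},
    # 2: user-driven pcalua.exe launch from Explorer (benign compat launch)
    {"event_id": 1, "image": r"C:\Windows\System32\pcalua.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "cmd": r'pcalua.exe -a "C:\Program Files\Vendor\setup.exe"'},
    # 3: 7-Zip staging mailbox files: password (-p), encrypted headers, delete after (-sdel)
    {"event_id": 1, "image": r"C:\ProgramData\7z\7za.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe", "parent_cmd": "cmd.exe",
     "cmd": r"7za.exe a -pSecret123 -mhe=on -sdel C:\ProgramData\out\mail.7z C:\Users\j\Documents\*.pst"},
    # 4: ordinary unencrypted archive from the desktop (benign)
    {"event_id": 1, "image": r"C:\Program Files\7-Zip\7z.exe",
     "parent_image": r"C:\Windows\explorer.exe", "parent_cmd": "explorer.exe",
     "cmd": r"7z.exe a C:\Users\j\Desktop\photos.7z C:\Users\j\Pictures"},
    # 5: Python interpreter dropped in ProgramData talking to an external host
    {"event_id": 3, "image": r"C:\ProgramData\py\python.exe",
     "dest_ip": "93.184.216.34", "dest_port": 443},
    # 6: Python talking to an internal host (left for baselining, not flagged)
    {"event_id": 3, "image": r"C:\ProgramData\py\python.exe",
     "dest_ip": "10.0.0.5", "dest_port": 5985},
]

SEVEN_ZIP = {"7z.exe", "7za.exe", "7zr.exe"}
PYTHON = {"python.exe", "pythonw.exe", "python3.exe"}


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def spawned_by_task_scheduler(ev):
    """True if the parent is the Schedule service host or legacy taskeng.exe."""
    parent = basename(ev.get("parent_image", ""))
    return parent == "taskeng.exe" or (
        parent == "svchost.exe" and "schedule" in ev.get("parent_cmd", "").lower())


def rule_pcalua_scheduled_task(ev):
    """pcalua.exe (Program Compatibility Assistant) is a LOLBin launcher:
    'pcalua.exe -a <target>' runs <target>.  Seeing it under the Task
    Scheduler is the persistence pattern called out above."""
    return (ev["event_id"] == 1 and basename(ev["image"]) == "pcalua.exe"
            and spawned_by_task_scheduler(ev) and " -a " in f" {ev['cmd']} ")


def rule_7zip_encrypt_and_delete(ev):
    """7-Zip 'a' (add) with a -p<password> switch AND -sdel (delete source
    files after archiving): staging for exfiltration, not a normal backup."""
    if ev["event_id"] != 1 or basename(ev["image"]) not in SEVEN_ZIP:
        return False
    argv = shlex.split(ev["cmd"], posix=False)   # keep Windows quoting intact
    if len(argv) < 2 or argv[1].lower() != "a":
        return False
    switches = {a.lower() for a in argv[2:] if a.startswith("-")}
    has_password = any(s.startswith("-p") for s in switches)
    return has_password and "-sdel" in switches


def rule_python_external_connection(ev):
    """A Python interpreter opening a connection to a non-private address.
    RFC 1918 / loopback targets are excluded so the rule can be baselined
    against internal automation."""
    if ev["event_id"] != 3 or basename(ev["image"]) not in PYTHON:
        return False
    ip = ipaddress.ip_address(ev["dest_ip"])
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


RULES = [rule_pcalua_scheduled_task, rule_7zip_encrypt_and_delete,
         rule_python_external_connection]


def hunt(events, baseline=frozenset()):
    """Run every rule over every event.  `baseline` is a set of exact command
    lines (or 'image|dest_ip' strings for network events) that an analyst has
    already reviewed and accepted; matching events are suppressed so known
    legitimate activity does not keep firing."""
    hits = []
    for ev in events:
        key = ev.get("cmd") or f"{basename(ev['image'])}|{ev.get('dest_ip')}"
        if key in baseline:
            continue
        for rule in RULES:
            if rule(ev):
                hits.append((rule.__name__, key))
    return hits


if __name__ == "__main__":
    for name, key in hunt(SAMPLE_EVENTS):
        print(f"[{name}] {key}")
```

Run as-is it flags events 1, 3 and 5 and leaves the Explorer-launched pcalua.exe, the unencrypted archive and the internal Python connection alone. The baseline set is deliberately exact-match: broadening it to prefixes or image names is how real deployments end up suppressing the very 7zip invocation they were meant to catch, so widen it per reviewed command line only.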
Suggested Corrections:
To mitigate these threats, organizations should enable comprehensive logging for process execution and scheduled tasks, baseline legitimate activity to filter out false positives, and use detection rules to identify patterns consistent with RedCurl's tactics. Proactive monitoring and multi-layered defenses are essential to counter sophisticated actors like RedCurl, whose operations highlight the importance of detecting subtle indicators to prevent long-term infiltration and data theft.
IOCs:
https://www.huntress.com/blog/the-hunt-for-redcurl-2
Link(s):
https://www.huntress.com/blog/the-hunt-for-redcurl-2