Hunt for RedCurl

Jan. 10, 2025, 8:42 a.m.

Description

Huntress uncovered RedCurl activity across several Canadian organizations in late 2024, with evidence tracing the intrusions back to November 2023. RedCurl, a group known for cyberespionage, targets a range of industries to reach confidential data without encrypting systems or demanding a ransom. Its distinctive tradecraft includes using pcalua.exe (the Program Compatibility Assistant) for indirect command execution, scheduled tasks whose names mimic legitimate Windows processes, and Python scripts that establish reverse proxy tunnels. The group uses 7-Zip both to extract its tooling and to archive collected files, and it exfiltrates those archives to cloud storage. RedCurl's loader, RedLoader, applies obfuscation techniques such as dynamic DLL resolution and string encryption. The attackers' infrastructure included domains resolving to multiple IP addresses that overlap with previously observed RedCurl activity.

Date

  • Created: Jan. 10, 2025, 4:34 a.m.
  • Published: Jan. 10, 2025, 4:34 a.m.
  • Modified: Jan. 10, 2025, 8:42 a.m.

Indicators

  • bora.teracloud.jp
  • alphastoned.pro

Attack Patterns

Additional Information

  • Tourism
  • Consulting
  • Construction
  • Retail
  • Insurance
  • Finance
  • Canada