Hunt for RedCurl

Jan. 10, 2025, 8:42 a.m.

Description

Huntress uncovered RedCurl activity across several Canadian organizations in late 2024, tracing back to November 2023. RedCurl, known for cyberespionage, targets various industries to access confidential data without encrypting systems or demanding ransom. The group employs unique tactics, including the use of pcalua.exe for indirect command execution, scheduled tasks mimicking legitimate Windows processes, and Python scripts for reverse proxy tunnels. They utilize 7zip for file extraction and archiving, and leverage cloud storage for exfiltration. RedCurl's loader malware, RedLoader, employs obfuscation techniques like dynamic DLL resolution and string encryption. The attackers' infrastructure included domains resolving to multiple IP addresses, showing connections to previously observed RedCurl activity.

Date

Published: Jan. 10, 2025, 4:34 a.m.

Created: Jan. 10, 2025, 4:34 a.m.

Modified: Jan. 10, 2025, 8:42 a.m.

Indicators

bora.teracloud.jp

alphastoned.pro

Attack Patterns

RedLoader

RedCurl

T1059.006

T1036.004

T1053.005

T1202

T1059.003

T1059.001

T1071.001

T1070.004

T1082

T1105

T1090

T1059

Additional Information

Tourism

Consulting

Construction

Retail

Insurance

Finance

Canada