Security researchers have uncovered a new Russian-speaking hacking group that they say has been focusing on corporate espionage for the past three years, targeting companies across the globe to steal documents that contain commercial secrets and employee personal data.
Named RedCurl, the activities of this new group are detailed in a 57-page report released today by cyber-security firm Group-IB.
The company has been tracking the group since the summer of 2019, when it was first called in to investigate a security breach at a company hacked by the group.
Since then, Group-IB said it identified 26 other RedCurl attacks, carried out against 14 organizations, going as far back as 2018.
Victims varied across countries and industry sectors, and included construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada, Germany, Norway, and the UK.
Spear-phishing and PowerShell
But despite the prolonged three-year hacking spree, the group didn't use complex tools or hacking techniques for its attacks. Instead, the group relied heavily on spear-phishing for initial access.
"RedCurl's peculiarity, however, is that the email content is carefully drafted," researchers said today.
"For instance, the emails displayed the targeted organization's address and logo, while the sender address featured the organization's name.
"The attackers posed as members of the HR team at the targeted organization and sent emails to several employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department," they added.
The emails included links to malware-laced archives that victims had to download. Once victims ran the contents of the boobytrapped archives, they were infected with a set of PowerShell-based trojans.
Group-IB said the trojans were unique to the group and gave RedCurl operators access to basic operations, like searching systems, downloading other malware, or uploading stolen files to remote servers.
RedCurl hid in hacked networks for between two and six months
Where possible, the group also attempted to move laterally through infected networks by accessing network shared drives and replacing original files with boobytrapped LNK (shortcut) files that would infect other employees if they executed them.
Group-IB researchers say that this phase usually lasted between two and six months.
The period of spreading across the network is significantly extended because the group tries to remain unnoticed for as long as possible and doesn't use any active Trojans.
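The lateral-movement trick described above, a document on a shared drive swapped for a same-named .lnk shortcut, leaves a trace a defender can look for: a document that was present in an earlier listing of the share has disappeared, and a shortcut with a matching name sits in its place. The following script is an added example written for this article; it is not code from Group-IB's report or from the ZDNet piece. It assumes a simple before/after listing of share paths (the folder names and file names below are constructed) and that Explorer's habit of hiding the `.lnk` extension is what makes a double-extension name like `report.docx.lnk` look like a real document.

```python
"""Added example (not from the Group-IB report or the ZDNet article).

Compare two listings of a network share and flag .lnk files that appear to
have replaced documents. Assumptions (mine, not the page's): listings are
relative POSIX-style paths, and "document" means one of the extensions in
DOC_EXTS.
"""
from pathlib import PurePosixPath

DOC_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf"}

# Constructed sample data: a baseline snapshot of the share and a later one.
SAMPLE_BASELINE = [
    "Finance/Q3_report.docx",
    "Finance/budget.xlsx",
    "HR/policy.pdf",
    "HR/onboarding.pptx",
]
SAMPLE_CURRENT = [
    "Finance/Q3_report.docx.lnk",   # double extension: shows as 'Q3_report.docx'
    "Finance/budget.xlsx",
    "HR/policy.lnk",                # same stem as the now-missing policy.pdf
    "HR/onboarding.pptx",
    "HR/shortcut_to_printer.lnk",   # ordinary shortcut, no document replaced
]


def looks_like_document(lnk_path):
    """True if a .lnk hides a document extension (e.g. 'report.docx.lnk')."""
    p = PurePosixPath(lnk_path)
    return p.suffix.lower() == ".lnk" and PurePosixPath(p.stem).suffix.lower() in DOC_EXTS


def find_replaced_documents(baseline, current):
    """Return sorted (lnk_path, replaced_document) pairs.

    A pair is reported when a document from the baseline is gone and a .lnk in
    the same folder matches it either by full name ('x.docx' -> 'x.docx.lnk')
    or by stem ('x.pdf' -> 'x.lnk').
    """
    base_docs = {PurePosixPath(p) for p in baseline
                 if PurePosixPath(p).suffix.lower() in DOC_EXTS}
    cur = {PurePosixPath(p) for p in current}
    missing = base_docs - cur

    by_full = {(d.parent, d.name): d for d in missing}
    by_stem = {(d.parent, d.stem): d for d in missing}

    findings = []
    for p in cur:
        if p.suffix.lower() != ".lnk":
            continue
        doc = by_full.get((p.parent, p.stem))
        if doc is None:
            doc = by_stem.get((p.parent, p.stem))
        if doc is not None:
            findings.append((str(p), str(doc)))
    return sorted(findings)


if __name__ == "__main__":
    for lnk, doc in find_replaced_documents(SAMPLE_BASELINE, SAMPLE_CURRENT):
        flag = " (hides document extension)" if looks_like_document(lnk) else ""
        print(f"{lnk} appears to have replaced {doc}{flag}")
```

In practice the baseline would come from a scheduled directory walk or file-integrity monitoring; the stem-match rule is deliberately loose, so review the hits rather than acting on them automatically.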
One particular thing that stood out about RedCurl was the use of the WebDAV protocol as a data exfiltration channel, similar to other hacking groups like CloudAtlas and October. However, Group-IB said it didn't find any other major overlaps between the three, and believes they're separate operations based on the current evidence.
Source: ZDNet