Source: Huntress Blog Author: unknown URL: https://www.huntress.com/blog/the-hunt-for-redcurl-2

ONE SENTENCE SUMMARY:

Huntress identified RedCurl’s cyberespionage tactics in multiple Canadian organizations, emphasizing their use of unique methods for data exfiltration.

MAIN POINTS:

1. RedCurl targets various sectors for cyberespionage, including finance, tourism, and consulting.
2. The group avoids encryption and ransom demands, focusing on stealthy data collection instead.
3. Huntress observed activity associated with RedCurl’s tactics back to November 2023.
4. pcalua.exe was used by attackers to execute malicious scripts and tasks.
5. Scheduled tasks were created that mimicked legitimate programs to conceal malicious activity.
6. 7zip is heavily utilized for archiving and exfiltrating sensitive data in password-protected formats.
7. Python scripts facilitated connections to proxy servers for communication with command and control.
8. RedCurl adapts their techniques, making detection more challenging for security teams.
9. LOTL tactics became prominent in attacks against small to mid-sized businesses in 2023.
10. Monitoring anomalous behavior in scheduled tasks is crucial for detecting RedCurl’s operations.

TAKEAWAYS:

1. RedCurl employs unique techniques, making detection efforts difficult for cybersecurity teams.
2. Using legitimate operating system tools can obscure malicious activities from monitoring systems.
3. Regularly baseline and monitor environments for scheduled task anomalies.
4. Awareness of LOTL techniques is essential for preventing covert cyber-espionage attacks.
5. Collaboration with threat intelligence sources can enhance understanding of evolving adversary tactics.