Source: Huntress Blog Author: unknown URL: https://www.huntress.com/blog/the-hunt-for-redcurl-2
-
ONE SENTENCE SUMMARY: Huntress identified RedCurl’s cyberespionage tactics in multiple Canadian organizations, emphasizing their use of unique methods for data exfiltration.
-
MAIN POINTS:
-
RedCurl targets various sectors for cyberespionage, including finance, tourism, and consulting.
-
The group avoids encryption and ransom demands, focusing on stealthy data collection instead.
-
Huntress observed activity consistent with RedCurl's tactics dating back to November 2023.
-
pcalua.exe (the legitimate Windows Program Compatibility Assistant launcher) was used as a proxy to execute malicious scripts and scheduled-task payloads.
-
Scheduled tasks were created that mimicked legitimate programs to conceal malicious activity.
-
7-Zip is heavily used to archive sensitive data as password-protected archives before exfiltration.
-
Python scripts facilitated connections to proxy servers for communication with command and control.
-
RedCurl adapts their techniques, making detection more challenging for security teams.
-
LOTL (living-off-the-land) tactics became prominent in attacks against small to mid-sized businesses in 2023.
-
Monitoring anomalous behavior in scheduled tasks is crucial for detecting RedCurl’s operations.
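The points above describe three observable behaviours: proxy execution through pcalua.exe, scheduled tasks named after legitimate software, and password-protected 7-Zip archiving. The following is an added hunting example, not code from the Huntress post, that runs those checks over constructed Sysmon Event ID 1 (process creation) and Security Event ID 4698 (task creation) records and compares tasks against a known-good baseline. The sample events, task names, paths and the baseline are invented for illustration; the `pcalua.exe -a <target>`, `7z a -p<password>` and `-mhe=on` syntaxes are the tools' documented switches.

```python
import re

# Constructed sample telemetry (not real RedCurl data): Sysmon Event ID 1
# process-creation records and Security Event ID 4698 task-creation records.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\pcalua.exe",
     "command_line": r'pcalua.exe -a "C:\Users\Public\Libraries\run.bat"'},
    {"event_id": 1, "image": r"C:\Windows\System32\pcalua.exe",          # benign compat launch
     "command_line": r'pcalua.exe -a "C:\Program Files\LegacyApp\app.exe"'},
    {"event_id": 1, "image": r"C:\Users\Public\7za.exe",
     "command_line": r'7za.exe a -pS3cr3t -mhe=on C:\Users\Public\docs.7z C:\Users\alice\Documents'},
    {"event_id": 1, "image": r"C:\Program Files\7-Zip\7z.exe",            # extraction, not staging
     "command_line": r'7z.exe x C:\Users\alice\Downloads\tool.7z'},
    {"event_id": 4698, "task_name": r"\Microsoft\Windows\Maintenance\WinSAT",
     "task_action": r"%SystemRoot%\system32\WinSAT.exe"},
    {"event_id": 4698, "task_name": r"\GoogleUpdateTaskMachineUA",        # vendor-looking name, odd action
     "task_action": r"C:\Windows\System32\pcalua.exe -a C:\ProgramData\GoogleUpdate\update.cmd"},
    {"event_id": 4698, "task_name": r"\Adobe Acrobat Update Task",        # plausible, but not baselined
     "task_action": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
]

# Hypothetical baseline of known-good task name -> action, captured from a clean host.
BASELINE = {r"\Microsoft\Windows\Maintenance\WinSAT": r"%SystemRoot%\system32\WinSAT.exe"}

USER_WRITABLE = re.compile(r"\\(users|programdata|temp|tmp|appdata)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta|py)$", re.I)
ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}
PROXY_OR_INTERPRETER = {"pcalua.exe", "cmd.exe", "powershell.exe", "wscript.exe",
                        "cscript.exe", "python.exe", "pythonw.exe"}
MIMICKED_VENDORS = ("microsoft", "windows", "google", "adobe", "mozilla", "intel")


def tokens(cmd):
    """Split a Windows command line on whitespace, keeping double-quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_pcalua(ev):
    """pcalua.exe -a <target>: flag when the target is a script or lives in a user-writable path."""
    if ev["event_id"] != 1 or basename(ev["image"]) != "pcalua.exe":
        return None
    t = tokens(ev["command_line"])
    if "-a" not in t or t.index("-a") + 1 >= len(t):
        return None
    target = t[t.index("-a") + 1]
    if SCRIPT_EXT.search(target) or USER_WRITABLE.search(target):
        return {"rule": "pcalua_proxy_exec", "detail": target}
    return None


def check_archiver(ev):
    """7-Zip 'a' (add) with a -p password switch: data staged as a password-protected archive."""
    if ev["event_id"] != 1 or basename(ev["image"]) not in ARCHIVERS:
        return None
    t = tokens(ev["command_line"])[1:]            # drop argv[0]
    if not t or t[0] != "a" or not any(x.startswith("-p") for x in t):
        return None
    archive = next((x for x in t[1:] if not x.startswith("-")), "?")
    return {"rule": "password_protected_archive", "detail": archive,
            "encrypted_headers": any(x.lower() == "-mhe=on" for x in t)}


def check_task(ev, baseline):
    """Task creation: exact baseline match is quiet; vendor-looking name with an odd action is loud."""
    if ev["event_id"] != 4698:
        return None
    name, action = ev["task_name"], ev["task_action"]
    if baseline.get(name) == action:
        return None
    exe = tokens(action)[0] if action.strip() else ""
    mimics_vendor = any(v in name.lower() for v in MIMICKED_VENDORS)
    odd_action = bool(USER_WRITABLE.search(action)) or basename(exe) in PROXY_OR_INTERPRETER
    rule = "masquerading_task" if mimics_vendor and odd_action else "task_not_in_baseline"
    return {"rule": rule, "detail": f"{name} -> {action}"}


def hunt(events, baseline=BASELINE):
    """Run every check over every event and return the list of findings in event order."""
    findings = []
    for ev in events:
        for check in (check_pcalua, check_archiver, lambda e: check_task(e, baseline)):
            f = check(ev)
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The baseline comparison is the part worth adapting: export the real task list (name and action) from clean hosts, then treat any task whose name matches a vendor but whose action points at pcalua.exe, a script interpreter, or a user-writable directory as high priority, and any task simply absent from the baseline as something to triage.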
-
TAKEAWAYS:
-
RedCurl's reliance on built-in Windows tools and legitimate-looking task names makes its activity hard to distinguish from normal administration.
-
Using legitimate operating system tools can obscure malicious activities from monitoring systems.
-
Regularly baseline and monitor environments for scheduled task anomalies.
-
Awareness of LOTL techniques is essential for preventing covert cyber-espionage attacks.
-
Collaboration with threat intelligence sources can enhance understanding of evolving adversary tactics.