Ethical Hacking News

The Evolution of RedCurl: A Shift from Espionage to Ransomware



The Russian-speaking hacking group RedCurl has taken a significant turn in its tradecraft by employing ransomware for the first time, marking a departure from its established focus on corporate espionage. As researchers study this new development, they may uncover additional details about the group's motivations and origins, highlighting the evolving nature of cyber threats and the importance of ongoing research into emerging threat actors.



  • RedCurl, a Russian-speaking hacking group, has added a new element to its tradecraft by deploying ransomware for the first time.
  • The group has been linked to a ransomware campaign using QWCrypt, a never-before-seen strain.
  • RedCurl's operations have shifted from pure corporate espionage to spear-phishing campaigns that culminate in ransomware deployment.
  • The ransom note appears to be inspired by the LockBit, HardBit, and Mimic groups, raising questions about the group's affiliations and intentions.
  • The lack of a dedicated leak site (DLS) associated with RedCurl creates uncertainty regarding its operations and true motives.



RedCurl, a Russian-speaking hacking group known for its corporate espionage attacks, has taken an unexpected turn in its tradecraft. According to recent reports, the group has been linked to a ransomware campaign for the first time, marking a significant departure from its established modus operandi.

The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a never-before-seen ransomware strain dubbed QWCrypt. This development is particularly noteworthy because RedCurl has been active since at least November 2018, primarily focusing on corporate espionage attacks aimed at entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States.

In recent months, RedCurl has been observed in a series of attacks targeting organizations in Canada. In one notable instance, Canadian cybersecurity company eSentire revealed that the group used spam PDF attachments masquerading as CVs and cover letters in phishing messages to sideload its loader malware using the legitimate Adobe executable "ADNotificationManager.exe." A similar attack sequence was documented by Bitdefender; it employed mountable disk image (ISO) files disguised as CVs to initiate a multi-stage infection procedure.

Present within the disk image was a file that mimicked a Windows screensaver (SCR) but was, in reality, the ADNotificationManager.exe binary, used to execute the loader ("netutils.dll") via DLL side-loading. Upon execution, netutils.dll immediately issued a ShellExecuteA call with the "open" verb, directing the victim's browser to https://secure.indeed.com/auth. This displayed a legitimate Indeed login page, a calculated distraction designed to mislead the victim into thinking they had simply opened a CV.

The loader, per Bitdefender, also acted as a downloader for a next-stage backdoor DLL, while establishing persistence on the host by means of a scheduled task. The newly retrieved DLL was then executed using the Program Compatibility Assistant (pcalua.exe), a technique detailed by Trend Micro in March 2024.
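The infection chain above has several observable pivots a defender can hunt for: the Adobe notifier loading a netutils.dll from outside the Windows system directories, that same process spawning a browser for the decoy Indeed page, and pcalua.exe being handed a DLL. The following is an added illustration (not code from the article or from Bitdefender) of those rules run over constructed process and image-load events; it assumes the sensor records the PE OriginalFileName so the renamed CV.scr copy can still be identified, that a scheduled task is created via schtasks.exe, and that the DLL path appears on the pcalua.exe command line.

```python
import ntpath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
LURE_EXE = "adnotificationmanager.exe"

def _ident(ev, key):
    # Process identity: PE OriginalFileName when the sensor records it, else the on-disk
    # name. A copy renamed to CV.scr keeps OriginalFileName=ADNotificationManager.exe.
    return (ev.get(key + "_orig") or ntpath.basename(ev.get(key, ""))).lower()

def check_event(ev):
    """Return the names of the rules this single event triggers (empty if benign)."""
    hits = []
    image, parent = _ident(ev, "image"), _ident(ev, "parent")
    cmd = ev.get("cmdline", "").lower()
    if ev["type"] == "imageload":
        mod = ev["module"].lower()
        # netutils.dll belongs in System32/SysWOW64; the same name loaded by the Adobe
        # notifier from anywhere else (a mounted ISO, a user-writable folder) is side-loading.
        if (image == LURE_EXE and ntpath.basename(mod) == "netutils.dll"
                and ntpath.dirname(mod) not in SYSTEM_DIRS):
            hits.append("dll_sideload_netutils")
    elif ev["type"] == "process":
        if parent == LURE_EXE and image in BROWSERS:
            hits.append("decoy_browser_launch")    # ShellExecuteA "open" on the Indeed URL
        if parent == LURE_EXE and image == "schtasks.exe":
            hits.append("sched_task_persistence")  # assumption: task created via schtasks.exe
        if image == "pcalua.exe" and ".dll" in cmd:
            hits.append("pcalua_dll_exec")         # Program Compatibility Assistant proxy exec
    return hits

def scan(events):
    """Run every rule over a list of events; returns (event index, rule name) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in check_event(ev)]

# Constructed sample telemetry, modelled on the chain described in the article.
SAMPLE_EVENTS = [
    {"type": "imageload", "image": r"E:\CV_JaneDoe.scr",
     "image_orig": "ADNotificationManager.exe", "module": r"E:\netutils.dll"},
    {"type": "process", "parent": r"E:\CV_JaneDoe.scr", "parent_orig": "ADNotificationManager.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe https://secure.indeed.com/auth"},
    {"type": "process", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r'pcalua.exe -a "C:\Users\jdoe\AppData\Local\Temp\stage2.dll"'},
    # Benign: the real Adobe notifier loading the real netutils.dll from System32.
    {"type": "imageload", "image": r"C:\Program Files\Adobe\Acrobat\ADNotificationManager.exe",
     "module": r"C:\Windows\System32\netutils.dll"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign fourth event shows why the side-load rule keys on the DLL's directory rather than its name alone.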

The access afforded by the implant paved the way for lateral movement, allowing the threat actor to navigate the network, gather intelligence, and further escalate its access. However, in what appears to be a major pivot from its established modus operandi, one such attack also led to the deployment of ransomware for the first time.

The introduction of QWCrypt marks an intriguing shift in RedCurl's tradecraft, as it diverges from the group's traditional focus on corporate espionage. The use of spear-phishing emails bearing Human Resources (HR)-themed lures and the deployment of a never-before-seen ransomware strain underscore this change.

As researchers continue to study the QWCrypt ransomware, they may uncover additional details about RedCurl's motivations and origins. Notably, the ransom note appears to be inspired by the LockBit, HardBit, and Mimic groups, raising questions about the group's affiliations and intentions.

Furthermore, the absence of a dedicated leak site (DLS) associated with RedCurl has created uncertainty regarding the true nature of its operations. Is this ransomware campaign a genuine extortion attempt, or merely a diversion tactic? The lack of clarity on these points highlights the evolving nature of cyber threats and the importance of ongoing research into emerging threat actors.

In conclusion, the emergence of QWCrypt marks an intriguing shift in RedCurl's tradecraft. As researchers delve deeper into this new ransomware strain, they may uncover additional insights into the group's motivations, origins, and intentions. This development underscores the need for continued vigilance and cooperation among cybersecurity experts to stay ahead of emerging threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Evolution-of-RedCurl-A-Shift-from-Espionage-to-Ransomware-ehn.shtml

Published: Wed Mar 26 11:24:09 2025 by llama3.2 3B Q4_K_M
