The Russian-speaking hacking group referred to as RedCurl has been linked to a ransomware marketing campaign for the primary time, marking a departure within the risk actor’s tradecraft.
The exercise, noticed by Romanian cybersecurity firm Bitdefender, entails the deployment of a never-before-seen ransomware pressure dubbed QWCrypt.
RedCurl, additionally referred to as Earth Kapre and Pink Wolf, has a historical past of orchestrating company espionage assaults aimed toward numerous entities in Canada, Germany, Norway, Russia, Slovenia, Ukraine, the UK, and the USA. It is identified to be energetic since a minimum of November 2018.
Assault chains documented by Group-IB in 2020 entailed using spear-phishing emails bearing Human Sources (HR)-themed lures to activate the malware deployment course of. Earlier this January, Huntress detailed assaults mounted by the risk actor concentrating on a number of organizations in Canada to deploy a loader dubbed RedLoader with “easy backdoor capabilities.”
Then final month, Canadian cybersecurity firm eSentire revealed RedCurl’s use of spam PDF attachments masquerading as CVs and canopy letters in phishing messages to sideload the loader malware utilizing the authentic Adobe executable “ADNotificationManager.exe.”
The assault sequence detailed by Bitdefender traces the identical steps, utilizing mountable disk picture (ISO) information disguised as CVs to provoke a multi-stage an infection process. Current inside the disk picture is a file that mimics a Home windows screensaver (SCR) however, in actuality, is the ADNotificationManager.exe binary that is used to execute the loader (“netutils.dll”) utilizing DLL side-loading.
“After execution, the netutils.dll instantly launches a ShellExecuteA name with the open verb, directing the sufferer’s browser to https://safe.certainly.com/auth,” Martin Zugec, technical options director at Bitdefender, mentioned in a report shared with The Hacker Information.
“This shows a authentic Certainly login web page, a calculated distraction designed to mislead the sufferer into considering they’re merely opening a CV. This social engineering tactic offers a window for the malware to function undetected.”
 |
| Picture Supply: eSentire |
The loader, per Bitdefender, additionally acts as a downloader for a next-stage backdoor DLL, whereas additionally establishing persistence on the host by the use of a scheduled process. The newly retrieved DLL is then executed utilizing Program Compatibility Assistant (pcalua.exe), a way detailed by Pattern Micro in March 2024.
The entry afforded by the implant paves the best way for lateral motion, permitting the risk actor to navigate the community, collect intelligence, and additional escalate their entry. However in what seems to be a significant pivot from their established modus operandi, one such assault additionally led to the deployment of ransomware for the primary time.
“This centered concentrating on might be interpreted as an try to inflict most injury with minimal effort,” Zugec mentioned. “By encrypting the digital machines hosted on the hypervisors, making them unbootable, RedCurl successfully disables all the virtualized infrastructure, impacting all hosted companies.”
The ransomware executable, in addition to using the deliver your personal susceptible driver (BYOVD) approach to disable endpoint safety software program, takes steps to collect system data previous to launching the encryption routine. What’s extra, the ransom observe dropped following encryption seems to be impressed by LockBit, HardBit, and Mimic teams.
“This apply of repurposing present ransom observe textual content raises questions in regards to the origins and motivations of the RedCurl group,” Zugec mentioned. “Notably, there isn’t a identified devoted leak website (DLS) related to this ransomware, and it stays unclear whether or not the ransom observe represents a real extortion try or a diversion.”