Full Report
The Russian-speaking hacking group called RedCurl has been linked to a ransomware campaign for the first time, marking a departure in the threat actor's tradecraft. The activity, observed by Romanian cybersecurity company Bitdefender, involves the deployment of a never-before-seen ransomware strain dubbed QWCrypt. RedCurl, also called Earth Kapre and Red Wolf, has a history of orchestrating
Analysis Summary
# Threat Actor: RedCurl
## Attribution & Identity
**Name:** RedCurl
**Aliases:** Earth Kapre, Red Wolf
**Attribution:** Russian-speaking hacking group.
**Known Associations:** None named in the source; the group is historically known for corporate espionage rather than for ransomware operations.
## Activity Summary
RedCurl has historically focused on corporate espionage, but the activity reported by Bitdefender shows a significant pivot towards ransomware deployment, a shift in modus operandi. The new activity is the first observed deployment of the QWCrypt ransomware strain. Past campaigns relied on spear-phishing emails with HR-themed lures, or on spam PDF attachments disguised as CVs and cover letters, to deliver loaders. In January of this year the group targeted organizations in Canada to deploy the RedLoader malware.
## Tactics, Techniques & Procedures
- Spear-phishing emails with HR/CV lures used to initiate infection.
- Use of mountable disk image (ISO) files disguised as CVs.
- **DLL Sideloading:** Abuse of the legitimate executable `ADNotificationManager.exe` to load a malicious DLL (`netutils.dll`) in place of the genuine Windows system library of the same name.
- **Social Engineering Distraction:** After execution, the initial DLL directs the victim's browser to a legitimate `https://secure.indeed.com/auth` login page to provide a distraction while malware operates.
- Loader acts as a downloader for a next-stage backdoor DLL.
- **Persistence Mechanism:** Establishing persistence via a scheduled task.
- **Abuse of Legitimate Windows Functionality:** Execution of the next-stage DLL using the Program Compatibility Assistant (`pcalua.exe`).
- Lateral movement and intelligence gathering enabled by the backdoor.
- **New TTP:** Deployment of the QWCrypt ransomware strain.
## Targeting
**Sectors:** Not specified in the source. Historical victims were organizations of interest for corporate espionage; the ransomware pivot implies a broader potential target base.
**Geography:** Canada, Germany, Norway, Russia, Slovenia, Ukraine, United Kingdom, and the United States.
**Victims:** Several organizations in Canada were specifically targeted earlier this year with RedLoader deployment.
## Tools & Infrastructure
- **Malware Families Used:**
- QWCrypt (new ransomware strain; this is its first observed deployment)
- RedLoader (loader that retrieves the next-stage backdoor DLL)
- Next-stage backdoor DLL (used for lateral movement and intelligence gathering)
- **Infrastructure (C2, domains, IPs):** No attacker-controlled C2 domains or IP addresses are given in the source.
- `https://secure.indeed.com/auth`: the legitimate Indeed login page the initial DLL opens as a distraction. It is not attacker infrastructure and should not be blocklisted; the useful signal is a browser launch to this URL from the `ADNotificationManager.exe` process chain, not the URL itself.
## Implications
RedCurl's shift from pure espionage to deploying ransomware (QWCrypt) suggests a monetization motive is supplanting or supplementing their traditional goals. This pivot increases the potential financial impact on targeted organizations and may indicate increased operational maturity or partnerships within the cybercrime ecosystem. Their established history of accessing corporate networks through sophisticated delivery methods makes them a high-risk threat actor, even in their new ransomware guise.
## Mitigations
- Restrict execution of files launched from mounted disk images (ISO) and downloaded archives; treat screensaver (.SCR) files, which are ordinary executables under another extension, with particular suspicion.
- Monitor for `ADNotificationManager.exe` loading `netutils.dll` from any directory other than the Windows system directories (the genuine library lives in `System32`), and for the binary itself running from a mounted image or a user-writable path.
- Scrutinize scheduled task creation for persistence, especially tasks whose action points to a user-writable location.
- Alert on `pcalua.exe` being used to launch payloads (`pcalua.exe -a <target>`), a known living-off-the-land technique.
- Maintain up-to-date endpoint detection and response (EDR) coverage; the source gives no file hashes or behavioural indicators for QWCrypt, so detection should focus on the delivery chain (side-loading, scheduled task, `pcalua.exe`) that precedes it.
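The following Python script is an added example, not code from the original report or from Bitdefender. It turns the execution chain listed under Tactics, Techniques & Procedures and the three detection mitigations above into rules run over a handful of constructed Sysmon-style events (EventID 1 = process create, EventID 7 = image load). The event format, the drive letter `E:` for the mounted ISO, the vendor install path, the task name and the file name `stage2.dll` are all assumptions made for the sample and not indicators from the source.

```python
"""Added example: hunting the RedCurl/RedLoader delivery chain in Sysmon-style telemetry.

Rules (each mirrors a mitigation from the summary above):
  * netutils.dll side-loaded from a non-system directory (ADNotificationManager.exe abuse),
  * pcalua.exe used to launch a payload (pcalua.exe -a <target>),
  * schtasks /create whose action points at a user-writable path.
Event format, file paths, drive letter and names are constructed for the example.
"""
import ntpath
import re
from typing import Callable, Dict, List, Optional, Tuple

# Directories where the genuine netutils.dll lives; a load from anywhere else is a side-load.
SYSTEM_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
# Path fragments that indicate a location an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
SIDELOAD_HOST = "adnotificationmanager.exe"

# Constructed sample events (key=value fields joined by '|'), not real telemetry.
SAMPLE_EVENTS = [
    # 0: benign baseline, the legitimate binary in an assumed vendor path loading the real DLL
    r'EventID=7|Image=C:\Program Files\Vendor\ADNotificationManager.exe|ImageLoaded=C:\Windows\System32\netutils.dll',
    # 1: the same binary launched by the user from a mounted ISO (drive letter assumed)
    r'EventID=1|Image=E:\ADNotificationManager.exe|ParentImage=C:\Windows\explorer.exe|CommandLine="E:\ADNotificationManager.exe"',
    # 2: side-load: netutils.dll resolved from the binary's own directory instead of System32
    r'EventID=7|Image=E:\ADNotificationManager.exe|ImageLoaded=E:\netutils.dll',
    # 3: persistence: scheduled task whose action lives under the user's profile
    r'EventID=1|Image=C:\Windows\System32\schtasks.exe|ParentImage=E:\ADNotificationManager.exe|CommandLine=schtasks /create /tn Updater /tr "C:\Users\victim\AppData\Roaming\stage2.dll" /sc onlogon',
    # 4: pcalua.exe used as a living-off-the-land launcher for the next stage
    r'EventID=1|Image=C:\Windows\System32\pcalua.exe|ParentImage=C:\Windows\System32\svchost.exe|CommandLine=pcalua.exe -a C:\Users\victim\AppData\Roaming\stage2.dll',
    # 5: benign scheduled task created by an administrator, action under Program Files
    r'EventID=1|Image=C:\Windows\System32\schtasks.exe|ParentImage=C:\Windows\System32\cmd.exe|CommandLine=schtasks /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily',
]

Hit = Tuple[str, str, str]          # (rule name, severity, detail)
Finding = Tuple[int, str, str, str]  # (event index, rule name, severity, detail)


def parse_event(line: str) -> Dict[str, str]:
    """Split a 'key=value|key=value' line into a dict; values may contain '=' but not '|'."""
    return dict(field.split("=", 1) for field in line.split("|"))


def check_sideload(ev: Dict[str, str]) -> Optional[Hit]:
    """Flag netutils.dll loaded from outside the Windows system directories."""
    if ev.get("EventID") != "7":
        return None
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "netutils.dll":
        return None
    if ntpath.dirname(loaded).lower() in SYSTEM_DLL_DIRS:
        return None
    host = ntpath.basename(ev.get("Image", "")).lower()
    # The known abused host binary gets a higher severity; any other host is still suspicious.
    severity = "high" if host == SIDELOAD_HOST else "medium"
    return ("dll_sideload", severity, f"{host} loaded {loaded}")


def check_pcalua(ev: Dict[str, str]) -> Optional[Hit]:
    """Flag the Program Compatibility Assistant being used as a launcher ('-a <target>')."""
    if ev.get("EventID") != "1" or ntpath.basename(ev.get("Image", "")).lower() != "pcalua.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if not re.search(r"(^|\s)-a(\s|$)", cmd, re.IGNORECASE):
        return None
    return ("pcalua_lolbin", "high", f"pcalua.exe launcher: {cmd}")


def check_schtasks(ev: Dict[str, str]) -> Optional[Hit]:
    """Flag 'schtasks /create' whose /tr action points into a user-writable path."""
    if ev.get("EventID") != "1" or ntpath.basename(ev.get("Image", "")).lower() != "schtasks.exe":
        return None
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    match = re.search(r'/tr\s+("[^"]+"|\S+)', cmd, re.IGNORECASE)  # quoted or bare action
    target = match.group(1).strip('"') if match else ""
    if not any(marker in target.lower() for marker in USER_WRITABLE_MARKERS):
        return None
    return ("scheduled_task_persistence", "medium", f"task action in user-writable path: {target}")


RULES: List[Callable[[Dict[str, str]], Optional[Hit]]] = [check_sideload, check_pcalua, check_schtasks]


def scan(lines: List[str]) -> List[Finding]:
    """Run every rule over every event and return the findings in event order."""
    findings: List[Finding] = []
    for idx, line in enumerate(lines):
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit is not None:
                findings.append((idx, *hit))
    return findings


if __name__ == "__main__":
    for idx, rule, severity, detail in scan(SAMPLE_EVENTS):
        print(f"event {idx}: [{severity}] {rule}: {detail}")
```

Run against the sample, the script flags events 2, 3 and 4 and leaves the two benign baselines alone. The side-load rule is deliberately not tied to `ADNotificationManager.exe` alone: any process resolving `netutils.dll` from outside `System32`/`SysWOW64` is reported, with the known host binary raised to high severity, so the same logic keeps working if the group swaps the signed host executable.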