Cybercrime as-a-service , Fraud Management & Cybercrime , Fraud Risk Management

RedCurl Cyber Espionage Gang Targets Corporate Secrets

For-Hire Hackers Tied to Attacks in Canada, U.K., Russia and Beyond
RedCurl Cyber Espionage Gang Targets Corporate Secrets
Source: Group-IB

How many different types of culprits might hack an organization?

See Also: Malware Analysis Spotlight: Why Your EDR Let Pikabot Jump Through

The list is long, but it includes criminal syndicates, nation-state intelligence agencies, hacktivists and bored teenagers. Needless to say, those categories sometimes overlap.

But another class of attacker targeting at least some organizations is unscrupulous organizations that hire freelance hackers - aka mercenaries - to target the competition. There are no reliable estimates of how many organizations might attempt to steal and leak embarrassing information on competitors or to obtain intellectual property and other corporate secrets. But such attacks remain a threat.

Indeed, cybersecurity firm Group-IB says it's been tracking a for-hire advanced persistent threat group that it calls RedCurl, which since 2018 has stolen information from at least 14 organizations across Canada, Germany, Norway, Ukraine, Russia and the U.K.

The security firm has released a report including technical details that can be used to spot signs of attack by RedCurl. It says the for-hire group - apparently filled with Russian speakers - "goes beyond the modus operandi of simple cybercrime" by specializing in corporate espionage. It has hit construction companies, law firms, retailers and financial services organizations, many of which have been compromised via phishing attacks.

Sample of a RedCurl phishing message in Russian, with English translation (Source: Group-IB)

"It is obvious that the group doesn’t use its access to compromised networks for immediate material benefit and specializes in long-term and devious campaigns," Group-IB tells Information Security Media Group. It's alerted all of the victims that it's been able to identify and says some of them are continuing to remediate the RedCurl attacks.

The Cost of Corporate Espionage

The consequences of corporate espionage can be devastating. For example, Canadian telecommunications giant Nortel went out of business in 2009 after discovering in 2004 that hackers had been inside its network for at least a decade. Some reports pointed to a campaign sponsored by the Chinese government, which allegedly obtained the latest designs for Nortel's telecommunications gear, the loss of which may have hampered Nortel's ability to compete and hastened its demise.

“As an element of unfair competition, corporate espionage is a relatively rare phenomenon in the APT world,” says Rustam Mirkasymov, who heads Group-IB's malware dynamic analysis team. "Such groups focus on corporate espionage and employ various techniques to cover their activity, including the use of legitimate tools that are difficult to detect."

Group-IB says that RedCurl's attack methodology is similar to that of Red October and Cloud Atlas - two groups that researchers have previously said may be connected.

Researchers have also noted that those two groups also appeared to be Russian-speaking cyber espionage gangs. They often used a range of tools, including off-the-shelf Chinese malware, and targeted victims across numerous countries, including Russia, Romania, Ukraine, Afghanistan, Turkey and Portugal (see: Cloud Atlas Uses Polymorphic Techniques to Avoid Detection).

Despite similarities in methodologies, Group-IB says it can't prove that RedCurl is connected with either of those other groups.

The security firm also says there are no signs that RedCurl is being operated or sponsored by a nation-state. "RedCurl’s choice of victims gives no grounds to consider it a state-sponsored group," Group-IB tells ISMG. "The groups that are funded by some nations normally attack state bodies or critical infrastructure entities, which was not the case with RedCurl. RedCurl instead attacks commercial companies only, without a clear geographical link to any region."

RedCurl's Tactics

Stealth appears to be one of RedCurl's specialties, according to Group-IB, which says that the group appears to camp out in a targeted network for two to six months.

Here's how the attacks that it has traced back to the for-hire corporate espionage operation typically progress:

  • Launch phishing attacks: The attackers appear to target specific groups, such as the HR department, within an organization. Group-IB says attackers' phishing messages appear to be unusually well-crafted and often get sent from an attacker-registered domain that resembles the target's own domain name.
  • Use legitimate cloud services: To help disguise its tracks, the group uses tools written in PowerShell to download malicious resources from legitimate cloud services, such as Dropbox.
  • Exfiltrate selected data: "RedCurl’s main goal is to steal documentation from the victim's infrastructure and business emails," and once the group gains remote access to a system, it will forward a list of all files and folders on the system to a remote operator, who can decide what to exfiltrate, Group-IB says.
  • Spread malware internally: For all networked drives that attackers can access, "all files with the extensions *.jpg, *.pdf, *.doc, *.docx, *.xls, *.xlsx … are replaced with modified LNK shortcuts," and if opened, launch a malware dropper, helping to spread the malware internally.
  • Steal email credentials: Attackers use LaZagne, a tool designed to extract passwords both from memory as well as browsers, to steal email access credentials and access victims' email. "If RedCurl fails to obtain the data required, it uses a Windows PowerShell script that displays a phishing pop-up Microsoft Outlook window to the victim," Group-IB says. "After gaining access to the victim's email, RedCurl uses another PowerShell script to analyze and upload all documents of interest to cloud storage."
  • Disguise communications: Rather than have endpoints they've infected connect directly to command-and-control servers, attackers instead route communications via legitimate cloud-storage services - "such as,,,,,,,,,, and" - using PowerShell scripts, Group-IB says.

Group-IB says RedCurl's latest attack, which occurred on July 14, targeted a Russian organization.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.