A corporate cyber-espionage hacker group has resurfaced after a seven-month hiatus with new intrusions targeting four companies this year, including one of the largest wholesale stores in Russia, while simultaneously making tactical improvements to its toolset in an attempt to thwart analysis.
"In every attack, the threat actor demonstrates extensive red teaming skills and the ability to bypass traditional antivirus detection using their own custom malware," Group-IB's Ivan Pisarev said.
Active since at least November 2018, the Russian-speaking RedCurl hacking group has been linked to 30 attacks to date with the goal of corporate cyber espionage and document theft aimed at 14 organizations spanning the construction, finance, consulting, retail, insurance, and legal sectors and located in the U.K., Germany, Canada, Norway, Russia, and Ukraine.
The threat actor uses an array of established hacking tools to infiltrate its targets and steal internal corporate documentation, such as staff records, court and legal files, and enterprise email history, with the collective spending anywhere from two to six months between initial infection and the time data actually gets stolen.
RedCurl's modus operandi marks a departure from other adversaries, not least because it doesn't deploy backdoors nor rely on post-exploitation tools like CobaltStrike and Meterpreter, both of which are seen as typical methods to remotely control compromised devices. What's more, despite maintaining entrenched access, the group hasn't been observed conducting attacks that are motivated by financial gain and involve encrypting victim infrastructure, or demanding ransoms for stolen data.
Rather, the emphasis appears to be on obtaining valuable information as covertly as possible, using a combination of self-developed and publicly available programs to gain initial access through social engineering, perform reconnaissance, achieve persistence, move laterally, and exfiltrate sensitive documentation.
"Espionage in cyberspace is a hallmark of state-sponsored advanced persistent threats," the researchers said. "In most cases, such attacks target other states or state-owned companies. Corporate cyber espionage is still a relatively rare and, in many ways, unique occurrence. However, it's possible that the group's success could lead to a new trend in cybercrime."