RedCurl corporate data theft group is back: report

Corporate Infosec leaders are being warned of a resurgence of a dangerous actor who clearly specializes in stealing business data.

Dubbed Redcurl by Singapore-based dangerous intelligence firm Group-IB and described as a Russian-speaking hacker group, many of its 30 targets and 15 victims over the past four years are firms based in Russia. However, these also include victims from Canada, the US, the UK, Germany, Norway and Ukraine.

Group-IB's warning comes after the attacks of Redcurl went undetected for seven months. So far this year, it has given competition to four organizations.

The report said the victims included companies in the construction, finance, consulting, retail, insurance and law sectors.

The attacks begin with an employee falling for a spear-phishing email. Having gained a foothold in corporate networks, RedCurl's strategy is marked by extensive red teaming skills and the ability to bypass traditional anti-virus detection using custom malware.

What it doesn't do is use encrypted infrastructure, withdraw money from accounts, or demand a ransom for stolen data. "It is most likely that the group monetized their attacks in a different way," the report said.

"Commercial corporate cyber espionage is a rare and largely unique phenomenon," said Ivan Pisarev, head of Group-IB's dynamic malware analysis team. “However, we cannot deny that the success of RedCurl could set a new trend in the field of cybercrime.”

RedCurl specializes in sending spear-phishing emails coming from the victim organization's human resources department. Email subject lines allege that the content is about changes to employee incentive programs or other company news. Employees are often tempted to click on links with the promise of bonuses.

The report noted that during the slack in its activities, the group significantly improved its arsenal. For example, there are now five phases between the victim firm receiving the phishing email and the launch of the module responsible for executing the command. Threat Group has also added a new reconnaissance tool whose code shares many similarities with the FirstStageAgent module.

"Redcurls are known for their patience," the report said. The time period from the first infection to data theft can be anywhere from two to six months. The group does not use popular post-exploit tools such as CobaltStrike and Meterpreter. Nor has it been seen using specific methods of controlling tampered devices remotely. Instead, hackers use self-developed tools and some publicly available programs to gain early access, gain persistence, move later, and extract sensitive documents.