Hacker group RedCurl is back, attacks retail


Group-IB specialists have discovered new attacks by the RedCurl hackers, a group that usually engages in commercial espionage and steals corporate documents from companies in various industries. This time an unnamed Russian retailer, one of the TOP-20 largest online stores in Russia, is in the group’s sights.

Last year, Group-IB specialists reported for the first time on the Russian-speaking hacking group RedCurl. RedCurl has been active since at least 2018. During this time the hackers have carried out 26 targeted attacks, exclusively against commercial organizations: construction, financial and consulting companies, retailers, banks, insurance, legal and tourism firms. RedCurl has shown no clear geographic focus: its victims were located in Russia, Ukraine, Great Britain, Germany, Canada and Norway. Now, after a seven-month pause, RedCurl’s attacks have resumed in 2021.


“After a long break, the group returned to the cyber espionage arena. The attackers show deep skills in penetration testing and in developing malware that can bypass classic anti-virus defenses. This means that an increasing number of companies will be included in the list of victims of a group conducting targeted attacks with the aim of stealing internal company documents. Commercial espionage remains a rare and largely unique phenomenon. However, we do not exclude that the success of this group may set a new trend in the cybercrime arena,” says Ivan Pisarev, head of Group-IB’s dynamic malware analysis department.

Since the beginning of 2021, Group-IB has recorded four attacks; in two of them the identified victim was a Russian company, which was attacked twice. One of the largest Russian retailers, specializing in wholesale and retail online trade, thus suffered at the hands of the hackers. Having found traces of the attack, Group-IB specialists promptly contacted the victim, provided the data and advised on the actions needed to contain the incident and stop it from developing further.

During the quiet period, the researchers note, the group made major improvements to its tools in pursuit of its primary goal: carefully prepared espionage.

RedCurl now investigates its victim even more thoroughly before attacking. The group’s hallmark is to send phishing emails to different departments of the organization on behalf of the HR team. In the new attacks on retail, however, RedCurl went further and carried out two well-prepared mailings: one “classic”, on behalf of the victim organization’s HR department, and a second on behalf of a well-known state portal, with the subject line “Initiation of enforcement proceedings”. Naturally, these letters had nothing to do with either the HR department or any government agency.

The example phishing emails show that RedCurl actively uses social engineering: employees interested in the topic of bonuses readily click the link in the letter.
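The HR-themed lure described above relies on mail that appears to come from the victim’s own personnel department. The following is an added example of how a defender could triage such messages at the gateway; it is not Group-IB’s or RedCurl’s code, the organization domain and the three sample messages are constructed for illustration, and the lookalike-domain test is a deliberately crude assumption.

```python
"""Added example: triage inbound mail that claims to come from the
organisation's own HR team. The domain and the messages are constructed
for illustration and are not real RedCurl artefacts."""
import email
from email.utils import parseaddr

ORG_DOMAIN = "example-retailer.ru"          # hypothetical victim domain (assumption)
HR_WORDS = ("hr", "human resources", "bonus", "payroll")  # crude lure keywords

# Constructed sample messages (not from any real incident).
SAMPLES = {
    "internal_ok": """From: HR Department <hr@example-retailer.ru>
To: staff@example-retailer.ru
Subject: Q1 bonus schedule
Authentication-Results: mx.example-retailer.ru; spf=pass; dkim=pass; dmarc=pass header.from=example-retailer.ru

Bonuses are paid on the 15th.
""",
    "spoofed_hr": """From: HR Department <hr@example-retailer.ru>
Reply-To: hr-team@example-retai1er.ru
To: staff@example-retailer.ru
Subject: Bonus payout: confirm your details
Authentication-Results: mx.example-retailer.ru; spf=fail; dkim=none; dmarc=fail header.from=example-retailer.ru

Please open the link to confirm your bonus.
""",
    "lookalike_hr": """From: HR Department <hr@example-retai1er.ru>
To: staff@example-retailer.ru
Subject: Annual bonus
Authentication-Results: mx.example-retailer.ru; spf=pass; dkim=pass; dmarc=pass header.from=example-retai1er.ru

Bonus list attached.
""",
}


def parse_auth_results(value):
    """Return {method: result} from an Authentication-Results header,
    e.g. 'mx; spf=fail; dmarc=fail header.from=x' -> {'spf': 'fail', 'dmarc': 'fail'}."""
    results = {}
    for part in value.split(";")[1:]:          # first element is the authserv-id
        part = part.strip()
        if "=" in part:
            method, _, rest = part.partition("=")
            results[method.strip().lower()] = rest.split()[0].lower()
    return results


def looks_alike(candidate, legit):
    """Crude lookalike test: same length and at most two differing characters
    (catches l->1, o->0 style substitutions; an assumption, not a full homoglyph check)."""
    if candidate == legit or len(candidate) != len(legit):
        return False
    return sum(a != b for a, b in zip(candidate, legit)) <= 2


def triage(raw):
    """Return the list of reasons a message looks like HR impersonation (empty = clean)."""
    msg = email.message_from_string(raw)
    reasons = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    subject = msg.get("Subject", "")
    claims_hr = any(w in (display + " " + subject).lower() for w in HR_WORDS)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))

    # 1. Mail using our own domain in From: but failing DMARC is spoofed.
    if from_domain == ORG_DOMAIN and auth.get("dmarc") != "pass":
        reasons.append("own-domain sender without DMARC pass")
    # 2. A Reply-To outside the organisation redirects victims' replies to the attacker.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != ORG_DOMAIN:
        reasons.append("Reply-To outside organisation")
    # 3. HR-themed display name or subject from a domain that merely resembles ours.
    if claims_hr and from_domain != ORG_DOMAIN and looks_alike(from_domain, ORG_DOMAIN):
        reasons.append("HR lure from lookalike domain")
    return reasons


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(raw) or "clean")
```

The check only fires on the combination of an internal-looking sender and a failed DMARC result, so the clean internal message passes while the spoofed and lookalike variants are flagged; a DMARC policy of `reject` on the organization’s own domain would stop the first variant before it reached users at all.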


After infecting a computer on the target organization’s network, RedCurl collects information about the victim’s infrastructure. First of all, the hackers are interested in the name and version of the infected system, the list of network and logical drives, and the list of passwords. According to Group-IB, the information stolen from the infected machine, together with its IP address and the time the request was received, is saved to a separate file on the server side. Interestingly, before being saved, the time is adjusted to the time zone of Minsk (UTC+3).

RedCurl is in no hurry: from initial infection to data theft takes two to six months. The group does not use classic post-exploitation frameworks such as Cobalt Strike or Meterpreter, and it has never been seen using standard, publicly available remote-control tools on compromised devices. Initial infection, persistence on the infected host, lateral movement across the network and theft of documents are all carried out with self-written tools plus a few public ones. According to the experts, this is why RedCurl’s actions and methods remain unique on the Russian-speaking hacker scene.

Despite the high level of control over the victim’s network, the group does not encrypt the infrastructure, does not withdraw money from accounts and does not demand a ransom for the stolen data; that is, it does nothing to realize the financial ambitions typical of cybercriminals. Usually this indicates that the group is paid for its “work” from other sources. Its task is to obtain valuable information as discreetly as possible.

RedCurl is interested above all in business email correspondence, employees’ personal files, documentation on various legal entities, court cases and other internal information. Even after the attack is over, the victim may remain unaware that all of its secrets have already “floated” to RedCurl’s servers.
