Canadian firm among those targeted by corporate espionage group: Report

An unnamed Canadian consulting company is among those targeted by a newly-discovered threat actor which has been quietly stealing or trying to steal corporate documents for almost three years from 26 firms in six countries, says a report.

Released this morning, the report from a Singapore-based cybersecurity company Group-IB dubs the group RedCurl and says it has victimized 14 organizations.

While corporate espionage is rare among threat actors, the report predicts it will likely become more widespread.

Industries targeted by this group include construction, finance, consulting, retail, banking, insurance, law, and travel. Files stolen include confidential corporate documents such as contracts, financial documents, employee records and records of legal actions and facility construction.

Victim organizations have been in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway.

Affected organizations were initially compromised by a well-written spear-phishing email apparently after detailed intelligence gathering. Each email seen by Group-IB targeted members of a specific team. Usually, the attackers posed as HR staff at the targeted organization. The emails displayed the targeted company’s address and logo, while the sender address featured the company’s domain name.


Why staff fall for phishing


A common theme across the emails seen so far is a message about annual bonuses with links to an attached document. That link went to an official-looking website on a legitimate cloud storage service. What it really did was deploy a Trojan downloader called RedCurl.Dropper that installed and launched other malware modules. Like the group’s other custom tools, the dropper was written in PowerShell.

After gaining access to the target network, says the report, the attackers scanned folders and office documents accessible from the infected computer, then selected copies of selected folders and files are uploaded. At the same time, all files with the extensions *.jpg, *.pdf, *.doc, *.docx, *.xls, *.xlsx found on network drives are replaced with modified LNK shortcuts. When such a file is opened by a user, RedCurl.Dropper is launched. This helps RedCurl infect new machines within the victim organization and propagate across the system.

The attackers also try to steal email credentials using the LaZagne tool, which extracts passwords from memory and from files saved in the victim’s web browser. If that fails, a Windows PowerShell script is deployed that displays a phishing pop-up Microsoft Outlook window to the victim. After gaining access to the victim’s email, RedCurl uses another PowerShell script to analyze and upload all documents of interest.

The RedCurl.Dropper Trojan, like the group’s other tools, does not connect directly to the attackers’ command and control server. Instead, all communication between the victim’s infrastructure and the attackers is ensured through legitimate cloud storage such as Cloudme,, All commands are passed as PowerShell scripts, allowing RedCurl to remain undetected by traditional security solutions for a long time.

The full report is available here. Registration required.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now