An unnamed Canadian consulting company is among the victims of a newly discovered threat actor that has spent almost three years quietly stealing, or trying to steal, corporate documents from organizations in six countries, according to a report released this morning by Singapore-based cybersecurity company Group-IB.
The report dubs the group RedCurl and counts 26 targeted attacks against 14 organizations since 2018 (several victims were hit more than once).
While corporate espionage is rare among threat actors, the report predicts it will likely become more widespread.
Industries targeted by this group include construction, finance, consulting, retail, banking, insurance, law, and travel. Files stolen include confidential corporate documents such as contracts, financial documents, employee records and records of legal actions and facility construction.
Victim organizations have been in Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway.
Affected organizations were initially compromised by a well-written spear-phishing email, apparently sent after detailed reconnaissance of the target. Each email seen by Group-IB was aimed at the members of a specific team. Usually the attackers posed as HR staff of the targeted organization: the emails carried the company's address and logo, and the sender address used the company's own domain name. Mail of that kind is exactly what a DMARC reject policy on the company's domain is meant to stop, unless the attackers used a lookalike domain rather than the real one.
A common theme across the emails seen so far is a message about annual bonuses containing a link to what purports to be an attached document. The link actually led to an official-looking page on a legitimate cloud storage service, from which the victim fetched a Trojan downloader Group-IB calls RedCurl.Dropper; the dropper then installed and launched the group's other malware modules. Like the rest of the group's custom tooling, the dropper is written in PowerShell.
After gaining a foothold, says the report, the attackers scan the folders and office documents reachable from the infected computer and upload copies of selected folders and files. At the same time, every file with the extension *.jpg, *.pdf, *.doc, *.docx, *.xls or *.xlsx found on network drives is replaced with a modified LNK shortcut that keeps the document's name and icon. When a user opens one of these "documents", RedCurl.Dropper is launched instead. This is how RedCurl infects new machines inside the victim organization and spreads across the network without any exploit: it only needs write access to a shared folder and a user who trusts what looks like a familiar file.
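The shortcut-replacement trick above is easy to hunt for on a mounted share, because a .lnk file records what it launches. The following is an added example written for this article, not Group-IB's tooling or anything from RedCurl's kit: it parses the ShellLinkHeader and StringData sections of the Windows shortcut format (MS-SHLLINK) to recover the target and arguments, then flags shortcuts that hide a document extension before ".lnk" or that launch PowerShell. The two sample shortcuts are built inline and are constructed for the demonstration; their paths and command lines are assumptions, not observed RedCurl artefacts.

```python
"""Triage .lnk files on a file share for document-lookalike lures.

Added example for this article, not code from Group-IB or from RedCurl.
Parses a Windows shortcut (MS-SHLLINK) far enough to read the relative
path, arguments and icon, and flags shortcuts that pose as documents or
launch PowerShell. The sample shortcuts below are constructed.
"""
import os
import re
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"                               # HeaderSize = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide what follows the 76-byte header.
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_DATA = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
               (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"),
               (HAS_ICON, "icon_location"))                     # fixed on-disk order

DOC_EXTS = (".jpg", ".pdf", ".doc", ".docx", ".xls", ".xlsx")  # extensions named in the report
SUSPICIOUS = re.compile(
    r"powershell|pwsh|-enc|-w(?:indowstyle)?\s+hidden|bypass|iex\b|"
    r"downloadstring|mshta|wscript|cscript|rundll32|cmd\.exe", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk (relative_path, arguments, ...)."""
    if len(data) < 76 or data[:4] != LNK_MAGIC or data[4:20] != LNK_CLSID:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76                                          # skip the fixed-size header
    if flags & HAS_IDLIST:                            # IDListSize (2 bytes) + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                          # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, key in STRING_DATA:                     # each: CountCharacters (2) + chars
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            fields[key] = data[pos:pos + nbytes].decode("utf-16-le" if unicode else "cp1252")
            pos += nbytes
    return fields


def triage_lnk(filename: str, data: bytes) -> list:
    """Reasons this shortcut looks like a lure; an empty list means nothing found."""
    reasons = []
    stem = filename.lower()
    if stem.endswith(".lnk") and stem[:-4].endswith(DOC_EXTS):
        reasons.append("document extension hidden before .lnk")
    try:
        fields = parse_lnk(data)
    except ValueError as exc:                         # not a shortcut at all: still worth a look
        return reasons + [str(exc)]
    cmdline = " ".join(fields.get(k, "") for k in ("relative_path", "arguments"))
    hit = SUSPICIOUS.search(cmdline)
    if hit:
        reasons.append("launches %r (matched %r)" % (cmdline.strip(), hit.group(0)))
    return reasons


def scan_share(root: str) -> dict:
    """Walk a mounted share and map each suspicious .lnk path to its reasons."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".lnk"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    reasons = triage_lnk(name, fh.read())
                if reasons:
                    findings[path] = reasons
    return findings


def build_lnk(relative_path=None, arguments=None, working_dir=None,
              icon_location=None, id_list=None) -> bytes:
    """Build a minimal Unicode .lnk for testing (constructed, not a real sample)."""
    values = {"relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE | sum(f for f, k in STRING_DATA if values.get(k) is not None)
    if id_list is not None:
        flags |= HAS_IDLIST
    header = (LNK_MAGIC + LNK_CLSID + struct.pack("<I", flags)
              + struct.pack("<I", 0x20)               # FILE_ATTRIBUTE_ARCHIVE
              + b"\x00" * 24                          # creation/access/write times
              + struct.pack("<III", 0, 0, 7)          # FileSize, IconIndex, ShowCommand=SW_SHOWMINNOACTIVE
              + b"\x00" * 12)                         # HotKey + reserved fields
    body = b"" if id_list is None else struct.pack("<H", len(id_list)) + id_list
    for _, key in STRING_DATA:                        # emit in the order the parser expects
        if values.get(key) is not None:
            body += struct.pack("<H", len(values[key])) + values[key].encode("utf-16-le")
    return header + body


# Constructed samples: a lure that looks like a contract but runs PowerShell with a
# Word icon, and a benign Notepad shortcut for comparison. Paths are assumptions.
LURE_LNK = build_lnk(
    relative_path=r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    arguments=r'-w hidden -ep bypass -c "iex (gc \\fileserver\share\Contract_2020.ps1 -raw)"',
    icon_location=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
    id_list=b"\x00\x00")                              # empty IDList: just the TerminalID
BENIGN_LNK = build_lnk(relative_path=r"..\..\Windows\System32\notepad.exe",
                       working_dir=r"C:\Users\alice\Documents")

if __name__ == "__main__":
    for name, blob in (("Contract_2020.docx.lnk", LURE_LNK), ("Notepad.lnk", BENIGN_LNK)):
        print(name, "->", triage_lnk(name, blob) or "clean")
```

Run `scan_share(r"\\fileserver\share")` (or a local mount point) to sweep a whole share. The double-extension check alone catches the mass-replacement behaviour described in the report even when the parser cannot read a malformed shortcut, which is why `triage_lnk` still returns a reason in that case; the command-line check catches lures that were given a plausible single name.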
The attackers also try to steal email credentials with the open-source LaZagne tool, which recovers passwords from memory and from the credential files saved by the victim's web browser. If that fails, a PowerShell script displays a fake Microsoft Outlook login prompt to the victim. Once they have access to the victim's mailbox, RedCurl uses another PowerShell script to sift it and upload every document of interest.
The RedCurl.Dropper Trojan, like the group's other tools, never connects directly to an attacker-owned command and control server. Instead, all communication between the victim's infrastructure and the attackers is relayed through legitimate cloud storage services such as Cloudme, koofr.net and pcloud.com, so the traffic blends in with ordinary use of those services. Commands are delivered as PowerShell scripts, which is how RedCurl stayed undetected by traditional security solutions for so long: on the network there is only HTTPS to well-known cloud providers, and on the host there is only PowerShell.
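Because the relay traffic is indistinguishable from normal cloud storage use at the network layer, the useful signal is the combination of process and destination: a script host, not a browser or sync client, talking to one of those services. The following is an added example, not Group-IB's detection content: it correlates constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) records as JSON lines and flags PowerShell processes connecting to the storage services the report names. The log format, the host and user names, and the mapping of "Cloudme" to the domain cloudme.com are assumptions.

```python
"""Hunt for PowerShell talking to consumer cloud storage.

Added example for this article, not Group-IB's detection logic. Reads
Sysmon-style JSON lines (constructed below), indexes process creations by
ProcessGuid, then flags every network connection made by a script host to
one of the cloud storage services the report names. Domains are assumed.
"""
import json

# Services named in the report as RedCurl's relay; cloudme.com is an assumed domain.
RELAY_DOMAINS = ("cloudme.com", "koofr.net", "pcloud.com")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}


def matches_relay(hostname) -> bool:
    """True if hostname is one of the relay domains or a subdomain of one."""
    host = (hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in RELAY_DOMAINS)


def basename(path) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return (path or "").replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(log_lines) -> list:
    """Return one finding per script-host connection to a relay domain.

    Two passes: process creations are indexed first so that a connection event
    that happens to be logged before its process start still gets its command line.
    """
    events = [json.loads(line) for line in log_lines if line.strip()]
    procs = {ev["ProcessGuid"]: ev for ev in events if ev.get("EventID") == 1}
    findings = []
    for ev in events:
        if ev.get("EventID") != 3:
            continue
        if basename(ev.get("Image")) not in SCRIPT_HOSTS:
            continue                                 # browsers and sync clients are expected here
        if not matches_relay(ev.get("DestinationHostname")):
            continue
        start = procs.get(ev.get("ProcessGuid"), {})  # may be missing if logging started late
        findings.append({
            "computer": ev.get("Computer"),
            "user": start.get("User") or ev.get("User"),
            "image": ev.get("Image"),
            "destination": "%s:%s" % (ev.get("DestinationHostname"), ev.get("DestinationPort")),
            "command_line": start.get("CommandLine"),   # None when the start event is unknown
            "parent_image": start.get("ParentImage"),
        })
    return findings


# Constructed sample log: one infected finance workstation whose start event is logged
# after its first connection, a browser using koofr legitimately, a benign admin script,
# and a law-team host with a missing process-start record.
SAMPLE_LOG = r"""
{"EventID": 3, "Computer": "WS-FIN-07", "ProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "api.pcloud.com", "DestinationPort": 443}
{"EventID": 1, "Computer": "WS-FIN-07", "ProcessGuid": "{A}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe -w hidden -ep bypass -f C:\\Users\\bob\\AppData\\Roaming\\sync.ps1", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\bob"}
{"EventID": 3, "Computer": "WS-MKT-11", "ProcessGuid": "{B}", "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "DestinationHostname": "app.koofr.net", "DestinationPort": 443}
{"EventID": 1, "Computer": "WS-HR-02", "ProcessGuid": "{C}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "CommandLine": "powershell.exe Get-Service", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\admin"}
{"EventID": 3, "Computer": "WS-HR-02", "ProcessGuid": "{C}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "update.microsoft.com", "DestinationPort": 443}
{"EventID": 3, "Computer": "WS-LAW-03", "ProcessGuid": "{D}", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "cloudme.com", "DestinationPort": 443, "User": "CORP\\carol"}
"""

if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG.splitlines()):
        print(json.dumps(finding))
```

Tune `SCRIPT_HOSTS` to the organization: if PowerShell legitimately syncs to one of these providers somewhere, add an allow-list keyed on command line rather than dropping the rule, because the command line (here, `-w hidden -ep bypass` reading a script from a user profile) is usually where the lure and the legitimate job differ.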
The full report is available from Group-IB; registration is required to download it.