RedCurl Emerges as a Corporate Espionage APT

Written by

Security researchers have uncovered a prolific new APT group blamed for at least 26 targeted corporate espionage attacks on global firms since 2018.

Dubbed “RedCurl” buy Group-IB, the entity is thought to be Russian-speaking but previous targets were located in Russia, Ukraine, the UK, Germany, Canada, and Norway. Victims hail from a wide variety of industries including insurance, construction, retail, banking, law, finance and even travel agencies.

The end goal of attacks appears to be the theft of confidential corporate data such as contracts, financial documents, employee personal records, and information on legal action and facility construction.

Spear-phishing was used extensively to target specific teams in victim organizations, with the attackers posing as HR staff members and sending their emails to multiple recipients to avoid raising suspicion, the report claimed.

These messages were so carefully drafted that Group-IB claimed they resemble red team pen-testing exercises.

“To deliver the payload, RedCurl used archives, links to which were placed in the email body and led to legitimate cloud storage services. The links were disguised so that the victim would not suspect that opening the attached document about bonuses from the supposedly official website would deploy a Trojan, controlled by the attacker through the cloud, on the local network,” the vendor explained.

“The Trojan-downloader RedCurl.Dropper served as the attackers’ pass to the targeted system that installed and launched other malware modules. Like the group's other custom tools, the dropper was written in PowerShell.”

With access to a target network, the attackers then scan for folders and documents, and steal email log-ins via the LaZagne tool if they don’t find what they’re looking for.

RedCurl remains in victim networks for an average of two to six months. Persistence is maintained because all communication between the victim's infrastructure and the attackers is made via legitimate cloud storages such as Cloudme,, and, and all commands are passed as PowerShell scripts.

Rustam Mirkasymov, head of the Malware Dynamic Analysis Team at Group-IB, argued that corporate espionage is a relatively rare phenomenon in the APT world.

“For RedCurl, it makes no difference whether to attack a Russian bank or a consulting company in Canada. Such groups focus on corporate espionage and employ various techniques to cover their activity, including the use of legitimate tools that are difficult to detect,” he added.

“The contents of the victim’s documents and records can be much more valuable than the contents of their own wallets. Despite the lack of direct financial damage, which is typical of financially motivated cyber-criminal groups, the consequences of espionage can amount to tens of millions of dollars.”

It is hoped that with technical details and IOCs detailed in the report, organizations will be better able to detect and block RedCurl attacks in future.

What’s hot on Infosecurity Magazine?