RedCurl, a corporate espionage organization that made headlines before disappearing last year, has reappeared with new breaches targeting four companies this year, including one of Russia’s largest wholesale retailers. According to researchers, it is also making tactical adjustments to its toolkit to thwart analysis.
The Russian-speaking RedCurl hacking group, active since November 2018, has been linked to 30 attacks to date, with the goal of cyber espionage and document theft aimed at 14 organizations in the construction, finance, consulting, retail, insurance, and legal sectors, and based in the United Kingdom, Germany, Canada, Norway, Russia, and Ukraine.
“The threat actor exhibits extensive red teaming skills and the ability to defeat typical antivirus detection utilizing their own unique malware in every attack,” said Ivan Pisarev of Group-IB.
To infiltrate its targets and acquire internal company material, such as staff records, court and legal papers, and enterprise email history, the threat actor employs a variety of well-known hacking tools, taking anywhere from two to six months from initial infection to data theft.
RedCurl’s approach differs from that of other attackers because it does not use backdoors or rely on post-exploitation tools like CobaltStrike and Meterpreter, both commonly used to remotely control compromised devices. Moreover, despite having entrenched access, the organization hasn’t been seen undertaking financially motivated operations involving encrypting victim infrastructure or demanding ransoms for stolen data.
Rather, it appears that the focus is on obtaining valuable information as quietly as possible, using a combination of self-developed and publicly available programs to gain initial access via social engineering, conduct reconnaissance, maintain persistence, move laterally, and exfiltrate sensitive documentation.