RedCurl: Hackers take action against companies in the UK and Germany

Researchers investigate 26 attacks against 14 organizations in 6 countries. RedCurl attacks companies with spear phishing. The hackers target business secrets and employee data.

The security provider Group-IB warns of a new Russian-speaking group of hackers that is said to have specialized in industrial espionage for around three years. The researchers have been following the activities of the RedCurl group since summer 2019. They hold the cyber criminals responsible for a total of 26 attacks against 14 organizations in 6 countries, including Germany.

Motif photo hacker (Image: Shutterstock)So far, companies in the construction, retail and travel sectors have been affected. Insurance companies, banks, law firms and consulting firms were also attacked in Russia, Ukraine, Canada, Great Britain, Norway and Germany. Mostly confidential documents with trade secrets were stolen, but also personal data of employees.

According to the analysis, instead of using sophisticated hacking tools, the hackers also use spear phishing to gain access to a victim’s network. “What is special about RedCurl is that the email content is carefully drafted,” said the researchers. “For example, the emails showed the address and logo of the target company, while the sender address contained the company’s domain name.”

The attackers often pretended to be employees of the human resources department and sent messages to several employees of a company. That made the phishing attack less suspicious, especially if the recipients worked in a department.

The emails, in turn, contained links to malware-infected files for victims to download. If the files were actually opened, they released several PowerShell-based Trojans.

So far, the researchers have only found these Trojans in RedCurl attacks. They allowed the hackers to search the infected systems and download additional malware. The upload of files to servers controlled by the hackers was also part of the range of functions. However, the hackers used the rarely used WebDAV protocol for this.

The hackers also tried to infect other systems on the network. Among other things, they replaced files on network shares with links that led to the malware instead of the actual files. “The phase of spreading over the network is significantly extended over time, as the group strives to remain unnoticed for as long as possible and not use active Trojans that could reveal their presence,” added the researchers.

To new heights with SkySQL, the ultimate MariaDB cloud

In this webinar we will introduce you to SkySQL, explain the architecture and explain the differences to other systems such as Amazon RDS a. You’ll also get a glimpse of the product roadmap, a live demo, and how you can get SkySQL up and running in minutes.

Leave a Reply

Your email address will not be published. Required fields are marked *