FlagThis

CyberSecurity updates
2025-02-22 14:11:58 Pacfic
Oleg (noreply@blogger.com) @ Know Your Adversary
RedCurl APT Abuses PowerShell for Data Exfiltration - 4d
Read more: www.knowyouradversary.ru

The RedCurl APT, also known as Earth Kapre or Red Wolf, has been observed abusing PowerShell for data collection and exfiltration. According to a report by eSentire, this sophisticated cyber espionage group is actively targeting private sector organizations, with a particular focus on corporate espionage. The attackers use a multi-stage intrusion to bypass conventional defenses, starting with phishing ploys and breaking down the intrusion into stages.

RedCurl leverages PowerShell in several key steps of their attacks. First, they use 7-Zip to archive collected data, employing specific command-line parameters like "x", "-aoa", "-p", and "-o" during the archival process. Then, PowerShell is used to exfiltrate the archived data via MSXML2.ServerXMLHTTP and ADODB.Stream, employing commands such as "LoadFromFile", "PUT", and "Send". eSentire's Threat Response Unit (TRU) advises tracking these specific PowerShell executions and command-line arguments to detect and mitigate RedCurl's activities.

Original img attribution: https://blogger.googleusercontent.com/img/a/AVvXsEjs0-NHHC6RC6nObhMcMls98VhDY_f84trteznQ4f38vwpJTexMMLzkr9IMmGuM_Yrm0UtQgJ4Y32UpAVZraBQzKqSvExLs4dlWumkRgNE5p97sKAzbHPfovdzKm90Y4dY24blL6r6T6w67HRHDylxWvaKBsluD8o8-al3s0Do6cuz-ibzLYhwl0LhMn3hO=w1200-h630-p-k-no-nu
ImgSrc: blogger.googleusercontent.com
References:
  • www.esentire.com - eSentire report on RedCurl abusing PowerShell. - 5d
  • Know Your Adversary - RedCurl Abuses PowerShell for Collection and Exfiltration: Detection Opportunities - 5d
  • Information Security Buzz - eSentire Uncovers EarthKapre/RedCurl Attack Targeting Law Firms - 4d
  • socprime.com - RedCurl/EarthKapre APT Attack Detection: A Sophisticated Cyber-Espionage Group Uses a Legitimate Adobe Executable to Deploy a Loader - 4d
  • @VirusBulletin - eSentire researchers summarise a recent investigation into an attack by the RedCurl/EarthKapre APT against an organization within the legal services industry. The group primarily targets private-secto - 4d
  • SOC Prime Blog - The nefarious cyber-espionage hacking collective tracked as EarthKapre or RedCurl APT has resurfaced to target legal sector organizations using Indeed-themed phishing. - 4d
  • Talkback Resources - Unraveling the Many Stages and Techniques Used by RedCurl/EarthKapre… [net] [mal] - 4d

Classification:

This site is an experimental news aggregator using feeds I personally follow. You can provide me feedback using this form or using Bluesky.