CyberSecurity SEE

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

In late 2024, researchers uncovered the RedCurl APT group conducting malicious activity in Canada. The attackers were found to be using scheduled tasks to execute pcalua.exe, which in turn ran malicious binaries and Python scripts, including RPivot's client.py, to establish a connection with a remote server.

The primary objective of this APT group appears to be data exfiltration to cloud storage, targeting a wide range of industries. The attackers aim for long-term persistence so that data collection can continue. The RedCurl malware uses PowerShell to download files from a cloud storage location on bora.teracloud[.]jp/dav using HTTP GET requests. These files are then unpacked with 7zip using a password stored in a batch file.

The Python script used in the attack runs client.py (the client component of the RPivot tool from GitHub), connecting to a predefined IP address and port. The malware is designed to harvest system information such as directory listings and running processes, archive and encrypt it with 7zip, and exfiltrate the data to the C2 server via HTTP PUT requests.

One component of the RedCurl malware, known as RedLoader, employs obfuscation techniques to avoid detection. It decrypts initial DLL names such as bcrypt.dll using a rolling XOR routine and dynamically resolves functions within them. Encrypted function names are decrypted using the same method, and the functions resolved from bcrypt.dll are used to generate symmetric keys for the further decryption of sensitive DLL names.

A static key (“PpMYfs0fQp5ERT”) is used to generate an AES key from its SHA256 hash, adding another layer of encryption to conceal the malware’s true purpose and hinder analysis. Adversaries are increasingly leveraging living-off-the-land (LOTL) techniques to carry out attacks, making it hard to distinguish malicious activity from legitimate system administration.

RedCurl utilizes legitimate cloud storage for data exfiltration and leverages batch files, PowerShell, and Python scripts to execute its attacks. Security analysts can hunt for Python scripts making network connections, identify processes generating network traffic from Python executables, and look for the 7zip process run with the flags used to create password-protected archives and delete the originals.
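An added triage example, not from the article or the report it summarizes, showing how the three hunts above can be expressed over Sysmon-style process and network events. The field names, the sample events (constructed, not real telemetry) and the assumption that a scheduled task launches pcalua.exe under svchost.exe are mine; the 7-Zip switches -p (password) and -sdel (delete files after archiving) are the tool's documented options.

```python
import re

# Constructed sample events (not real telemetry): process-creation events carry
# image, parent image and command line; network events carry image and destination.
EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\pcalua.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r"pcalua.exe -a C:\Users\Public\run.bat", "dest": None},
    {"type": "process", "image": r"C:\Users\Public\python\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"python.exe client.py --server-ip 203.0.113.10 --server-port 443",
     "dest": None},
    {"type": "network", "image": r"C:\Users\Public\python\python.exe",
     "parent": None, "cmd": None, "dest": "203.0.113.10:443"},
    {"type": "process", "image": r"C:\Users\Public\7z.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": r"7z.exe a -pS3cret -sdel out.7z C:\Users\Public\collect\*", "dest": None},
    {"type": "process", "image": r"C:\Program Files\7-Zip\7z.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmd": r"7z.exe a backup.7z D:\docs\*", "dest": None},  # benign: no -p / -sdel
]

def _basename(path):
    """Lower-cased file name of a Windows path, or '' when the field is absent."""
    return path.rsplit("\\", 1)[-1].lower() if path else ""

def hunt(events):
    """Return (rule_name, event) pairs for every event that matches one of the hunts."""
    hits = []
    for ev in events:
        img, parent = _basename(ev["image"]), _basename(ev["parent"])
        cmd = ev["cmd"] or ""
        # 1. pcalua.exe spawned by the Task Scheduler host (assumption: the
        #    Schedule service runs inside svchost.exe on this host).
        if ev["type"] == "process" and img == "pcalua.exe" and parent == "svchost.exe":
            hits.append(("pcalua_from_scheduled_task", ev))
        # 2. A Python interpreter making an outbound network connection.
        if ev["type"] == "network" and img in ("python.exe", "pythonw.exe"):
            hits.append(("python_network_connection", ev))
        # 3. 7-Zip adding to an archive with a password (-p...) and deleting the
        #    originals afterwards (-sdel): the staging pattern described above.
        if (ev["type"] == "process" and img in ("7z.exe", "7za.exe")
                and re.search(r"(^|\s)-p\S*", cmd) and re.search(r"(^|\s)-sdel\b", cmd)):
            hits.append(("7zip_password_and_delete", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in hunt(EVENTS):
        print(rule, "->", ev["cmd"] or ev["dest"])
```

In production the same logic would be fed from the endpoint telemetry pipeline rather than an in-memory list, and the first rule should be tuned to whatever parent the Task Scheduler actually uses in your environment.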

Continuous monitoring for anomalous behavior is crucial in combating cyberespionage attacks that utilize LOTL techniques. Proactive threat hunting for novel and unusual behaviors across the network is essential for effective defense. A multi-layered defense strategy increases the chances of identifying suspicious activities and uncovering sophisticated attacks by motivated adversaries targeting valuable data.
