Hunt for RedCurl

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY:

Huntress uncovered RedCurl activity across several Canadian organizations in late 2024, with activity traced back to November 2023. RedCurl, known for cyberespionage, targets various industries to access confidential data without encrypting systems or demanding ransom. The group employs distinctive tactics, including the use of pcalua.exe for indirect command execution, scheduled tasks mimicking legitimate Windows processes, and Python scripts for reverse proxy tunnels. It uses 7zip for file extraction and archiving, and leverages cloud storage for exfiltration. RedCurl's loader malware, RedLoader, employs obfuscation techniques such as dynamic DLL resolution and string encryption. The attackers' infrastructure included domains resolving to multiple IP addresses, showing connections to previously observed RedCurl activity.
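A minimal detection pass over constructed Sysmon-style process-creation events, added here as an example and not part of the Huntress report or this OpenCTI record: it flags the two host-side behaviours the summary names, pcalua.exe used as an indirect launcher and a Windows system binary name running from outside the Windows directory. The sample events, field names, and the list of mimicked process names are assumptions; the `pcalua.exe -a <program>` launcher syntax is the documented Program Compatibility Assistant usage.

```python
import re

# Constructed sample events (Sysmon EventID 1 style fields); not from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Users\Public\update.exe",
     "CommandLine": r"C:\Users\Public\update.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe"},
    {"Image": r"C:\ProgramData\svchost.exe",          # name mimics a system process
     "CommandLine": r"C:\ProgramData\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\svchost.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",      # benign, expected path
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs",
     "ParentImage": r"C:\Windows\System32\services.exe"},
]

# Assumed list of process names worth checking for path masquerading.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "taskhostw.exe"}
WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_dir(path: str) -> bool:
    return path.lower().startswith(WINDOWS_DIRS)


def findings(event: dict) -> list:
    """Return detection labels for one process-creation event."""
    out = []
    if basename(event["ParentImage"]) == "pcalua.exe":
        out.append("indirect-execution: child of pcalua.exe")
    if basename(event["Image"]) == "pcalua.exe" and re.search(r"\s-a\s", event["CommandLine"], re.I):
        out.append("indirect-execution: pcalua.exe -a launcher")
    if basename(event["Image"]) in SYSTEM_NAMES and not in_windows_dir(event["Image"]):
        out.append("masquerade: system binary name outside Windows directory")
    return out


def scan(events: list) -> dict:
    """Map event index -> findings, omitting events with none."""
    return {i: f for i, e in enumerate(events) if (f := findings(e))}


if __name__ == "__main__":
    for idx, labels in scan(SAMPLE_EVENTS).items():
        print(idx, labels)
```

In production the parent/child check should also be correlated with the scheduled task that launched pcalua.exe, since the summary notes the tasks themselves carry system-looking names.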

OPENCTI LABELS:

cyberespionage, redloader, cloud exfiltration
