After a seven-month absence, the cyber-espionage outfit RedCurl is back with new intrusion attempts. To remain covert and avoid analysis, the gang has upgraded its toolkit. The group focuses on acquiring relevant information through the use of self-developed and publicly available software. It does not appear to be motivated by money.
According to analysts, the gang has made many tactical upgrades to its toolkit this year and has been detected targeting four firms, one of which is Russia’s largest wholesale retailer. The gang demonstrated considerable red teaming abilities in each attack and was able to avoid antivirus detection by utilising its own unique malware. To infiltrate its targets and obtain internal company information such as personnel records, court and legal papers, and enterprise email histories, the gang employs a variety of hacking techniques.
The attackers obtain initial access through social engineering, then use the new FSABIN tool to carry out reconnaissance, gain persistence, and move laterally within the network.
Between the moment of infection and the time data is exfiltrated, the gang spends between two and six months inside the victim's environment.
Since November 2018, the RedCurl gang has been linked to 30 cyber espionage and document theft attempts. However, its attacks came to a halt around the end of 2020.
The group targeted 14 firms from various industries, including insurance, consulting, construction, retail, legal, and finance. The entities targeted were located in a variety of nations, including the United Kingdom, Germany, Russia, Canada, Ukraine, and Norway.
The RedCurl gang is primarily concerned with espionage and obtaining sensitive information from targeted entities. This stolen data might be utilised for other nefarious acts or sold on the dark web. As a result, enterprises are advised to implement appropriate security measures, such as encryption and multi-factor authentication, to safeguard critical data.