RedCurl
Overview
RedCurl is a threat actor, active since 2018 and allegedly Russian-speaking, that conducts corporate espionage against organizations in Ukraine, Canada, the United Kingdom and elsewhere, across industries including travel agencies, insurance companies and banks. Its operations typically begin with spearphishing emails to gain initial access, continue with discovery and collection commands and scripts that locate corporate data, and end with exfiltration of the collected files to its C2 servers.
TTPs — 41 techniques across 11 tactics
Resource Development
- T1587.001 Malware
Initial Access
- T1199 Trusted Relationship
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1059.006 Python
- T1204.001 Malicious Link
- T1204.002 Malicious File
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Stealth (ATT&CK: Defense Evasion)
- T1027 Obfuscated Files or Information
- T1036.005 Match Legitimate Resource Name or Location
- T1070.004 File Deletion
- T1202 Indirect Command Execution
- T1218.011 Rundll32
- T1564.001 Hidden Files and Directories
Credential Access
- T1003.001 LSASS Memory
- T1552.001 Credentials In Files
- T1552.002 Credentials in Registry
- T1555.003 Credentials from Web Browsers
Discovery
- T1046 Network Service Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1087.001 Local Account
- T1087.002 Domain Account
- T1087.003 Email Account
Lateral Movement
- T1080 Taint Shared Content
Collection
- T1005 Data from Local System
- T1039 Data from Network Shared Drive
- T1056.002 GUI Input Capture
- T1114.001 Local Email Collection
- T1119 Automated Collection
- T1560.001 Archive via Utility
Command and Control
- T1071.001 Web Protocols
- T1102 Web Service
- T1573.001 Symmetric Cryptography
- T1573.002 Asymmetric Cryptography
Exfiltration
- T1020 Automated Exfiltration
- T1537 Transfer Data to Cloud Account
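As an added example (not code from threatfilter.dev, Group-IB or any RedCurl tooling), the Python below maps process-creation telemetry onto a subset of the techniques listed in this profile and flags hosts whose matches span several of the profile's tactics. The per-technique regexes and the pipe-delimited log records are assumptions constructed for the demo: the regexes are generic indicators for each ATT&CK technique, not RedCurl IOCs, and a real deployment would feed it Sysmon Event ID 1 (process creation) or EDR process events instead.

```python
"""Detection sketch mapping process-creation telemetry onto the ATT&CK
techniques listed in this RedCurl profile.  Added example: not from the
threatfilter.dev page, Group-IB, or any RedCurl tooling.  Every regex below
is a generic heuristic for the technique it is tagged with, not a RedCurl
indicator, and the log lines are constructed for the demo."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    technique: str     # ATT&CK ID taken from the profile above
    tactic: str        # ATT&CK tactic (the page's "Stealth" is Defense Evasion)
    image: str         # regex fully matched against the process image basename
    cmdline: str = ""  # regex searched in the command line ("" = any)


# Generic per-technique heuristics (assumptions, not attributed to RedCurl).
RULES = [
    Rule("T1059.001", "Execution", r"powershell(\.exe)?",
         r"(?i)-(enc|encodedcommand|e)\s"),
    Rule("T1053.005", "Execution", r"schtasks(\.exe)?", r"(?i)/create"),
    Rule("T1218.011", "Defense Evasion", r"rundll32(\.exe)?",
         r"(?i)(\\users\\|\\temp\\|\\appdata\\|\.dat\b)"),
    Rule("T1547.001", "Persistence", r"reg(\.exe)?",
         r"(?i)\badd\b.*\\currentversion\\run\b"),
    Rule("T1087.002", "Discovery", r"net1?(\.exe)?",
         r"(?i)\s(user|group)\s.*/domain"),
    Rule("T1560.001", "Collection", r"(7z|7za|rar|winrar)(\.exe)?",
         r"(?i)\s(a|u)\s"),
    Rule("T1070.004", "Defense Evasion", r"cmd(\.exe)?",
         r"(?i)\bdel\b.*(/q|/f)"),
]
TACTIC_OF = {r.technique: r.tactic for r in RULES}


def parse_event(line):
    """Constructed record format: '<ts>|<host>|<image path>|<command line>'."""
    ts, host, image, cmdline = line.split("|", 3)
    basename = image.rsplit("\\", 1)[-1].lower()
    return {"ts": ts, "host": host, "image": basename, "cmdline": cmdline}


def match_techniques(event):
    """Return the set of technique IDs whose rule fires on one event."""
    hits = set()
    for r in RULES:
        if re.fullmatch(r.image, event["image"]) and (
            not r.cmdline or re.search(r.cmdline, event["cmdline"])
        ):
            hits.add(r.technique)
    return hits


def score_hosts(lines, min_tactics=3):
    """Aggregate hits per host; flag hosts spanning >= min_tactics tactics.

    One rule firing is noise on most estates (admins run schtasks and 7z);
    a host that touches several of the profile's tactics in one log window
    is the signal worth triaging.
    """
    per_host = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        per_host[ev["host"]] |= match_techniques(ev)
    flagged = {}
    for host, techs in per_host.items():
        tactics = {TACTIC_OF[t] for t in techs}
        if len(tactics) >= min_tactics:
            flagged[host] = {"techniques": sorted(techs),
                             "tactics": sorted(tactics)}
    return flagged


# Constructed sample telemetry: WS-01 runs a chain of the profile's
# techniques, WS-02 runs benign lookalikes that must not fire.
SAMPLE_LOG = [
    "2024-01-01T09:00:01|WS-01|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|"
    "powershell.exe -nop -w hidden -enc SQBFAFgA",
    "2024-01-01T09:00:05|WS-01|C:\\Windows\\System32\\schtasks.exe|"
    "schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\u.bat",
    "2024-01-01T09:00:09|WS-01|C:\\Windows\\System32\\reg.exe|"
    "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v Upd /d C:\\Users\\Public\\u.bat",
    "2024-01-01T09:01:10|WS-01|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe C:\\Users\\Public\\l.dat,Start",
    "2024-01-01T09:02:00|WS-01|C:\\Windows\\System32\\net.exe|"
    "net group \"Domain Admins\" /domain",
    "2024-01-01T09:10:00|WS-01|C:\\Program Files\\7-Zip\\7z.exe|"
    "7z.exe a -pSecret C:\\Users\\Public\\docs.7z D:\\Finance\\",
    "2024-01-01T09:11:00|WS-01|C:\\Windows\\System32\\cmd.exe|"
    "cmd /c del /q /f C:\\Users\\Public\\l.dat",
    "2024-01-01T10:00:00|WS-02|C:\\Windows\\System32\\schtasks.exe|"
    "schtasks /query /tn Backup",
    "2024-01-01T10:05:00|WS-02|C:\\Windows\\System32\\rundll32.exe|"
    "rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for host, info in score_hosts(SAMPLE_LOG).items():
        print(host, info["tactics"], info["techniques"])
```

On the sample data only WS-01 is flagged, with hits in five of the profile's tactics; WS-02's `schtasks /query` and the stock `rundll32 shell32.dll` call match nothing. The rules cover only seven of the 41 listed techniques, deliberately the ones visible in process-creation logs; credential access (T1003.001 LSASS Memory), C2 (T1071.001, T1573.x) and exfiltration (T1537) need access, network and cloud-audit telemetry that a process log does not carry, so extend `RULES` with the matching event sources rather than stretching these regexes.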
Reporting (2)
- RedCurl: The Awakening — Group-IB
- RedCurl: The Pentest You Didn’t Know About — Group-IB