RedCurl
Directly Linked Intrusion Sets: Red Wolf, Earth Kapre
RedCurl is an intrusion set originally identified by Group-IB that has been active since at least 2018. Group-IB researchers have identified the group's goal as corporate cyber espionage and document theft.
RedCurl Threat Reports
Report
REDCURL - The pentest you didn't know about
This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate ...
References
bi-zone.medium.com: https://bi-zone.medium.com/hunting-the-hunter-bi-zone-traces-the-footsteps-of-red-wolf-3677783e164d
go.group-ib.com: https://go.group-ib.com/report-redcurl-en
www.trendmicro.com: https://www.trendmicro.com/en_us/research/24/c/unveiling-earth-kapre-aka-redcurls-cyberespionage-tactics-with-t.html
www.group-ib.com: https://www.group-ib.com/resources/research-hub/red-curl-2/
go.group-ib.com: https://go.group-ib.com/report-redcurl-awakening-en
MITRE ATT&CK Techniques
MITRE ATT&CK techniques observed in use by this intrusion set.
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1059.001 | PowerShell | Execution |
T1003.001 | LSASS Memory | Credential Access |
T1087.003 | Email Account | Discovery |
T1005 | Data from Local System | Collection |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
T1218.011 | Rundll32 | Defense Evasion |
T1114.001 | Local Email Collection | Collection |
T1059.003 | Windows Command Shell | Execution |
T1070.004 | File Deletion | Defense Evasion |
T1566.002 | Spearphishing Link | Initial Access |
T1555.003 | Credentials from Web Browsers | Credential Access |
T1537 | Transfer Data to Cloud Account | Exfiltration |
T1071.001 | Web Protocols | Command and Control |
T1036.005 | Match Legitimate Name or Location | Defense Evasion |
T1082 | System Information Discovery | Discovery |
T1564.001 | Hidden Files and Directories | Defense Evasion |
T1020 | Automated Exfiltration | Exfiltration |
T1056.002 | GUI Input Capture | Collection, Credential Access |
T1119 | Automated Collection | Collection |
T1087.001 | Local Account | Discovery |
T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
T1039 | Data from Network Shared Drive | Collection |
T1102 | Web Service | Command and Control |
T1087.002 | Domain Account | Discovery |
T1080 | Taint Shared Content | Lateral Movement |
T1552.002 | Credentials in Registry | Credential Access |
T1204.002 | Malicious File | Execution |
T1083 | File and Directory Discovery | Discovery |
T1552.001 | Credentials In Files | Credential Access |
T1027 | Obfuscated Files or Information | Defense Evasion |
T1059.005 | Visual Basic | Execution |