Cyber Threat Report: 'REDCURL - The pentest you didn't know about'

Report Author: Group-IB
Publication Date: 2022-08-01
Related Intrusion Sets: RedCurl
Victim Sectors: Legal Services, Retail, Insurance, Financial Services, Construction

This report by researchers at Group-IB outlines activity by a group they call RedCurl. The report identifies victimology and motivation (corporate espionage) as well as outlining tactics, techniques and procedures used by the group between 2018 and 2022.

Identified MITRE ATT&CK Techniques

| ATT&CK ID | Title | Associated Tactics |
|---|---|---|
| T1059.001 | PowerShell | Execution |
| T1003.001 | LSASS Memory | Credential Access |
| T1087.003 | Email Account | Discovery |
| T1005 | Data from Local System | Collection |
| T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |
| T1218.011 | Rundll32 | Defense Evasion |
| T1114.001 | Local Email Collection | Collection |
| T1059.003 | Windows Command Shell | Execution |
| T1070.004 | File Deletion | Defense Evasion |
| T1566.002 | Spearphishing Link | Initial Access |
| T1555.003 | Credentials from Web Browsers | Credential Access |
| T1537 | Transfer Data to Cloud Account | Exfiltration |
| T1071.001 | Web Protocols | Command and Control |
| T1036.005 | Match Legitimate Name or Location | Defense Evasion |
| T1082 | System Information Discovery | Discovery |
| T1564.001 | Hidden Files and Directories | Defense Evasion |
| T1020 | Automated Exfiltration | Exfiltration |
| T1056.002 | GUI Input Capture | Collection, Credential Access |
| T1119 | Automated Collection | Collection |
| T1087.001 | Local Account | Discovery |
| T1547.001 | Registry Run Keys / Startup Folder | Persistence, Privilege Escalation |
| T1039 | Data from Network Shared Drive | Collection |
| T1102 | Web Service | Command and Control |
| T1087.002 | Domain Account | Discovery |
| T1080 | Taint Shared Content | Lateral Movement |
| T1552.002 | Credentials in Registry | Credential Access |
| T1204.002 | Malicious File | Execution |
| T1083 | File and Directory Discovery | Discovery |
| T1552.001 | Credentials In Files | Credential Access |
| T1027 | Obfuscated Files or Information | Defense Evasion |
| T1059.005 | Visual Basic | Execution |