Cyber Threat Report: 'Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence'

The blog entry details an investigation by Trend Micro's Managed Extended Detection and Response (MDR) team into a cyberespionage incident involving Earth Kapre (aka RedCurl), a threat group known for phishing campaigns across multiple countries. The group employs malicious attachments to infect systems, enabling unauthorized data collection and transmission to command-and-control (C&C) servers. The MDR team's analysis revealed the use of legitimate tools like PowerShell and curl.exe for downloading malware, and the Program Compatibility Assistant (pcalua.exe) to execute malicious commands and evade detection. The investigation also uncovered the abuse of scheduled tasks for persistence and the use of Impacket.

Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Limit Software Installation

Block users or groups from installing unapproved software.

Execution Prevention

Block execution of code on a system through application control, and/or script blocking.

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Restrict Web-Based Content

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Software Configuration

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

Privileged Account Management

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

Disable or Remove Feature or Program

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

Code Signing

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

User Account Management

Manage the creation, modification, use, and permissions associated to user accounts.

Operating System Configuration

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.