Cyber Threat Report: 'Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence'
Field | Value |
---|---|
Report Author | Trend Micro |
Publication Date | 2024-03-06 |
Original Reporting | Source |
Related Intrusion Sets | Red Wolf, RedCurl, Earth Kapre |
The blog entry details an investigation by Trend Micro's Managed Extended Detection and Response (MDR) team into a cyberespionage incident involving Earth Kapre (aka RedCurl), a threat group known for phishing campaigns across multiple countries. The group employs malicious attachments to infect systems, enabling unauthorized data collection and transmission to command-and-control (C&C) servers. The MDR team's analysis revealed the use of legitimate tools like PowerShell and curl.exe for downloading malware, and the Program Compatibility Assistant (pcalua.exe) to execute malicious commands and evade detection. The investigation also uncovered the abuse of scheduled tasks for persistence and the use of Impacket.
Mitigations to defend against the techniques in this report
- Audit: Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
- Limit Software Installation: Block users or groups from installing unapproved software.
- Execution Prevention: Block execution of code on a system through application control and/or script blocking.
- Antivirus/Antimalware: Use signatures or heuristics to detect malicious software.
- User Training: Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.
- Behavior Prevention on Endpoint: Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.
- Restrict Web-Based Content: Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc.
- Network Intrusion Prevention: Use intrusion detection signatures to block traffic at network boundaries.
- Software Configuration: Implement configuration changes to software (other than the operating system) to mitigate security risks associated with how the software operates.
- Privileged Account Management: Manage the creation, modification, use, and permissions associated with privileged accounts, including SYSTEM and root.
- Disable or Remove Feature or Program: Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.
- Code Signing: Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.
- User Account Management: Manage the creation, modification, use, and permissions associated with user accounts.
- Operating System Configuration: Make configuration changes related to the operating system, or to a common feature of the operating system, that harden the system against these techniques.

Identified MITRE ATT&CK Techniques
ATT&CK ID | Title | Associated Tactics |
---|---|---|
T1202 | Indirect Command Execution | Defense Evasion |
T1059.006 | Python | Execution |
T1204.002 | Malicious File | Execution |
T1059.003 | Windows Command Shell | Execution |
T1566.001 | Spearphishing Attachment | Initial Access |
T1204.001 | Malicious Link | Execution |
T1059.001 | PowerShell | Execution |
T1071.001 | Web Protocols | Command and Control |
T1053.005 | Scheduled Task | Execution, Persistence, Privilege Escalation |