RedCurl
Aliases: None listed
RedCurl is a threat actor active since 2018, notable for corporate espionage against targets in a range of locations, including Ukraine, Canada and the United Kingdom, and across a range of industries, including but not limited to travel agencies, insurance companies, and banks. RedCurl is allegedly a Russian-speaking threat actor. The group's operations typically begin with spearphishing emails to gain initial access; the group then runs discovery and collection commands and scripts to locate corporate data, and concludes by exfiltrating the collected files to its C2 servers.
ATT&CK techniques
T1027: Obfuscated Files or Information
T1564.001: Hidden Files and Directories
T1102: Web Service
T1114.001: Local Email Collection
T1039: Data from Network Shared Drive
T1080: Taint Shared Content
T1204.002: Malicious File
T1005: Data from Local System
T1119: Automated Collection
T1083: File and Directory Discovery
T1059.003: Windows Command Shell
T1059.001: PowerShell
T1036.005: Match Legitimate Name or Location
T1566.001: Spearphishing Attachment
T1059.005: Visual Basic
T1560.001: Archive via Utility
T1573.001: Symmetric Cryptography
T1071.001: Web Protocols
T1087.003: Email Account
T1587.001: Malware
T1087.001: Local Account
T1056.002: GUI Input Capture
T1082: System Information Discovery
T1204.001: Malicious Link
T1573.002: Asymmetric Cryptography
T1053.005: Scheduled Task
T1020: Automated Exfiltration
T1199: Trusted Relationship
T1537: Transfer Data to Cloud Account
T1202: Indirect Command Execution
T1552.001: Credentials In Files
T1218.011: Rundll32
T1087.002: Domain Account
T1566.002: Spearphishing Link
T1552.002: Credentials in Registry
T1070.004: File Deletion
T1547.001: Registry Run Keys / Startup Folder
T1555.003: Credentials from Web Browsers
T1059.006: Python
T1003.001: LSASS Memory
T1046: Network Service Discovery