RedCurl Ransomware Attacks Hypervisors

Bitdefender Labs’ analysis of the first digital extortion by RedCurl shows that attackers aim to remain undetected for as long as possible while causing maximum damage.

According to Bitdefender's analysis, the attackers avoid end-user systems throughout the entire attack. Instead they encrypt the virtual machines hosted on hypervisors, rendering them unbootable. The attackers apparently want to stay hidden for as long as possible, which gives them a window in which to negotiate with a small circle of people inside the affected company. For the same reason the perpetrators forgo the usual ransomware publicity on dedicated leak sites (DLS).

The attack starts with a classic phishing email carrying an IMG file that disguises itself as a resume with a screensaver file extension (CV APPLICANT 7802-91542.SCR). A .SCR file can easily hide an executable. The IMG file, a sector-by-sector image of a storage medium, is automatically mounted as a drive when the supposed resume is opened, and the .exe disguised as a .SCR is executed. A legitimate Adobe application then serves as the vehicle for DLL sideloading.

Trend: Mimicking Legitimate Tools

The downloaded payload uses LOLBin (Living off the Land Binaries) techniques to hide malicious actions behind legitimate tools. One such tool, used for initial access, is pcalua.exe, the Program Compatibility Assistant (PCA). It normally ensures that older software runs on newer Windows versions, but here it is abused as a proxy for executing binaries. Rundll32.exe, the Windows tool for running Dynamic Link Libraries (DLLs), is repurposed to load malicious DLLs. Once inside the system, the RedCurl attackers rely on built-in Windows administration tools such as powershell.exe, wmic.exe, certutil.exe, and tasklist.exe. The ransomware attack also attempts to bypass IT security software.
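As an added illustration of how a defender might hunt for the chain described above (not code from Bitdefender or from the report), the following script classifies constructed process-creation events: a .SCR launched from a mounted image, pcalua.exe acting as an execution proxy, rundll32.exe loading a DLL from a user-writable path, and admin tools spawned by one of those proxies. The event format, the sample paths and the finding tags are assumptions for this example.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

@dataclass
class ProcEvent:
    parent: str    # image path of the parent process
    image: str     # image path of the newly created process
    cmdline: str   # full command line

# Windows binaries the article describes as execution proxies (LOLBins)
PROXY_BINARIES = {"pcalua.exe", "rundll32.exe"}
# Admin tools the article lists as used after initial access
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "certutil.exe", "tasklist.exe"}
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
DLL_ARG = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\s]+\.dll)')

def image_name(path):
    return PureWindowsPath(path).name.lower()

def classify(ev):
    """Return the list of finding tags that one process-creation event triggers."""
    findings = []
    img, parent, cmd = image_name(ev.image), image_name(ev.parent), ev.cmdline.lower()
    # A screensaver file run from anywhere but the Windows directory (e.g. a mounted IMG)
    if img.endswith(".scr") and not ev.image.lower().startswith("c:\\windows\\"):
        findings.append("scr-outside-windows-dir")
    # Program Compatibility Assistant used as a proxy: "pcalua.exe -a <target>" (LOLBAS-documented)
    if parent == "pcalua.exe" or (img == "pcalua.exe" and " -a " in cmd):
        findings.append("pcalua-proxy-execution")
    # rundll32.exe loading a DLL from a user-writable location
    m = DLL_ARG.search(cmd) if img == "rundll32.exe" else None
    if m and m.group(1).startswith(USER_WRITABLE):
        findings.append("rundll32-user-writable-dll")
    # Admin tooling whose parent is itself one of the proxy binaries
    if img in ADMIN_TOOLS and parent in PROXY_BINARIES:
        findings.append("admin-tool-via-lolbin-parent")
    return findings

def scan(events):
    """Return (image path, findings) for every event that triggered at least one rule."""
    return [(ev.image, tags) for ev in events if (tags := classify(ev))]

# Constructed sample chain, not telemetry from the report; E: is the mounted IMG file
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"E:\CV APPLICANT 7802-91542.SCR",
              r'"E:\CV APPLICANT 7802-91542.SCR"'),
    ProcEvent(r"E:\CV APPLICANT 7802-91542.SCR", r"C:\Windows\System32\pcalua.exe",
              r"pcalua.exe -a C:\Users\Public\stage2.exe"),
    ProcEvent(r"C:\Windows\System32\pcalua.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\loader.dll,Start"),
    ProcEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\tasklist.exe",
              "tasklist.exe"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe shell32.dll,Control_RunDLL"),  # benign: DLL resolved from System32
]

if __name__ == "__main__":
    for image, tags in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(tags)}")
```

The rules are deliberately narrow; in production they would be fed from Sysmon event ID 1 or EDR process telemetry and tuned against the environment's own baseline of rundll32.exe and pcalua.exe usage.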

The ransomware's main script accepts various parameters and allows backups to be deleted selectively based on hostnames. To do so, the script removes specific backup directories and virtual hard disk files.

Criminal Portfolio with Unclear Motivation

The RedCurl group, also known as Earth Kapre or Red Wolf, has been active since 2018 and has primarily been known for using Living-off-the-Land techniques for cyber espionage and data exfiltration. The broad geographic distribution of victims (especially in the USA, but also in Germany, Spain, Mexico and, according to other experts, even Russia) argues against a state-sponsored background such as cyber espionage. The fact that RedCurl has not yet sold any data argues against a purely financial motive. Adding ransomware to their criminal portfolio is a notable expansion of their tactics. Apart from collecting ransom, the group's motives remain unclear.