Cyber Security News

RedCurl APT Deploys Malware via Windows Scheduled Tasks Exploitation

Researchers identified RedCurl APT group activity in Canada in late 2024, where the attackers used scheduled tasks to execute pcalua.exe to run malicious binaries and Python scripts, including the RPivot client.py script to connect to a remote server. 

Evidence suggests data exfiltration to cloud storage as this APT group targets various industries and aims for long-term persistence for data collection.

The RedCurl malware leverages PowerShell to download files from a cloud storage location on bora.teracloud[.]jp/dav using HTTP GET requests, which are then unpacked using 7zip with a password stored in the batch file. 

[Figure: Script excerpt]

The script then uses Python to execute client.py (an RPivot tool from GitHub) to connect to a predefined IP and port, while the malware harvests system information, including directory listings and running processes, archives and encrypts it with 7zip, and exfiltrates the data to the C2 server via HTTP PUT requests.


RedLoader, a backdoor component of the RedCurl malware, utilizes obfuscation techniques to evade detection by decrypting initial DLL names like bcrypt.dll using a rolling XOR routine and dynamically resolves functions within them. 

[Figure: Cryptographic routine used to decrypt sensitive DLL names]

Encrypted function names are also decrypted using the same method. Subsequently, resolved functions from bcrypt.dll are employed to generate symmetric keys for further decryption of sensitive DLL names. 

A SHA256 hash of a static key (“PpMYfs0fQp5ERT”) serves as the basis for generating an AES key, adding another layer of encryption that demonstrates the malicious actor’s intent to conceal the malware’s true purpose and hinder analysis.
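The two layers described above (a rolling XOR over hidden DLL and function names, then a SHA-256 of a static key used as AES key material) can be reproduced in an analyst's string-decoding helper. The code below is an added example, not RedLoader's actual routine or anything published by Huntress: the rolling-XOR definition (key byte replaced by the previous ciphertext byte) and the seed value are assumptions chosen for illustration, while the static key string is the one quoted in the article. The key derivation uses only `hashlib`, so the block runs offline; it derives the 32-byte value an AES-256 key would be built from, but does not perform the AES step itself.

```python
import hashlib

# ASSUMPTION: a "rolling" XOR in which the running key byte is replaced by the
# ciphertext byte just produced. RedLoader's real routine may differ; this is
# only a representative construction for decoding a hidden string table.
def rolling_xor_encrypt(plaintext: bytes, seed: int) -> bytes:
    key = seed & 0xFF
    out = bytearray()
    for p in plaintext:
        c = p ^ key
        out.append(c)
        key = c  # key rolls forward to the ciphertext byte just emitted
    return bytes(out)


def rolling_xor_decrypt(ciphertext: bytes, seed: int) -> bytes:
    key = seed & 0xFF
    out = bytearray()
    for c in ciphertext:
        out.append(c ^ key)
        key = c  # same roll, driven by the ciphertext byte we just consumed
    return bytes(out)


STATIC_KEY = "PpMYfs0fQp5ERT"  # static key string reported in the article


def derive_aes_key(static_key: str) -> bytes:
    """SHA-256 of the static key: 32 bytes, the size of an AES-256 key.

    The article says the hash is the basis for an AES key; the AES decryption
    of the second string layer is not performed here.
    """
    return hashlib.sha256(static_key.encode("ascii")).digest()


def decode_string_table(blobs, seed: int):
    """Recover printable names from a list of rolling-XOR blobs, the way an
    analyst would when dumping the DLL/export names a loader hides in .data."""
    return [rolling_xor_decrypt(b, seed).decode("ascii", errors="replace")
            for b in blobs]


if __name__ == "__main__":
    seed = 0x5A  # ASSUMPTION: illustrative seed
    # Constructed sample: a DLL name and a real bcrypt.dll export name, hidden
    # with the rolling XOR exactly as the loader would store them.
    names = [b"bcrypt.dll", b"BCryptGenerateSymmetricKey"]
    hidden = [rolling_xor_encrypt(n, seed) for n in names]
    for raw, recovered in zip(hidden, decode_string_table(hidden, seed)):
        print(f"{raw.hex()} -> {recovered}")
    print("AES-256 key material:", derive_aes_key(STATIC_KEY).hex())
```

For hunting purposes the useful observation is that the decoded table, not the encrypted bytes, is what a YARA rule or memory scan should be matched against; static string rules against the file on disk will miss names protected this way.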

Adversaries are increasingly using living-off-the-land (LOTL) techniques to carry out attacks that involve using legitimate native Windows binaries and tools to accomplish malicious goals. 

This makes it difficult to distinguish LOTL attacks from normal system administration activity, as in this case, attackers used pcalua.exe in scheduled tasks to execute malicious files and scripts. 

[Figure: Encrypted strings stored in the .data section]

RedCurl uses various techniques to infiltrate systems, uses legitimate cloud storage for exfiltration, and leverages batch files, PowerShell, and Python scripts to execute its attacks. 

According to Huntress, 7zip does most of the work of both extracting files from password-protected archives and building the archives used for data exfiltration. 

Security analysts can hunt for Python scripts that make network connections, or start from processes generating network traffic and check whether the image is a Python executable, and can also look for the 7zip process invoked with the flags used to create password-protected archives and delete the original files. 
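The hunts described above, plus the pcalua.exe scheduled-task pattern mentioned earlier, can be expressed as a few rules over process-creation and network-connection telemetry. The block below is an added example, not detection content from the article or from Huntress: the event records and their field names are a constructed schema, not any product's log format, and the sample pids, paths and destination address are invented. The switches it matches are real: 7-Zip's `a` (add), `-p` (password) and `-sdel` (delete source files after archiving), and pcalua.exe's `-a` (launch a program through the Program Compatibility Assistant). Treating `svchost.exe` as the Task Scheduler host parent is an assumption recorded in the comments; it only enriches the finding and is not required for a match.

```python
# Constructed telemetry: process-creation events and network-connection events
# correlated by pid. Field names are an assumption, not a vendor schema.
EVENTS = [
    {"type": "process", "pid": 100, "image": "python.exe", "parent": "cmd.exe",
     "cmdline": "python.exe client.py 203.0.113.10 443"},
    {"type": "network", "pid": 100, "dest": "203.0.113.10:443"},
    {"type": "process", "pid": 200, "image": "7z.exe", "parent": "cmd.exe",
     "cmdline": "7z.exe a -p[REDACTED] -sdel C:\\Users\\u\\AppData\\Local\\Temp\\out.7z "
                "C:\\Users\\u\\Documents"},
    {"type": "process", "pid": 300, "image": "pcalua.exe", "parent": "svchost.exe",
     "cmdline": "pcalua.exe -a C:\\Users\\u\\AppData\\Local\\Temp\\run.bat"},
    # Benign controls: an interactive extraction and a script with no network use.
    {"type": "process", "pid": 400, "image": "7z.exe", "parent": "explorer.exe",
     "cmdline": "7z.exe x C:\\Users\\u\\Downloads\\tools.7z"},
    {"type": "process", "pid": 500, "image": "python.exe", "parent": "code.exe",
     "cmdline": "python.exe report.py"},
]

PYTHON_IMAGES = {"python.exe", "pythonw.exe", "python3.exe"}
ARCHIVER_IMAGES = {"7z.exe", "7za.exe", "7zg.exe"}
SCRIPT_SUFFIXES = (".bat", ".cmd", ".py", ".exe", ".ps1")


def _processes(events, images):
    return [e for e in events
            if e["type"] == "process" and e["image"].lower() in images]


def hunt_python_network(events):
    """Hunt 1: Python interpreters that open network connections."""
    python_pids = {e["pid"] for e in _processes(events, PYTHON_IMAGES)}
    return sorted({e["pid"] for e in events
                   if e["type"] == "network" and e["pid"] in python_pids})


def hunt_7zip_exfil_staging(events):
    """Hunt 2: 7-Zip adding to an archive with a password and deleting sources.

    'a' = add, '-p...' = password, '-sdel' = delete files after compression.
    Together they describe staging data for exfiltration, not normal extraction.
    """
    hits = []
    for e in _processes(events, ARCHIVER_IMAGES):
        args = e["cmdline"].split()[1:]
        if args[:1] == ["a"] and any(a.startswith("-p") for a in args) and "-sdel" in args:
            hits.append(e["pid"])
    return hits


def hunt_pcalua_launcher(events):
    """Hunt 3: pcalua.exe -a used to launch a script or binary from a user-writable
    path. ASSUMPTION: a parent of svchost.exe is treated as the Task Scheduler
    host; it is reported as context but not required for a match."""
    hits = []
    for e in _processes(events, {"pcalua.exe"}):
        args = e["cmdline"].split()[1:]
        targets = [a for a in args
                   if a.lower().endswith(SCRIPT_SUFFIXES) and "\\users\\" in a.lower()]
        if "-a" in args and targets:
            hits.append(e["pid"])
    return hits


def run_hunts(events):
    """Run every hunt and return (rule, pid) findings in a stable order."""
    findings = []
    findings += [("python-network", p) for p in hunt_python_network(events)]
    findings += [("7zip-password-delete", p) for p in hunt_7zip_exfil_staging(events)]
    findings += [("pcalua-launcher", p) for p in hunt_pcalua_launcher(events)]
    return findings


if __name__ == "__main__":
    by_pid = {e["pid"]: e for e in EVENTS if e["type"] == "process"}
    for rule, pid in run_hunts(EVENTS):
        e = by_pid[pid]
        print(f"[{rule}] pid={pid} parent={e['parent']} cmdline={e['cmdline']}")
```

Each rule on its own will produce benign matches (developers run Python tools that talk to the network; backups use `-p`), so the value is in the combination and in the parent/path context printed with each finding; the controls at pids 400 and 500 show the rules staying quiet on ordinary use.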

Cyberespionage attacks often leverage legitimate software and Living-Off-The-Land (LOTL) techniques to evade detection, which necessitates continuous monitoring for anomalous behavior. 

An effective defense requires proactive threat hunting for novel and unusual behaviors across the network, as a multi-layered defense strategy increases the likelihood of identifying suspicious activities and uncovering sophisticated attacks by highly motivated adversaries targeting valuable data.


Aman Mishra

Aman Mishra is a security and privacy reporter covering data breaches, cybercrime, malware, and vulnerabilities.
