Introduction
This research, conducted by Bitdefender Labs, presents the first documented analysis of a ransomware campaign attributed to the RedCurl group (also known as Earth Kapre or Red Wolf). RedCurl has historically maintained a low profile, relying heavily on Living-off-the-Land (LOTL) techniques for corporate cyberespionage and data exfiltration. This shift to ransomware marks a significant evolution in its tactics.
This new ransomware, which we have named QWCrypt based on a self-reference ‘qwc’ found within the executable, is previously undocumented and distinct from known ransomware families.
By sharing our findings with the threat intelligence community and challenging existing assumptions, we hope to encourage further research of this unconventional threat actor that has been active since 2018.
RedCurl: A (Red) Wolf in Sheep’s Clothing?
RedCurl’s motivations raise more questions than answers. While frequently labelled a cyberespionage group, we find the evidence supporting this classification inconclusive.
Much of the existing analysis from fellow security researchers reiterates the cyberespionage claim, primarily focusing on technical aspects. While technical analysis is crucial, we believe it’s equally important to examine its business model and the true motivations behind its actions for a complete operational picture.
Traditionally, cyberespionage is the domain of state-sponsored actors, the advanced persistent threats (APTs). Our telemetry has identified victims primarily in the United States, but also in Germany, Spain, and Mexico. Other researchers, however, have reported targets in Russia as well, a broad geographical scope that is atypical for state-sponsored groups.
Data exfiltration, a common tactic in ransomware operations, is typically employed for extortion. Yet, we have found no historical evidence (until now) of RedCurl attempting to sell stolen data back to its victims, an unusual deviation. Furthermore, financially motivated groups rarely prioritise the theft of proprietary information for competitive advantage; we struggle to identify a comparable group.
The group’s revenue generation and operational objectives remain shrouded in mystery, particularly given its sustained activity since 2018. Consequently, its business model and true motivations remain unclear.
Hypothesis 1: Gun-For-Hire
Given the anomalies in RedCurl’s behaviour, we find it necessary to introduce a purely speculative hypothesis. It’s possible that RedCurl operates as a ‘gun-for-hire’ group, essentially cyber mercenaries. This would explain its diverse victimology and the lack of a clear, consistent operational pattern. Furthermore, this hypothesis could potentially explain its current interest in ransomware that targets infrastructure, rather than endpoint computers. In a mercenary model, ransomware could serve as a diversion, masking the true objective: a targeted data exfiltration operation. It’s also possible that RedCurl, having completed a data exfiltration contract, was not paid, leading it to use ransomware as an alternate way to monetise its access.
Hypothesis 2: Discreet Operations
RedCurl’s surprising introduction of hypervisor encryption, while maintaining network gateway functionality and avoiding endpoint encryption, suggests a deliberate effort to limit the attack’s impact to the IT department. This strategy, if intentional, posits that RedCurl prioritises discreet, direct negotiations with victims, minimising public attention.
The absence of publicly visible ransom demands, such as through a dedicated leak site (DLS), does not necessarily indicate that RedCurl is not directly approaching victims. It is plausible that it engages in private negotiations, further reinforcing its preference for discreet operations and explaining its lack of public victim announcements.
Such an approach enables extended, low-profile operations, ensuring consistent revenue across a broad client base and reducing its visibility to law enforcement. This hypothesis contrasts with the mercenary model, suggesting that RedCurl avoids public disclosure as a core operational strategy since 2018.
This hypothesis is further supported by recent industry trends. Our 2023 Cybersecurity Assessment Report revealed 42 per cent of respondents reporting pressure to conceal security breaches. Alarmingly, our upcoming 2024 report indicates this trend has worsened, showing an increase in concealed breaches.
Initial Access
RedCurl has traditionally relied on social engineering and spear-phishing to gain initial access to its targets. In its latest ransomware deployment, the initial infection vector remains consistent with previous RedCurl campaigns: phishing emails containing IMG files disguised as CV documents.
An IMG file is essentially a sector-by-sector copy of a storage device, like a virtual disk. When a victim clicks on the IMG file attached to the phishing email, Windows 10 and 11 mount it natively as a virtual drive. With the default configuration, Windows will also automatically open the mounted disk, displaying its contents in File Explorer. This is when the victim will see the file called ‘CV APPLICANT 7802-91542.SCR’.
Now, here’s a little secret most folks don’t know: screensaver (‘.SCR’) files are really just renamed executables. When you double-click a ‘.SCR’ file, Windows treats it like an executable, but with an additional ‘/S’ parameter, telling it to run in full screen mode. And here’s the fun part: this works both ways. You can absolutely rename a ‘.SCR’ file to ‘.EXE’ and run it (though you’d need to include the ‘/S’ parameter). But, just as easily, you can rename any ‘.EXE’ file to ‘.SCR’, and Windows will happily execute it. It’ll just add that ‘/S’ parameter, which won’t do anything unless the executable is designed for it.
CV APPLICANT 7802-91542.SCR is just a renamed copy of a legitimate Adobe executable, ADNotificationManager.exe, and this Adobe executable is vulnerable to DLL sideloading.
When an application starts, it often loads libraries (DLLs) to perform various functions. If an attacker can place a malicious DLL with the same name as a legitimate one in the same folder as the application, the application will load the malicious one instead (read our tech explainer for more details about this technique).
That’s exactly what’s happening here. When the victim clicks on that ‘.SCR’ file (which, remember, is just a renamed ‘.EXE’), Windows executes it. And because of that DLL sideloading vulnerability, it automatically loads a library containing malicious code named netutils.dll from the same folder.
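A quick way to confirm what the lure paragraphs above describe is to check the file headers rather than trust the extension. The following triage script is an added example written for this article, not Bitdefender tooling: it walks a folder (for instance a mounted IMG), reports every file that carries a PE image regardless of its extension, and lists the DLLs sitting beside each executable, which is the side-by-side layout that sideloading depends on. The lure layout it builds (`CV APPLICANT 7802-91542.SCR` next to `netutils.dll`) is constructed from the names on this page; the minimal MZ/PE stub it writes is not a real program, and the helper names are mine.

```python
import struct
import tempfile
from pathlib import Path

# Extensions the Windows shell hands to CreateProcess as native images,
# whatever their icon suggests. '.scr' is the one abused in this campaign.
NATIVE_IMAGE_EXTS = {".exe", ".scr", ".com", ".pif", ".cpl"}


def is_pe_image(head: bytes) -> bool:
    """True if `head` starts with an MZ stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<i", head, 0x3C)[0]  # offset of the PE signature
    if e_lfanew < 0 or e_lfanew + 4 > len(head):
        return False
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def triage_directory(root: str) -> list[dict]:
    """Describe every PE file under `root`: its extension and the DLLs beside it.

    A native image with loader-named DLLs in the same folder is the layout
    DLL sideloading needs, so that combination is flagged as a candidate.
    """
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        with path.open("rb") as fh:
            head = fh.read(4096)  # headers only; no need to read the whole file
        if not is_pe_image(head):
            continue
        ext = path.suffix.lower()
        sibling_dlls = sorted(
            s.name.lower() for s in path.parent.iterdir()
            if s.is_file() and s.suffix.lower() == ".dll" and s != path
        )
        findings.append({
            "path": str(path.relative_to(root)),
            "ext": ext,
            "runs_as_native_image": ext in NATIVE_IMAGE_EXTS,
            "sibling_dlls": sibling_dlls,
            "sideload_candidate": ext in NATIVE_IMAGE_EXTS and bool(sibling_dlls),
        })
    return findings


def build_minimal_pe_stub() -> bytes:
    """Constructed bytes with a valid MZ -> e_lfanew -> 'PE\\0\\0' chain; not runnable code."""
    head = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<i", head, 0x3C, 0x40)  # PE signature directly after the DOS header
    return bytes(head) + b"PE\0\0" + b"\0" * 20


def build_sample_image(root: str) -> None:
    """Lay out a constructed lure folder mirroring the IMG contents described above."""
    stub = build_minimal_pe_stub()
    (Path(root) / "CV APPLICANT 7802-91542.SCR").write_bytes(stub)
    (Path(root) / "netutils.dll").write_bytes(stub)
    (Path(root) / "readme.txt").write_bytes(b"plain text, not a PE image\n")


def demo_findings() -> list[dict]:
    """Build the constructed lure folder in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_image(tmp)
        return triage_directory(tmp)


if __name__ == "__main__":
    for finding in demo_findings():
        print(finding)
```

Run against a real mounted image, the script reports the renamed Adobe executable as a `.scr` that runs as a native image with `netutils.dll` beside it; the text file is ignored because it has no MZ/PE header.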
After execution, the netutils.dll immediately launches a ShellExecuteA call with the open verb, directing the victim’s browser to https://secure.indeed.com/auth. This displays a legitimate Indeed login page, a calculated distraction designed to mislead the victim into thinking they are simply opening a CV. This social engineering tactic provides a window for the malware to operate undetected.
Simultaneously, netutils.dll acts as a downloader. Preliminary analysis of the netutils.dll downloader revealed other recurring characteristics observed in prior RedCurl campaigns, including the implementation of encrypted strings decrypted via bcrypt.dll. It uses wininet.dll functions to retrieve the final payload from the domain fall[.]dropconnect[.]workers[.]dev, using a custom user agent: ‘Mozilla/5.0 (Windows NT; Windows NT 10.0;) WindowsPowerShell/5.1.20134.790 (tQZyWLKnigaURyRIrnRG)’.
This final payload is stored in %APPDATA%\BrowserSpec\BrowserSpec_<base64 representation of the hostname>.dll. To establish persistence, a scheduled task named BrowserSpec\BrowserSpec_<base64 representation of the hostname> is created. This scheduled task executes the final payload indirectly with the following command line: C:\Windows\system32\pcalua.exe -a rundll32 -c shell32.dll,Control_RunDLL C:\Users\<user>\AppData\Roaming\BrowserSpec\BrowserSpec_.<base64 representation of the hostname>.dll hard-wired-displacement.
This command line is a classic example of Living-off-the-Land (LOTL) techniques, a common tactic in modern cyberattacks (and remember, we’ve got a Tech Explainer on LOTL if you want to dive deeper). Basically, it’s about using legitimate system tools to carry out malicious actions, making it harder for defenders to spot the bad stuff.
This backdoor, a straightforward but reliable tool, acts as its main entry point. Other security researchers have previously documented it under names like RedCurl.Downloader or Earth Kapre downloader. Since our research is focused on the first documented instance of ransomware in RedCurl operations, we won’t rehash the well-known behaviours of this malware that have already been covered.
Lateral Movement
Once RedCurl establishes its initial foothold, its focus shifts to navigating the network, gathering intelligence, and escalating its access.
With access to compromised user accounts across multiple systems, it used WMI to run commands on other computers. When it runs commands remotely, it sticks to built-in Windows tools. It doesn’t bring in any external tools, relying only on LOTL techniques and regular Windows tools like powershell.exe, wmic.exe, certutil.exe, or tasklist.exe.
Analysis revealed the use of a pen testing tool that used techniques mirroring those found in both the older, deprecated wmiexec-RegOut and the current wmiexec-Pro projects. This modified wmiexec is interesting because it only requires port 135 to function, bypassing the need for an SMB connection, which is often monitored by security tools. This tool outputs command results into files in C:\Windows\Temp\<6 random letters> or directly into the Windows Registry.
We also observed the use of Chisel, a fast TCP/UDP tunnel over HTTP. We suspect it was used for RDP access.
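The persistence command line in the Initial Access section (pcalua.exe launching rundll32 with Control_RunDLL against a DLL under AppData\Roaming), the downloader’s unusual user agent, and the WMI-driven remote execution described here all leave traces in ordinary process-creation and proxy telemetry. The detection logic below is an added example written for this article, not a Bitdefender product rule: it runs three process rules and one user-agent check over a handful of constructed events. The event rows, hostnames, the `jdoe` user and the `kqzwpa` scratch name are invented; treating the PowerShell build number and the 20-letter token in the user agent as variable is my assumption, since the page quotes a single value.

```python
import re

# Constructed process-creation records (not real telemetry). Tab-separated
# fields: timestamp, host, parent image, image, command line. Rows 1-3 mirror
# the behaviours described above; rows 4-5 are benign noise.
SAMPLE_EVENTS = (
    "2025-03-10T08:01:12Z\tWS01\tC:\\Windows\\System32\\svchost.exe\t"
    "C:\\Windows\\System32\\pcalua.exe\tC:\\Windows\\system32\\pcalua.exe -a rundll32 "
    "-c shell32.dll,Control_RunDLL C:\\Users\\jdoe\\AppData\\Roaming\\BrowserSpec\\"
    "BrowserSpec_V1MwMQ==.dll hard-wired-displacement\n"
    "2025-03-10T08:02:40Z\tFS02\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\t"
    "C:\\Windows\\System32\\cmd.exe\tcmd.exe /Q /c tasklist /v 1> C:\\Windows\\Temp\\kqzwpa 2>&1\n"
    "2025-03-10T08:03:05Z\tFS02\tC:\\Windows\\System32\\wbem\\WmiPrvSE.exe\t"
    "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\t"
    "powershell.exe -NoP -c Get-NetTCPConnection\n"
    "2025-03-10T08:04:00Z\tWS01\tC:\\Windows\\explorer.exe\t"
    "C:\\Windows\\System32\\rundll32.exe\trundll32.exe shell32.dll,Control_RunDLL timedate.cpl\n"
    "2025-03-10T08:05:30Z\tWS03\tC:\\Windows\\System32\\services.exe\t"
    "C:\\Windows\\System32\\svchost.exe\tsvchost.exe -k netsvcs -p\n"
)

# Built-in tools the page lists as run remotely over WMI, plus the shell itself.
WMI_LOTL_TOOLS = {"cmd.exe", "powershell.exe", "wmic.exe", "certutil.exe", "tasklist.exe"}

# wmiexec-style output file: C:\Windows\Temp\<exactly six letters>, not a longer name.
TEMP_SCRATCH = re.compile(r"\\Windows\\Temp\\[A-Za-z]{6}(?![A-Za-z0-9.])", re.IGNORECASE)

# User agent quoted above; build number and trailing token treated as variable (assumption).
UA_PATTERN = re.compile(
    r"^Mozilla/5\.0 \(Windows NT; Windows NT 10\.0;\) "
    r"WindowsPowerShell/5\.1\.\d+\.\d+ \([A-Za-z]{20}\)$"
)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_events(text: str) -> list[dict]:
    """Turn the tab-separated rows into dicts; image paths are lower-cased for matching."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, parent, image, cmdline = line.split("\t", 4)
        events.append({"ts": ts, "host": host, "parent": parent.lower(),
                       "image": image.lower(), "cmdline": cmdline})
    return events


def rule_pcalua_rundll32_appdata(ev: dict) -> bool:
    """Program Compatibility Assistant used as a proxy to rundll32 a DLL from AppData\\Roaming."""
    cl = ev["cmdline"].lower()
    return (basename(ev["image"]) == "pcalua.exe" and "-a rundll32" in cl
            and "control_rundll" in cl and "\\appdata\\roaming\\" in cl and ".dll" in cl)


def rule_wmi_spawned_lotl_tool(ev: dict) -> bool:
    """WMI provider host spawning one of the built-in tools the actor runs remotely."""
    return basename(ev["parent"]) == "wmiprvse.exe" and basename(ev["image"]) in WMI_LOTL_TOOLS


def rule_wmi_shell_temp_scratch(ev: dict) -> bool:
    """Same parent, but the command also writes to a six-letter scratch path under Temp."""
    return rule_wmi_spawned_lotl_tool(ev) and TEMP_SCRATCH.search(ev["cmdline"]) is not None


RULES = {
    "pcalua_rundll32_appdata": rule_pcalua_rundll32_appdata,
    "wmi_spawned_lotl_tool": rule_wmi_spawned_lotl_tool,
    "wmi_shell_temp_scratch": rule_wmi_shell_temp_scratch,
}


def run_detections(text: str) -> list[dict]:
    """Return one hit per event that matched at least one rule, with the rule names."""
    hits = []
    for ev in parse_events(text):
        matched = [name for name, fn in RULES.items() if fn(ev)]
        if matched:
            hits.append({"ts": ev["ts"], "host": ev["host"],
                         "image": basename(ev["image"]), "rules": matched})
    return hits


def is_suspicious_user_agent(ua: str) -> bool:
    """Match the downloader's PowerShell-lookalike user agent with its parenthesised token."""
    return UA_PATTERN.match(ua) is not None


if __name__ == "__main__":
    for hit in run_detections(SAMPLE_EVENTS):
        print(hit)
```

The second WMI rule is deliberately narrower than the first: a WMI provider host spawning powershell.exe is common in managed environments, whereas a shell redirecting output to a six-letter file under C:\Windows\Temp is the specific artefact of the modified wmiexec noted above, so the two can be assigned different severities.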
We’ve seen RedCurl stick to its usual playbook in most cases, continuing with data exfiltration over longer periods of time. However, one case stood out. It broke its routine and deployed ransomware for the first time.
Ransomware Deployment
The ransomware incident we observed with RedCurl stands out. Beyond the questions surrounding its motivation, its targeting strategy is also noteworthy. While most ransomware groups deploy their payloads across all endpoints (often using GPO or PsExec), and some extend to hypervisors, RedCurl targeted only hypervisors.
This focused targeting can be interpreted as an attempt to inflict maximum damage with minimum effort. By encrypting the virtual machines hosted on the hypervisors, making them unbootable, RedCurl effectively disables the entire virtualised infrastructure, impacting all hosted services. Interestingly, it deliberately excluded specific VMs that acted as network gateways, demonstrating its familiarity with the network implementation. The batch scripts used to launch the attack contained hardcoded information about the environment, including machine names, further indicating a highly targeted operation.
By keeping network gateways operational and avoiding endpoint encryption, RedCurl may have aimed to confine the attack to the IT team, preventing widespread disruption and user awareness.
Ransomware Note Analysis
Analysis of the ransom note reveals that it is not an original creation. Instead, it is composed of sections taken from the ransom notes of other known ransomware groups, including LockBit, HardBit, and Mimic. This practice of repurposing existing ransom note text raises questions about the origins and motivations of the RedCurl group. Notably, there is no known dedicated leak site (DLS) associated with this ransomware, and it remains unclear whether the ransom note represents a genuine extortion attempt or a diversion.
Conclusion and Recommendations
The RedCurl group’s recent deployment of ransomware marks a significant evolution in its tactics. This departure from its established modus operandi raises critical questions about its motivations and operational objectives. The highly targeted nature of the ransomware attack shows a well-planned and executed operation.
To mitigate the risk of ransomware attacks similar to the one deployed by RedCurl, and aligning with the insights provided in Bitdefender’s Ransomware Whitepaper (https://techzone.bitdefender.com/en/white-papers/ransomware-whitepaper.html), we recommend the following:
- Multilayered Defence: Adopting a multilayered security approach is essential. Organisations should invest in a diverse range of security controls, including network segmentation and endpoint protection to create overlapping layers of defence against cyber threats.
- Detection and Response: Despite your best efforts, it is still possible that modern threat actors will make it past your prevention and protection controls. This is where your detection and response capabilities come into play. Whether you get these capabilities as-a-product (EDR/XDR) or as-a-service (MDR), the purpose is to minimise the time during which threat actors remain undetected. The Bitdefender MDR team conducts a proactive search through an environment to hunt for malicious, suspicious, or risky activities that have evaded detection by existing tools. Use behavioural analysis and anomaly detection to identify suspicious activities, such as unusual tunnelling via tools like Chisel or remote execution with wmiexec-RegOut.
- Prioritise Living-off-the-Land (LOTL) Prevention: Almost all modern cybercriminals abuse legitimate system tools for malicious purposes, so focus on preventing and detecting LOTL attacks. Implement strict application control to limit the execution of unauthorised scripts and binaries, even those signed by trusted vendors. Harden PowerShell and other scripting environments by enforcing execution policies and enabling enhanced logging. Monitor for unusual process executions and command-line arguments, as RedCurl leverages tools like curl.exe and wmic.exe for malicious activities. Additionally, restrict administrative privileges and implement least-privilege principles to limit the impact of compromised accounts.
- Enhance Data Protection and Resilience: While backups are often considered a core defence against ransomware, they are usually less effective than assumed due to malicious targeting. Implement immutable backups, isolated from the production network, and regularly test recovery procedures. Exercise caution with backup solutions that rely on Shadow Volume Copies, as these are frequently targeted and deleted by ransomware, as evidenced by RedCurl’s default deletion of shadow volumes. Encrypt sensitive data at rest and in transit to minimise data breach impacts.
- Advanced Threat Intelligence: The right threat intelligence solutions can provide critical insights about attacks. Bitdefender IntelliZone consolidates all the information we’ve gathered about RedCurl operations. If you already have an IntelliZone account, you can find additional structured information under Threat ID XYZ.
By implementing these recommendations, organisations can strengthen their defences and better protect against the evolving threat landscape posed by sophisticated cyber adversaries.
We would like to thank Stefan Ioja, Adrian Schipor, Victor Vrabie, and Bogdan Zavadovschi for help with putting this advisory report together.