The Russian-speaking hacking group RedCurl has been linked to ransomware operations for the first time, marking a shift in its tradecraft. Romanian cybersecurity firm Bitdefender uncovered the use of a new ransomware strain, QWCrypt, deployed through ISO files disguised as CVs. These files contain a fake screensaver file that executes malware via DLL side-loading.
Active since at least November 2018, RedCurl—also known as Earth Kapre and Red Wolf—has previously targeted entities across multiple countries, focusing on corporate espionage. Its phishing attacks use HR-themed lures, spam PDFs posing as CVs, and malware distributed through legitimate applications like Adobe’s “ADNotificationManager.exe.” Recent attacks leveraged a loader, “netutils.dll,” to download backdoor malware and establish persistence with scheduled tasks.

Image Source: eSentire via thehackernews
One attack involved deploying ransomware, targeting hypervisor-hosted virtual machines to disable infrastructure. The ransomware uses the “bring your own vulnerable driver” (BYOVD) method to bypass security and features a ransom note resembling styles from groups like LockBit, though no dedicated leak site has been identified. RedCurl’s shift to ransomware indicates an evolution in its threat profile.
Original article courtesy of thehackernews.com.