A Russian-speaking hacking group known as RedCurl has been associated with a ransomware campaign, marking a significant departure from their previous tactics.
According to research by Romanian cybersecurity firm Bitdefender, this campaign involves the use of a previously unknown ransomware strain called QWCrypt, which was discovered during an investigation into the group’s activities.
RedCurl, also referred to as Earth Kapre and Red Wolf, has been involved in corporate espionage attacks targeting various entities in multiple countries, including Canada, Germany, Norway, Russia, Slovenia, Ukraine, the United Kingdom, and the United States, with their activities dating back to at least November 2018.
Previous research by Group-IB in 2020 highlighted the group’s use of spear-phishing emails with Human Resources (HR)-themed lures to initiate the malware deployment process. More recently, in January, Huntress reported on attacks by the group targeting organizations in Canada to deploy a loader with basic backdoor capabilities.
Last month, Canadian cybersecurity company eSentire revealed that RedCurl used spam PDF attachments disguised as CVs and cover letters in phishing messages to sideload the loader malware using the legitimate Adobe executable “ADNotificationManager.exe.”
The attack sequence detailed by Bitdefender follows similar steps, using mountable disk image (ISO) files disguised as CVs to start a multi-stage infection. Inside the image is a file carrying a Windows screensaver (.scr) extension that is in fact the legitimate, signed ADNotificationManager.exe binary; because .scr files are ordinary PE executables, double-clicking it runs the Adobe program, which in turn loads the malicious loader ("netutils.dll") placed next to it through DLL side-loading, as it resolves that library name from its own directory before the system copy.
“Upon execution, the netutils.dll immediately initiates a ShellExecuteA call with the open verb, directing the victim’s browser to https://secure.indeed.com/auth,” explained Martin Zugec, Technical Solutions Director at Bitdefender, in a report shared with The Hacker News.
“This act displays a legitimate Indeed login page, a deliberate distraction aimed at misleading the victim into believing they are simply opening a CV. This social engineering tactic creates a window of opportunity for the malware to operate undetected.”
[Image: attack chain diagram. Image source: eSentire]
The loader, as per Bitdefender, also functions as a downloader for a next-stage backdoor DLL and establishes persistence on the host through a scheduled task. The newly retrieved DLL is then executed through the Program Compatibility Assistant launcher (pcalua.exe), a signed Windows binary that can be abused to proxy execution of an arbitrary file, a technique previously detailed by Trend Micro in March 2024.
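The chain above (a renamed ADNotificationManager.exe inside an ISO, netutils.dll side-loaded from the same directory, a browser opened on the Indeed login page, a scheduled task for persistence, and pcalua.exe proxying the next-stage DLL) leaves a small set of process-creation and image-load artifacts that are straightforward to hunt for. The detector below is an added example, not code from Bitdefender, eSentire or the original article: it applies those checks to a handful of constructed Sysmon-style events (Event ID 1 process creation, Event ID 7 image load). The drive letter, file names such as Resume_2025.scr and stage2.dll, the scheduled-task command line and the Adobe install path are assumptions chosen for illustration; the binary, DLL and URL names come from the article.

```python
"""Heuristic hunt for the RedCurl-style delivery chain described above.

Events are constructed Sysmon-like dictionaries (subset of EID 1 and EID 7
fields), not real telemetry.  Sample paths and command lines are assumptions.
"""
import ntpath

WINDOWS_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Names the article gives: the abused signed Adobe binary and the side-loaded DLL.
DECOY_HOST = "adnotificationmanager.exe"
SIDELOADED_DLLS = {"netutils.dll"}  # a genuine System32 library name, abused here


def _lower_name(path):
    return ntpath.basename(path).lower()


def _in_windows_dir(path):
    return path.lower().startswith(WINDOWS_DIRS)


def check_process(ev):
    """Rules for a process-creation event (Sysmon EID 1)."""
    hits = []
    name = _lower_name(ev.get("Image", ""))
    original = ev.get("OriginalFileName", "").lower()   # from PE version info
    cmd = ev.get("CommandLine", "").lower()
    parent = _lower_name(ev.get("ParentImage", ""))

    # Rule 1: a .scr whose PE version info says it is ADNotificationManager.exe,
    # i.e. the renamed decoy host shipped inside the ISO.
    if name.endswith(".scr") and original == DECOY_HOST:
        hits.append("renamed-decoy-host")
    # Rule 2: Program Compatibility Assistant used as a proxy launcher for a DLL.
    if name == "pcalua.exe" and "-a" in cmd.split() and ".dll" in cmd:
        hits.append("pcalua-dll-proxy")
    # Rule 3: scheduled-task creation spawned by the decoy screensaver process.
    if name == "schtasks.exe" and "/create" in cmd and parent.endswith(".scr"):
        hits.append("schtasks-persistence")
    # Rule 4: the decoy process launching a browser on the Indeed login page.
    if parent.endswith(".scr") and "secure.indeed.com/auth" in cmd:
        hits.append("indeed-decoy-page")
    return hits


def check_image_load(ev):
    """Rules for an image-load event (Sysmon EID 7)."""
    loaded = ev.get("ImageLoaded", "")
    # A known Windows DLL name resolved from outside the Windows directories
    # is the classic side-loading signature.
    if _lower_name(loaded) in SIDELOADED_DLLS and not _in_windows_dir(loaded):
        return ["dll-sideload"]
    return []


def scan(events):
    """Return (rule, image) pairs for every event that trips a rule."""
    findings = []
    for ev in events:
        hits = check_process(ev) if ev["EventID"] == 1 else (
            check_image_load(ev) if ev["EventID"] == 7 else [])
        findings.extend((h, ev["Image"]) for h in hits)
    return findings


# Constructed sample events: one infection chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"E:\Resume_2025.scr", "OriginalFileName": "ADNotificationManager.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"E:\Resume_2025.scr"'},
    {"EventID": 7, "Image": r"E:\Resume_2025.scr", "ImageLoaded": r"E:\netutils.dll"},
    {"EventID": 1, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "OriginalFileName": "firefox.exe",
     "ParentImage": r"E:\Resume_2025.scr",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://secure.indeed.com/auth'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe", "OriginalFileName": "schtasks.exe",
     "ParentImage": r"E:\Resume_2025.scr",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 15 /tn Updater /tr "C:\Windows\System32\pcalua.exe -a C:\ProgramData\stage2.dll"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\pcalua.exe", "OriginalFileName": "pcalua.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "CommandLine": r"pcalua.exe -a C:\ProgramData\stage2.dll"},
    # benign: the real netutils.dll loaded from System32
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe", "ImageLoaded": r"C:\Windows\System32\netutils.dll"},
    # benign: the genuine Adobe binary under its own name (install path assumed)
    {"EventID": 1, "Image": r"C:\Program Files\Adobe\ADNotificationManager.exe",
     "OriginalFileName": "ADNotificationManager.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Adobe\ADNotificationManager.exe"'},
]

if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:22s} {image}")
```

The extension/OriginalFileName mismatch (rule 1) is the highest-signal check here because it does not depend on the attacker reusing the same file name, and the side-loading rule works on any DLL name you add to SIDELOADED_DLLS; treat rules 2 through 4 as corroborating context rather than stand-alone alerts, since pcalua.exe and schtasks.exe both have legitimate uses.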
The access provided by the implant enables lateral movement, allowing the threat actor to navigate the network, gather intelligence, and escalate their access. However, in a notable shift from their established modus operandi, one such attack also resulted in the deployment of ransomware for the first time.
“This targeted approach can be seen as an effort to inflict maximum damage with minimal effort,” Zugec noted. “By encrypting virtual machines hosted on hypervisors, making them unbootable, RedCurl effectively disables the entire virtualized infrastructure, impacting all hosted services.”
The ransomware executable, in addition to employing the bring your own vulnerable driver (BYOVD) technique to disable endpoint security software, gathers system information before initiating the encryption routine. Furthermore, the ransom note dropped after encryption appears to draw inspiration from LockBit, HardBit, and Mimic groups.
“This practice of repurposing existing ransom note text raises questions about the origins and motivations of the RedCurl group,” Zugec said. “Notably, there is no known dedicated leak site (DLS) associated with this ransomware, and it remains unclear whether the ransom note represents a genuine extortion attempt or a diversion.”