Discover the novel QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including DLL sideloading and abuse of Living-off-the-Land (LOTL) techniques, and explores the group's evolving cybercriminal activity.
Bitdefender Labs has revealed a shift in the operational tactics of the long-standing cyber threat group known as RedCurl. The group, also tracked as Earth Kapre or Red Wolf, has historically kept a low profile and relied heavily on covert data exfiltration. It has now been linked to a novel ransomware campaign, a dramatic change in its activity. The new strain, dubbed QWCrypt, targets hypervisors, crippling infrastructure while keeping the intrusion itself quiet.
"This new ransomware…is previously undocumented and distinct from known ransomware families," the report states.
The discovery prompts a reevaluation of RedCurl's operational model, which has remained largely puzzling since the group emerged in 2018. Its targeting patterns further complicate classification.
While telemetry points to victims primarily in the United States, with additional targets in Germany, Spain, and Mexico, other researchers have reported targets in Russia, a broad geographical scope that is atypical for state-sponsored actors. The absence of any historical evidence of RedCurl selling stolen data, a common practice in ransomware operations, adds to the mystery.
Residing-off-the-Land (LOTL)
The group uses sophisticated techniques, including DLL sideloading and the abuse of Living-off-the-Land (LOTL) methods, while avoiding public leak sites entirely, a significant departure from typical ransomware operations.
The initial access vector RedCurl used for the ransomware deployment is consistent with its earlier campaigns: phishing emails carrying IMG files disguised as CV documents. When the image is mounted and opened, a malicious screensaver (.scr) file runs, which in turn loads a malicious DLL via sideloading. That DLL downloads the final payload, using encrypted strings and legitimate Windows tools to evade detection.
Once inside the network, RedCurl moves laterally using WMI and other built-in Windows tools to gather intelligence and escalate access. The group's use of a modified wmiexec tool that avoids SMB connections, together with Chisel, a TCP/UDP tunneling tool, highlights the sophistication of its approach. Note that the SMB avoidance removes the ADMIN$ share traffic that stock wmiexec produces, so detections keyed on that share alone will miss it; the WMI-side process-creation artefact remains.
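The two stages above leave host-side artefacts that can be caught without any file hash: a user-launched screensaver outside the Windows directory, a system-named DLL loaded from the same folder as that screensaver instead of System32, and the WMI provider host spawning a shell. The following Python is an added example written for this article, not code from Bitdefender's report or from RedCurl's tooling. It runs three such behavioural rules over a handful of constructed Sysmon-style events (ProcessCreate and ImageLoad); the drive letter, the file names and the sideloaded DLL name are assumptions, and the list of commonly sideloaded DLL names is illustrative rather than taken from the report.

```python
"""Behavioural triage of Sysmon-style events for the RedCurl chain.

Added example, not Bitdefender's or RedCurl's code. The event layout,
the sample events, the DLL name and the drive letter are constructed.
"""
import ntpath

# Directories from which Windows normally loads its own DLLs.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# System DLL names often sideloaded by planting a copy next to the EXE.
# Illustrative list, not from the report.
SIDELOAD_CANDIDATES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                       "wininet.dll", "userenv.dll", "msimg32.dll"}

# Children that wmiexec-style tooling spawns under the WMI provider host.
WMI_SHELL_CHILDREN = {"cmd.exe", "powershell.exe"}


def _base(path: str) -> str:
    return ntpath.basename(path).lower()


def _under_system_dirs(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def check_scr_launch(ev: dict) -> bool:
    """Stage 1: Explorer launching a .scr that does not live under
    C:\\Windows (the screensaver inside the mounted IMG, double-clicked)."""
    return (ev["id"] == 1
            and ev["image"].lower().endswith(".scr")
            and not ev["image"].lower().startswith("c:\\windows\\")
            and _base(ev["parent"]) == "explorer.exe")


def check_dll_sideload(ev: dict) -> bool:
    """Stage 2: a DLL with a well-known system name loaded from the same
    directory as the executable instead of System32/SysWOW64."""
    if ev["id"] != 7:
        return False
    dll = ev["loaded"]
    same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(ev["image"]).lower()
    return (not _under_system_dirs(dll)
            and same_dir
            and _base(dll) in SIDELOAD_CANDIDATES)


def check_wmi_spawn(ev: dict) -> bool:
    """Lateral movement: WmiPrvSE.exe spawning a shell. Fires for stock
    wmiexec and for a variant that avoids SMB, since the WMI-side
    process-creation artefact is the same either way."""
    return (ev["id"] == 1
            and _base(ev["parent"]) == "wmiprvse.exe"
            and _base(ev["image"]) in WMI_SHELL_CHILDREN)


RULES = (("scr_launch_from_image", check_scr_launch),
         ("dll_sideload", check_dll_sideload),
         ("wmi_remote_shell", check_wmi_spawn))


def triage(events: list[dict]) -> list[tuple[str, str]]:
    """Return (rule_name, image) for every event that matches a rule."""
    hits = []
    for ev in events:
        for name, rule in RULES:
            if rule(ev):
                hits.append((name, ev["image"]))
    return hits


# Constructed Sysmon-like events (id 1 = ProcessCreate, id 7 = ImageLoad).
# "E:" stands for the mounted IMG; "version.dll" is an assumed DLL name.
SAMPLE_EVENTS = [
    {"id": 1, "image": "E:\\CV_Applicant.scr",
     "parent": "C:\\Windows\\explorer.exe"},
    {"id": 7, "image": "E:\\CV_Applicant.scr",
     "loaded": "E:\\version.dll"},
    {"id": 1, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"},
    # Benign noise: an app loading the real version.dll, and Explorer
    # starting Notepad. Neither should match.
    {"id": 7, "image": "C:\\Program Files\\App\\app.exe",
     "loaded": "C:\\Windows\\System32\\version.dll"},
    {"id": 1, "image": "C:\\Windows\\System32\\notepad.exe",
     "parent": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:24} {image}")
```

The rules deliberately key on parent/child and load-path relationships rather than on file names or hashes, because the IMG, the screensaver and the DLL are trivially renamed per campaign; on a real estate the benign-noise cases (legitimate screensavers under C:\Windows, WMI-driven management tooling that spawns shells) are where tuning effort goes.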
The ransomware deployment itself is highly targeted. RedCurl uses batch files to disable endpoint protection and launch the ransomware's Go executable, rbcw.exe, which encrypts virtual machines with XChaCha20-Poly1305 while excluding network gateways.
The binary also carries a hardcoded personal ID for victim identification. The ransom note, the researchers say, is not original but a compilation of passages lifted from other ransomware groups' notes. The absence of a dedicated data leak site further muddies the picture of RedCurl's motives.
Bitdefender’s Hypotheses
Bitdefender proposes two hypotheses to explain RedCurl's unconventional behaviour. The first is that the group operates as "gun-for-hire" cyber mercenaries, which would account for its diverse victimology and inconsistent operational patterns.
The second is that RedCurl prioritizes discreet, direct negotiation with victims, avoiding public attention in order to sustain extended, low-profile operations. This reading is supported by the group's targeting of hypervisors while leaving network gateways untouched, which suggests an attempt to limit disruption and confine the impact to IT departments.
In conclusion, Bitdefender recommends a multilayered defence strategy, enhanced detection and response capabilities, and a focus on preventing LOTL attacks to mitigate the risk posed by groups like RedCurl. It also emphasizes the importance of data protection, resilience, and advanced threat intelligence.