Emerging Threat: RedCurl Cyberspies Deploy Ransomware to Target Hyper-V Servers

Since 2018, the cyber-espionage group known as 'RedCurl' has been conducting covert operations against corporate entities worldwide. The group traditionally focused on data exfiltration, but recent intelligence indicates a concerning shift in its tactics: the deployment of ransomware specifically designed to encrypt Hyper-V virtual machines.

Evolution of RedCurl's Attack Strategies

Bitdefender Labs researchers have observed that RedCurl's recent campaigns commence with phishing emails containing ".IMG" attachments masquerading as job applications. These disk image files, when opened, automatically mount as new drives on Windows systems. Within these drives, a screensaver file vulnerable to DLL sideloading is executed using a legitimate Adobe executable, facilitating the download of malicious payloads and establishing persistence through scheduled tasks.

To maintain stealth and lateral movement within compromised networks, RedCurl employs:

  • Living-off-the-land tools: Utilizing native Windows utilities to avoid detection.
  • Custom wmiexec variant: Enabling lateral movement without triggering security alerts.
  • Chisel tool: Establishing tunneling and Remote Desktop Protocol (RDP) access.

Prior to deploying ransomware, the attackers disable security defenses using encrypted 7z archives and a multi-stage PowerShell process.

Introduction of QWCrypt Ransomware

RedCurl's proprietary ransomware, dubbed "QWCrypt," exhibits advanced functionalities tailored for targeting Hyper-V virtual machines:

  • Command-line arguments: Allowing customization of attacks, including options to exclude specific VMs, encrypt Hyper-V VMs, terminate VM processes, and toggle VM shutdowns.
  • Selective encryption: Supporting intermittent encryption and selective file encryption based on size to optimize attack speed.

Notably, in observed attacks, RedCurl utilized the "--excludeVM" argument to avoid encrypting virtual machines serving as network gateways, thereby minimizing operational disruptions. The QWCrypt encryptor employs the XChaCha20-Poly1305 encryption algorithm, appending either the ".locked$" or ".randombits$" extension to encrypted files.
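As a defender-side illustration of the tradecraft described in the two sections above, here is an added example (not code from the report, Bitdefender or BleepingComputer): a small Python scan over constructed Sysmon-style events that flags a screensaver launched from a drive root (the mounted .IMG), scheduled-task creation, the "--excludeVM" argument, and files renamed with the ".locked$" or ".randombits$" extensions, escalating when Hyper-V storage files are hit. The Hyper-V file extensions, the drive-root heuristic, the sample paths and the binary name "qw.exe" are assumptions of this example, not details from the post.

```python
import re
from dataclasses import dataclass

# QWCrypt appends ".locked$" or ".randombits$" (named in the post above).
RANSOM_EXT = re.compile(r"\.(?:locked|randombits)\$$", re.IGNORECASE)
# Hyper-V disk/state file types (assumption: standard Hyper-V extensions, not
# listed in the post) carrying a QWCrypt extension: the highest-signal event.
VM_FILE_HIT = re.compile(r"\.(?:a?vhdx?|vmcx|vmrs)\.(?:locked|randombits)\$$", re.IGNORECASE)
# Heuristic for a mounted .IMG attachment: a .scr launched straight from a drive root.
SCR_AT_ROOT = re.compile(r"^[a-z]:\\[^\\]+\.scr$", re.IGNORECASE)

@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str

def analyze(events, burst_threshold=3):
    """Scan Sysmon-style event dicts and return the list of Findings, in event order."""
    findings, ransom_renames = [], 0
    for ev in events:
        if ev["type"] == "file":
            path = ev["path"]
            if RANSOM_EXT.search(path):
                ransom_renames += 1
                if VM_FILE_HIT.search(path):
                    findings.append(Finding("qwcrypt_vm_file", path))
        elif ev["type"] == "process":
            cmd = ev["cmdline"]
            if "--excludevm" in cmd.lower():
                findings.append(Finding("qwcrypt_cmdline", cmd))
            if SCR_AT_ROOT.match(ev["image"]):
                findings.append(Finding("scr_from_drive_root", ev["image"]))
            if cmd.lower().startswith("schtasks") and "/create" in cmd.lower():
                findings.append(Finding("scheduled_task_created", cmd))
    if ransom_renames >= burst_threshold:  # several renames in one batch = encryption under way
        findings.append(Finding("ransom_extension_burst", f"{ransom_renames} renames"))
    return findings

# Constructed sample telemetry (not real logs): one benign event, then the chain.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"type": "process", "image": r"E:\CV_Applicant.scr", "cmdline": r"E:\CV_Applicant.scr"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn Updater /tr "powershell <placeholder>" /sc minute'},
    {"type": "process", "image": r"C:\ProgramData\qw.exe", "cmdline": "qw.exe --excludeVM gateway01"},
    {"type": "file", "path": r"C:\Hyper-V\VHDs\fileserver.vhdx.locked$"},
    {"type": "file", "path": r"C:\Hyper-V\VHDs\db01.avhdx.randombits$"},
    {"type": "file", "path": r"C:\Users\admin\notes.txt.locked$"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```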

Implications and Recommendations

The evolution of RedCurl's tactics to include ransomware deployment signifies a broader trend among cyber threat actors adapting to virtualized environments. Organizations relying on virtualization platforms like Hyper-V must adopt proactive cybersecurity measures:

  1. Enhanced Phishing Defenses: Implement comprehensive email filtering solutions and conduct regular employee training to recognize and report phishing attempts.
  2. Network Segmentation: Isolate critical systems and virtual machines to limit lateral movement opportunities for attackers.
  3. Regular Security Audits: Perform continuous assessments of network infrastructures to identify and remediate vulnerabilities.
  4. Advanced Threat Detection: Deploy behavioral analysis tools capable of detecting anomalous activities indicative of sophisticated threats.

For an in-depth analysis of RedCurl's recent activities, refer to the original report by BleepingComputer:

At AGT (Advanced German Technology), we are committed to providing cutting-edge cybersecurity solutions to protect your organization's critical assets against evolving threats.

Contact AGT Experts: https://agt-technology.com/contact-us/

Source: https://www.bleepingcomputer.com/

#AdvancedGermanTechnology #CyberSecurity #RedCurl #Ransomware #HyperV


This is the kind of threat that blurs the line between espionage and extortion, and RedCurl’s playbook keeps getting sharper. Smart teams will treat it as a wake-up call to rethink how they secure their VMs.
