Hacked but not broken: how a Russian bank fought against RedCurl hacker attacks
Hackers do not give up and will look for any way to steal confidential data.
The Russian information security company FACCT has recorded new attacks by the RedCurl hacker group, which is known for commercial espionage and the theft of corporate information.
The detected attacks were aimed at one of Russia's largest banks, which was attacked twice: first with targeted phishing emails sent on behalf of a major Russian marketplace, and then through one of the bank's contractors.
A recent FACCT report details the RedCurl attacks of November 2022 and May 2023. In both cases the primary strategy for getting into the corporate network was phishing emails carrying malware. The emails were written on behalf of the marketplace and promised employees and their family members a corporate discount of 25% on all products.
RedCurl phishing email example
The target of the November attack was a well-known Russian bank from the list of systemically important credit institutions. Although the attackers attempted a malicious mailing, their emails were detected and blocked by the email protection system deployed in the bank's infrastructure and never reached the recipients.
After the first failed attempt, RedCurl turned to the bank's contractor, a supply-chain attack. Having taken control of a contractor employee's computer, presumably through a phishing campaign, the attackers gained access to a shared network drive containing the client's documents, which gave them a way into the financial institution's infrastructure.
While investigating the November 2022 and May 2023 incidents, FACCT specialists collected and analyzed samples of RedCurl malware.
In the first stage of infection the group used the RedCurl.SimpleDownloader downloader, developed specifically for the new campaign that abuses the marketplace brand. FACCT experts believe this is a new, fully fledged tool that will be modified and reused in future RedCurl attacks.
The next stage used the updated RedCurl.Downloader loader to fetch RedCurl.Extractor, which installs the RedCurl.FSABIN agent; that agent in turn gives the attackers remote access to the infected computer.
An FACCT spokesman emphasized that groups such as RedCurl pose a threat to Russian companies that lack tools for stopping sophisticated attacks at an early stage. Even though the email protection stopped the first attack, the attackers found a weaker link in the contractor, an attack vector that must also be accounted for.
In its report, FACCT describes the RedCurl infection chains, indicators of compromise (IoCs), and protection recommendations mapped to the MITRE ATT&CK matrix.