Description
[RedCurl](https://attack.mitre.org/groups/G1039) is a threat actor, active since 2018, notable for corporate espionage targeting a variety of locations, including Ukraine, Canada and the United Kingdom, and a variety of industries, including but not limited to travel agencies, insurance companies, and banks.(Citation: group-ib_redcurl1) [RedCurl](https://attack.mitre.org/groups/G1039) is allegedly a Russian-speaking threat actor.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) The group's operations typically begin with spearphishing emails to gain initial access; the group then executes discovery and collection commands and scripts to locate corporate data, and concludes by exfiltrating the collected files to its C2 servers.
Techniques Used (TTPs)
- T1027 — Obfuscated Files or Information (defense-evasion)
- T1564.001 — Hidden Files and Directories (defense-evasion)
- T1102 — Web Service (command-and-control)
- T1114.001 — Local Email Collection (collection)
- T1039 — Data from Network Shared Drive (collection)
- T1080 — Taint Shared Content (lateral-movement)
- T1204.002 — Malicious File (execution)
- T1005 — Data from Local System (collection)
- T1119 — Automated Collection (collection)
- T1083 — File and Directory Discovery (discovery)
- T1059.003 — Windows Command Shell (execution)
- T1059.001 — PowerShell (execution)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1059.005 — Visual Basic (execution)
- T1560.001 — Archive via Utility (collection)
- T1573.001 — Symmetric Cryptography (command-and-control)
- T1071.001 — Web Protocols (command-and-control)
- T1087.003 — Email Account (discovery)
- T1587.001 — Malware (resource-development)
- T1087.001 — Local Account (discovery)
- T1056.002 — GUI Input Capture (collection, credential-access)
- T1082 — System Information Discovery (discovery)
- T1204.001 — Malicious Link (execution)
- T1573.002 — Asymmetric Cryptography (command-and-control)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1020 — Automated Exfiltration (exfiltration)
- T1199 — Trusted Relationship (initial-access)
- T1537 — Transfer Data to Cloud Account (exfiltration)
- T1202 — Indirect Command Execution (defense-evasion)
- T1552.001 — Credentials In Files (credential-access)
- T1218.011 — Rundll32 (defense-evasion)
- T1087.002 — Domain Account (discovery)
- T1566.002 — Spearphishing Link (initial-access)
- T1552.002 — Credentials in Registry (credential-access)
- T1070.004 — File Deletion (defense-evasion)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1555.003 — Credentials from Web Browsers (credential-access)
- T1059.006 — Python (execution)
- T1003.001 — LSASS Memory (credential-access)
- T1046 — Network Service Discovery (discovery)
Total TTPs: 41