Cybercrime Syndicates Escalate Corporate Espionage Tactics

In the intricate world of cybersecurity, malicious actors continuously refine their stratagems to breach corporate sanctuaries. Among these malefactors lies the Russian-speaking cybercrime syndicate, RedCurl, also known as Earth Kapre or Red Wolf. This group has tightened its grip on the technological realm since 2018, deploying insidious espionage against global targets.

In a recent disclosure, RedCurl has been reported to abuse the Windows Program Compatibility Assistant (PCA), specifically leveraging the pcalua.exe, to perpetrate unauthorized actions while cloaking their presence. The use of the PCA tool, ordinarily a facilitator for running desktop applications from outdated Windows versions, has become a Trojan horse granting escalated privileges. Adversaries utilize this PCA tool to slip past defenses, exploiting its functions for compatibility modes to evade detection and persist in their clandestine operations.

Intriguingly, the group snares its victims through a veneer of legitimacy, sending out bait in the form of phishing emails. These treacherous messages carry harmful attachments. Once clicked, they trigger a sequence of events: the initiation of the cmd.exe for the download of a curl utility, followed by the PCA spawning a downloader process. The incorporation of legitimate tools such as PowerShell and Impacket allows malicious commands to seamlessly weave through network defenses. The Trend Micro MDR team has illuminated this pattern, highlighting the critical role of threat intelligence to unmask the intricate web of tactics employed by Earth Kapre.

Concurrently, the notorious Turla group plies its malevolence with new tools of the trade. Their creation, the Pelmeni wrapper, debuts to orchestrate the Kazuar backdoor, shrouding it beneath the mask of legitimate libraries through the clever ruse of DLL side-loading. Once launched, Kazuar burrows with cunning, escaping the scrutinizing gaze of cyber guardians. The Pelmeni’s utilization marks a subtle but trenchant evolution in Turla’s corporate espionage arsenal, further complicating the already labyrinthine cybersecurity battleground. Detailed insights into these maneuvers are crucial, provided by Lab52 analysts, exposing the intricate fabric of Turla’s operations adorned with unseen threads of malicious code.

With corporate espionage exhibiting such chameleon-like adaptability, it becomes paramount for organizations to arm themselves with awareness and fortified defenses. Employee education on phishing, rigorous updating and patching protocols are no longer add-ons but necessities. As the digital space becomes a battleground, vigilance and preparation emerge as the twin pillars holding the fragile fort of security, challenged incessantly by these digital marauders.