Full Report
The nefarious cyber-espionage hacking collective tracked as EarthKapre or RedCurl APT has resurfaced to target legal sector organizations using Indeed-themed phishing. In the latest attack, adversaries notorious for highly sophisticated offensive capabilities applied reconnaissance commands and tools, exfiltrated data, and deployed the EarthKapre/RedCurl loader.

Detect RedCurl/EarthKapre APT Attacks

In 2024, state-sponsored cyber groups from China, […]

The post RedCurl/EarthKapre APT Attack Detection: A Sophisticated Cyber-Espionage Group Uses a Legitimate Adobe Executable to Deploy a Loader appeared first on SOC Prime.
Analysis Summary
# Threat Actor: RedCurl / EarthKapre
## Attribution & Identity
Sophisticated cyber-espionage group. The article uses two names for the same actor: RedCurl and EarthKapre.
## Activity Summary
The described activity centers on a recent technique in which the threat actor uses a legitimate Adobe executable to deploy a loader onto the victim's system. The loader then exfiltrates data, including system information collected by batch files.
## Tactics, Techniques & Procedures
- **Initial Access/Execution:** Uses a legitimate Adobe executable to deploy a loader.
- **Data Staging/Exfiltration:**
- HTTP request payloads are obfuscated with base64 encoding and XOR; decoding them reveals the stolen data.
- Steals the victim’s username, computer name, and a list of files/directories.
- Uses a batch file in the final stage to automate system info collection (user accounts, system data, disk information) and archiving for exfiltration.
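As an added illustration of the payload encoding described in the bullets above (base64 combined with XOR), not code from the SOC Prime article or from the malware: an analyst-side decoder in Python. The beacon body layout, the sample key and the `user=` field name are constructed assumptions, since the page gives neither the real key nor the real format; the key recovery generalizes beyond a single-byte key to any repeating XOR key no longer than the known prefix.

```python
import base64
from typing import Optional


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key (a 1-byte key is the degenerate case)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_payload(plaintext: bytes, key: bytes) -> str:
    """Forward direction as the summary describes it: XOR, then base64.
    Used here only to build the constructed samples."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_payload(b64_text: str, key: bytes) -> bytes:
    """Reverse direction: base64-decode, then XOR with the same key."""
    return xor_bytes(base64.b64decode(b64_text), key)


def recover_key(b64_text: str, known_prefix: bytes, max_key_len: int = 16) -> Optional[bytes]:
    """Known-plaintext recovery of a repeating XOR key.
    If the analyst knows how the beacon body starts (e.g. a fixed field name),
    key[i] = raw[i] ^ known[i] for the first len(key) bytes. The shortest key
    length whose repetition also reproduces the rest of the known prefix is
    taken as the period; None means no length up to the limit was consistent."""
    raw = base64.b64decode(b64_text)
    usable = min(len(known_prefix), len(raw))
    for key_len in range(1, min(max_key_len, usable) + 1):
        key = bytes(raw[i] ^ known_prefix[i] for i in range(key_len))
        if xor_bytes(raw[:usable], key) == known_prefix[:usable]:
            return key
    return None


# Constructed sample beacon body (not a real capture): the fields the summary
# says the loader steals (username, computer name, file listing).
SAMPLE_PLAINTEXT = b"user=jdoe|host=WKS-01|files=C:\\Users\\jdoe\\Documents;C:\\Users\\jdoe\\Desktop"
SAMPLE_KEY = bytes([0x5A])  # assumed single-byte key for the sample only
SAMPLE_B64 = encode_payload(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    # Analyst only assumes the body starts with the "user=" field.
    key = recover_key(SAMPLE_B64, b"user=")
    print("recovered key:", key.hex() if key else None)
    if key:
        print(decode_payload(SAMPLE_B64, key))
```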
## Targeting
- **Sectors:** The report excerpt above names legal sector organizations as the target of the latest campaign; the "cyber-espionage" designation implies organizations holding sensitive data more generally.
- **Geography:** Not specified in the provided excerpt.
- **Victims:** Not specifically named in the provided excerpt.
## Tools & Infrastructure
- **Malware families used:** A custom loader.
- **Infrastructure (C2, domains, IPs):** Command and Control (C2) infrastructure is hosted on Cloudflare, specifically utilizing Cloudflare Workers.
## Implications
RedCurl/EarthKapre is a sophisticated threat actor that abuses a legitimate Adobe binary to deploy its loader and obfuscates its payloads (base64 encoding combined with XOR) to conduct cyber-espionage, most likely targeting valuable intellectual property or sensitive organizational data for long-term intelligence gathering.
## Mitigations
- Implement Group Policy measures to prevent the automatic mounting of ISO/IMG files.
- Deploy Endpoint Detection and Response (EDR) solutions across all workstations and servers.
- Maintain continuous cyber vigilance against evolving APT attacks.