Summary: The eSentire Threat Response Unit uncovered a sophisticated cyber espionage campaign conducted by the RedCurl/EarthKapre threat group, targeting private-sector organizations with a multi-stage attack chain. Using DLL sideloading techniques and cloud-based infrastructure, the attackers gain initial access through a seemingly innocuous job application email. Once inside the victim's environment, they collect and exfiltrate data while maintaining stealth through encryption and the abuse of legitimate tools.
Affected: Private-sector organizations
Key points:
- The attack initiates through a spam email with an Indeed-themed PDF, leading victims to download a malicious ZIP archive.
- RedCurl/EarthKapre employs a multi-stage attack with advanced encryption techniques, including the use of bcrypt.dll APIs and AES encryption for payload delivery.
- Data exfiltration is carried out via PowerShell to cloud storage services, blending in with normal traffic to evade detection.