eSentire’s Threat Response Unit (TRU) has uncovered a new cyber espionage campaign leveraging a legitimate Adobe executable to sideload the EarthKapre/RedCurl loader. The attack specifically targeted a firm in the Legal Services industry, highlighting the group’s persistent focus on corporate espionage.
A Sophisticated Attack Chain
The TRU team said the initial foothold was gained through a phishing campaign, where targets received a PDF file masquerading as an Indeed job application.
The PDF contained links to a ZIP archive with an ISO image. Once the victim opened the image file, they encountered what appeared to be a CV file (“CV Applicant *.scr”), which in reality was a signed Adobe executable (“ADNotificationManager.exe”).
When executed, the file side-loaded a malicious DLL (netutils.dll), triggering the EarthKapre malware.
Advanced Espionage Tactics
Once inside the victim’s environment, EarthKapre executed a series of reconnaissance commands, leveraging SysInternals Active Directory Explorer to navigate corporate networks. The malefactors compressed and password-protected stolen data using 7-Zip, before exfiltrating it to a cloud storage provider known as Tab Digital via PowerShell PUT requests.
Further analysis by eSentire’s researchers revealed that the attack employed a series of sophisticated encryption techniques.
The first stage of the malware used a downloader with minimal detections on VirusTotal, employing AES decryption via bcrypt.dll APIs to decode strings and communicate with the attackers’ command-and-control (C2) infrastructure.
The malware also created a scheduled task to maintain persistence, disguising itself under the name “Google Corporation.”
A Growing List of Victims
EarthKapre, also dubbed RedCurl, has a history of targeting private-sector entities with espionage in mind. The use of job-themed phishing emails suggests that the group is honing its social engineering techniques to breach high-value legal and corporate targets.
TRU’s findings confirm that the adversaries remain highly adaptable, using living-off-the-land binaries (LOLBins) such as pcalua.exe and rundll32.exe to execute payloads while slipping through the security nets.
Mitigation and Response Strategies
eSentire quickly responded to this attack, sharing recommendations for businesses to protect themselves:
- Employee Awareness: Training staff to recognize phishing tactics, particularly those leveraging job application themes.
- Endpoint Protection: Blocking execution of unknown ISO and IMG files from email sources.
- Threat Intelligence: Using up-to-date threat intelligence feeds to uncover and block potential threats.
- Behavioral Analysis: Monitoring for suspicious scheduled tasks and unauthorized exfiltration attempts.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.