RedCurl
Associated Group Descriptions

| Name | Description |
|---|---|
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1087.001 | Account Discovery: Local Account | RedCurl has collected information about local accounts.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1087.002 | Account Discovery: Domain Account | RedCurl has collected information about domain accounts using Sysinternals AdExplorer.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1087.003 | Account Discovery: Email Account | RedCurl has collected information about email accounts.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | RedCurl has used HTTP, HTTPS and WebDAV for C2 communications.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | RedCurl has downloaded 7-Zip to decompress password-protected archives.(Citation: trendmicro_redcurl) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | RedCurl has established persistence by creating entries under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | RedCurl has used PowerShell to execute commands and to download malware.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | RedCurl has used the Windows Command Prompt to execute commands.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | RedCurl has used VBScript to run malicious files.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1059.006 | Command and Scripting Interpreter: Python | RedCurl has used a Python script to establish outbound communication and to execute commands over SMB (TCP port 445).(Citation: trendmicro_redcurl) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | RedCurl has used LaZagne to obtain passwords from web browsers.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1587.001 | Develop Capabilities: Malware | RedCurl has created its own tools for use during operations.(Citation: therecord_redcurl) |
| Enterprise | T1114.001 | Email Collection: Local Email Collection | RedCurl has collected emails for use in future phishing campaigns.(Citation: group-ib_redcurl1) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | RedCurl has used AES-128 in CBC mode to encrypt C2 communications.(Citation: group-ib_redcurl2) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | RedCurl has used HTTPS for C2 communication.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1564.001 | Hide Artifacts: Hidden Files and Directories | RedCurl has set the "hidden" file attribute on the original files so that victims would instead click on the malicious LNK files placed beside them.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | RedCurl has deleted files after execution.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl) |
| Enterprise | T1056.002 | Input Capture: GUI Input Capture | RedCurl has prompted users for credentials through a Microsoft Outlook-styled pop-up.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | RedCurl has mimicked legitimate file and scheduled task names, e.g. `MicrosoftCurrentupdatesCheck` and `MdMMaintenenceTask`, to mask its malicious files and scheduled tasks.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | RedCurl has used LaZagne to obtain passwords from memory.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | RedCurl has used phishing emails with malicious attachments to gain initial access.(Citation: group-ib_redcurl1)(Citation: trendmicro_redcurl) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | RedCurl has used phishing emails with malicious links to gain initial access.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | RedCurl has created scheduled tasks for persistence.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl) |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | RedCurl has used rundll32.exe to execute malicious files.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl) |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | RedCurl has used LaZagne to obtain passwords stored in files.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1552.002 | Unsecured Credentials: Credentials in Registry | RedCurl has used LaZagne to obtain passwords stored in the Registry.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1204.001 | User Execution: Malicious Link | RedCurl has used malicious links to infect victim machines.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
| Enterprise | T1204.002 | User Execution: Malicious File | RedCurl has used malicious files to infect victim machines.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)(Citation: trendmicro_redcurl) |
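The Run-key persistence (T1547.001), the Microsoft-lookalike task names (T1036.005) and the scheduled-task persistence (T1053.005) in the table above can be hunted together in endpoint telemetry. The following is an added example written for this page, not code from the cited Group-IB or Trend Micro reports: it scores constructed Sysmon Event ID 13 (registry value set) and Security Event ID 4698 (scheduled task created) records. The value and task names reuse the lookalikes quoted in the table; the SID, host name, DLL and script paths are hypothetical, and the lookalike word list and the scoring threshold are heuristic assumptions.

```python
"""Hunt for RedCurl-style persistence in Windows endpoint telemetry.

Added example (not code from the cited reports). Scores two record kinds:
  * Sysmon Event ID 13 (registry value set) under HKCU ...\CurrentVersion\Run
  * Security Event ID 4698 (scheduled task created) carrying the task XML
Every path, host name and SID below is constructed for illustration.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Sysmon logs HKCU as HKU\<SID>\..., so match on the subkey path only.
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# Script hosts / proxy binaries RedCurl chains into (T1218.011, T1059.001/.003/.005)
PROXY_BINARIES = ("rundll32.exe", "powershell.exe", "pwsh.exe", "cmd.exe",
                  "wscript.exe", "cscript.exe", "mshta.exe")
# User-writable locations an autostart entry should rarely point into
USER_WRITABLE = re.compile(
    r"\\(appdata|programdata|temp|tmp|users\\[^\\]+\\(downloads|desktop|documents))\\", re.I)
# Heuristic (assumption): words that make a task name look like a Microsoft job
MICROSOFT_LOOKALIKE = re.compile(r"microsoft|windows|mdm|updat|maint|defender", re.I)
TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
SUSPICION_THRESHOLD = 2  # a bare Run-key write on its own is too common to report


@dataclass
class Finding:
    host: str
    kind: str          # "run_key" or "scheduled_task"
    name: str
    command: str
    reasons: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.reasons)


def command_reasons(cmd: str) -> list:
    """Return the suspicious traits of one autostart command line."""
    low = cmd.lower()
    reasons = []
    if any(b in low for b in PROXY_BINARIES):
        reasons.append("invokes script host or proxy binary")
    if USER_WRITABLE.search(cmd):
        reasons.append("targets user-writable path")
    if re.search(r"-e(nc(odedcommand)?)?\s", low) or " -w hidden" in low or "-windowstyle hidden" in low:
        reasons.append("hidden/encoded PowerShell")
    return reasons


def task_command_lines(task_xml: str) -> list:
    """Extract '<Command> <Arguments>' from every Exec action of a task's XML."""
    root = ET.fromstring(task_xml)
    lines = []
    for action in root.iter(TASK_NS + "Exec"):
        cmd = (action.findtext(TASK_NS + "Command") or "").strip()
        args = (action.findtext(TASK_NS + "Arguments") or "").strip()
        lines.append((cmd + " " + args).strip())
    return lines


def analyze(events: list) -> list:
    """Score each event; return findings at or above threshold, highest first."""
    findings = []
    for ev in events:
        if ev["EventID"] == 13 and RUN_KEY.search(ev["TargetObject"]):
            f = Finding(ev["Computer"], "run_key",
                        ev["TargetObject"].rsplit("\\", 1)[-1], ev["Details"])
            f.reasons.append("value written under a Run key")
            f.reasons += command_reasons(ev["Details"])
        elif ev["EventID"] == 4698:
            cmdline = " && ".join(task_command_lines(ev["TaskContent"]))
            f = Finding(ev["Computer"], "scheduled_task", ev["TaskName"], cmdline)
            if (MICROSOFT_LOOKALIKE.search(ev["TaskName"])
                    and not ev["TaskName"].lower().startswith("\\microsoft\\")):
                f.reasons.append("Microsoft-lookalike task name outside \\Microsoft\\")
            f.reasons += command_reasons(cmdline)
        else:
            continue
        if f.score >= SUSPICION_THRESHOLD:
            findings.append(f)
    return sorted(findings, key=lambda x: -x.score)


# Constructed sample telemetry (hypothetical SID, host, and paths)
SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
TASK_XML = ('<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            '<Actions><Exec><Command>{cmd}</Command><Arguments>{args}</Arguments></Exec></Actions></Task>')
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "WS-FIN-07",
     "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicrosoftCurrentupdatesCheck",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Roaming\Microsoft\Updates\upd.dll,Start"},
    {"EventID": 13, "Computer": "WS-FIN-07",
     "TargetObject": "HKU\\" + SID + "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
     "Details": r'"C:\Program Files\Vendor\Agent.exe" /background'},
    {"EventID": 4698, "Computer": "WS-FIN-07", "TaskName": r"\MdMMaintenenceTask",
     "TaskContent": TASK_XML.format(cmd="powershell.exe",
                                    args=r"-w hidden -ep bypass -File C:\ProgramData\MdM\maint.ps1")},
    {"EventID": 4698, "Computer": "WS-FIN-07",
     "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan",
     "TaskContent": TASK_XML.format(cmd=r"%systemroot%\system32\usoclient.exe", args="StartScan")},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.score}] {f.host} {f.kind} {f.name!r}: {f.command}\n      " + "; ".join(f.reasons))
```

On the sample the lookalike task scores 4 and the rundll32 Run-key entry 3, while the vendor agent's Run-key write (score 1) and the genuine `\Microsoft\Windows\UpdateOrchestrator` task (score 0) stay below threshold. In production the user-writable-path rule needs an allowlist, since per-user installers such as OneDrive legitimately autostart from `AppData`.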
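The WebDAV-over-HTTP(S) command channel in the T1071.001 row is visible in proxy logs even when the payload is encrypted (T1573.001). The following is an added example written for this page, not code from the cited reports: it groups a constructed, space-separated proxy log by client and destination, flags WebDAV verbs to hosts outside an allowlist, flags the Windows WebClient (Mini-Redirector) user agent reaching an external host, and measures how regular the request spacing is. The host names, IP addresses, the allowlist and the regularity threshold are all assumptions; the reports do not say which WebDAV client RedCurl used, so the user-agent rule is a generic heuristic rather than a RedCurl indicator.

```python
"""Spot WebDAV/HTTP command-and-control sessions in a proxy log.

Added example for this page (not code from the cited reports). Input lines are
constructed in the form:  ts src method url "user-agent" bytes
Per (client, destination) pair it applies:
  * WebDAV verbs (PROPFIND, MKCOL, ...) to a host outside the allowlist
  * Windows WebClient user agent to a non-allowlisted host (heuristic)
  * regular spacing: coefficient of variation of inter-request gaps
    (assumption: beacons jitter little; pollers will also trip this rule)
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)" (\d+)$')
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "MOVE", "COPY"}
ALLOWED_WEBDAV_HOSTS = {"sharepoint.corp.example", "dav.corp.example"}  # assumed legit endpoints
MIN_REQUESTS = 4        # need this many requests before judging regularity
MAX_INTERVAL_CV = 0.2   # stdev/mean of gaps below this counts as regular


def parse_line(line):
    """Parse one log line into a dict; return None for malformed input."""
    m = LINE.match(line.strip())
    if not m:
        return None
    ts, src, method, url, ua, size = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method.upper(),
            "host": urlsplit(url).hostname or "", "ua": ua, "bytes": int(size)}


def interval_stats(times):
    """Mean and coefficient of variation of the gaps between sorted timestamps."""
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    mean = statistics.mean(gaps)
    return mean, (statistics.pstdev(gaps) / mean if mean else None)


def detect(lines):
    """Return one finding per (client, host) pair showing WebDAV C2 traits."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            sessions[(rec["src"], rec["host"])].append(rec)
    findings = []
    for (src, host), recs in sessions.items():
        if host in ALLOWED_WEBDAV_HOSTS:
            continue
        methods = Counter(r["method"] for r in recs)
        dav = sum(n for m, n in methods.items() if m in WEBDAV_METHODS)
        reasons = []
        if dav:
            reasons.append(f"{dav} WebDAV request(s) to non-allowlisted host")
        if any(r["ua"].startswith("Microsoft-WebDAV-MiniRedir") for r in recs):
            reasons.append("Windows WebClient (Mini-Redirector) talking to external host")
        mean, cv = interval_stats([r["ts"] for r in recs])
        if reasons and len(recs) >= MIN_REQUESTS and cv is not None and cv < MAX_INTERVAL_CV:
            reasons.append(f"regular interval ~{mean:.0f}s (cv={cv:.2f})")
        if reasons:
            findings.append({"src": src, "host": host, "requests": len(recs),
                             "methods": dict(methods), "mean_interval": mean,
                             "bytes_out": sum(r["bytes"] for r in recs), "reasons": reasons})
    return findings


# Constructed proxy log: one beaconing client, one browser session, one legit share
SAMPLE_LOG = """\
2024-03-04T09:00:00 10.0.0.15 PROPFIND https://files.example-cdn.net/dav/ "Microsoft-WebDAV-MiniRedir/10.0.19045" 512
2024-03-04T09:00:03 10.0.0.22 GET https://www.example-news.net/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64)" 48211
2024-03-04T09:05:02 10.0.0.15 PROPFIND https://files.example-cdn.net/dav/ "Microsoft-WebDAV-MiniRedir/10.0.19045" 512
2024-03-04T09:06:10 10.0.0.22 PROPFIND https://sharepoint.corp.example/sites/finance/ "Microsoft-WebDAV-MiniRedir/10.0.19045" 2048
2024-03-04T09:09:58 10.0.0.15 PROPFIND https://files.example-cdn.net/dav/ "Microsoft-WebDAV-MiniRedir/10.0.19045" 512
2024-03-04T09:15:01 10.0.0.15 PROPFIND https://files.example-cdn.net/dav/ "Microsoft-WebDAV-MiniRedir/10.0.19045" 512
2024-03-04T09:20:00 10.0.0.15 PUT https://files.example-cdn.net/dav/out/WS-FIN-07.bin "Microsoft-WebDAV-MiniRedir/10.0.19045" 40960
"""

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG.splitlines()):
        print(f"{f['src']} -> {f['host']}: {f['requests']} requests, {f['methods']}")
        for r in f["reasons"]:
            print("   ", r)
```

The beaconing client checks in every five minutes with a few seconds of jitter and finishes with a PUT, which is how a WebDAV share doubles as an upload channel; the regularity rule is only applied to sessions that already carry a WebDAV indicator, otherwise every software updater polling on a timer would be reported.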
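The lure described in the T1564.001 and T1204.002 rows, the original file given the hidden attribute and a malicious LNK left in its place, can be spotted from a directory listing alone. The following is an added example written for this page, not code from the cited reports: it pairs each visible `.lnk` with a hidden sibling of the same name, additionally flags shortcuts whose visible name ends in a document extension (what Explorer shows once known extensions are hidden), and includes a helper that reads the Hidden attribute through `os.scandir` on Windows. The file names in the constructed listing are hypothetical.

```python
"""Find the hidden-original / visible-LNK lure in a folder listing.

Added example for this page (not code from the cited reports). Rules:
  * a visible X.lnk next to a hidden file named X  -> original was hidden
  * a visible name that ends in a document extension before '.lnk'
    (e.g. 'Report.docx.lnk') -> shortcut masquerades as a document
The listing at the bottom is constructed for illustration.
"""
import os
import stat

DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".pdf", ".rtf", ".txt")


def find_lnk_lures(entries):
    """entries: iterable of (filename, is_hidden). Returns a list of findings."""
    entries = list(entries)
    hidden = {name.lower() for name, is_hidden in entries if is_hidden}
    findings = []
    for name, is_hidden in entries:
        low = name.lower()
        if is_hidden or not low.endswith(".lnk"):
            continue
        shown = name[:-4]  # what the user sees with 'hide known extensions' on
        reasons = []
        if shown.lower() in hidden:
            reasons.append(f"hidden original {shown!r} sits beside the shortcut")
        if shown.lower().endswith(DOC_EXTENSIONS):
            reasons.append("shortcut masquerades as a document")
        if reasons:
            findings.append({"lnk": name, "shown_as": shown, "reasons": reasons})
    return findings


def list_with_hidden_flag(path):
    """Read one directory and report the Windows Hidden attribute per entry.

    st_file_attributes exists only on Windows; elsewhere every entry reads as
    not hidden, so only the document-extension rule can fire there.
    """
    out = []
    with os.scandir(path) as it:
        for entry in it:
            attrs = getattr(entry.stat(follow_symlinks=False), "st_file_attributes", 0)
            out.append((entry.name, bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)))
    return out


# Constructed listing of a network share after the lure was planted
SAMPLE_LISTING = [
    ("Q1_Bonus_Plan.xlsx", True),       # original, now hidden
    ("Q1_Bonus_Plan.xlsx.lnk", False),  # lure, shown as 'Q1_Bonus_Plan.xlsx'
    ("Contract_2024.pdf", True),
    ("Contract_2024.pdf.lnk", False),
    ("Team_Photo.jpg", False),          # untouched file
    ("Budget.lnk", False),              # ordinary shortcut, no hidden twin
]

if __name__ == "__main__":
    for f in find_lnk_lures(SAMPLE_LISTING):
        print(f["lnk"], "shown as", repr(f["shown_as"]), "->", "; ".join(f["reasons"]))
    # On a live Windows share: find_lnk_lures(list_with_hidden_flag(r"\\server\share"))
```

Run against a live share with `find_lnk_lures(list_with_hidden_flag(path))`; the pairing rule is the strong signal, since a legitimate shortcut rarely has a hidden file of exactly the same name next to it.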