RedCurl Cybercrime Group Abuses Windows PCA Tool for Corporate Espionage

逆向病毒分析 1个月前 admin

12 0 0

The Russian-speaking cybercrime group called RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands.
名为RedCurl的俄语网络犯罪组织正在利用一个名为程序兼容性助手（PCA）的合法Microsoft Windows组件来执行恶意命令。

“The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs,” Trend Micro said in an analysis published this month.
“程序兼容性助手服务（pcalua.exe）是一项Windows服务，旨在识别和解决与旧程序的兼容性问题，”趋势科技在本月发表的一份分析中表示。

“Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities.”
“攻击者可以利用此实用程序启用命令执行，并通过将其用作替代命令行解释器来绕过安全限制。在这项调查中，威胁行为者使用此工具来掩盖他们的活动。

RedCurl, which is also called Earth Kapre and Red Wolf, is known to be active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.
RedCurl，也称为 Earth Kapre 和 Red Wolf，至少自 2018 年以来一直活跃，策划针对位于澳大利亚、加拿大、德国、俄罗斯、斯洛文尼亚、英国、乌克兰和美国的实体的企业网络间谍攻击。

In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company were targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information.
2023 年 7 月，F.A.C.C.T. 透露，2022 年 11 月和 2023 年 5 月，一家俄罗斯大型银行和一家澳大利亚公司成为威胁行为者的目标，以窃取机密公司机密和员工信息。

The attack chain examined by Trend Micro entails the use of phishing emails containing malicious attachments (.ISO and .IMG files) to activate a multi-stage process that starts with the use of cmd.exe to download a legitimate utility called curl from a remote server, which then acts as a channel to deliver a loader (ms.dll or ps.dll).
趋势科技检查的攻击链需要使用包含恶意附件（.ISO 和 .IMG 文件）来激活一个多阶段过程，该过程首先使用 cmd.exe 从远程服务器下载名为 curl 的合法实用程序，然后充当交付加载程序（ms.dll或ps.dll）的通道。

The malicious DLL file, in turn, leverages PCA to spawn a downloader process that takes care of establishing a connection with the same domain used by curl to fetch the loader.
反过来，恶意 DLL 文件利用 PCA 生成一个下载程序进程，该进程负责与 curl 用于获取加载程序的同一域建立连接。

Also used in the attack is the use of the Impacket open-source software for unauthorized command execution.
攻击中还使用Impacket开源软件进行未经授权的命令执行。

The connections to Earth Kapre stem from overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group.
与地球卡普雷的联系源于命令和控制（C2）基础设施的重叠，以及与该组织使用的已知下载器工件的相似之处。

“This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries,” Trend Micro said.
“此案凸显了Earth Kapre构成的持续和积极威胁，Earth Kapre是一个针对多个国家不同行业的威胁行为者，”趋势科技说。

“The actor employs sophisticated tactics, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its dedication to evading detection within targeted networks.”
“该行为者采用复杂的策略，例如滥用 PowerShell、curl 和程序兼容性助手（pcalua.exe）来执行恶意命令，展示了其在目标网络中逃避检测的奉献精神。”

The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun employing a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor.
这一发展正值被称为 Turla（又名 Iron Hunter、Pensive Ursa、Secret Blizzard、Snake、Uroburos、Venomous Bear 和 Waterbug）的俄罗斯民族国家组织开始使用代号为 Pelmeni 的新包装器 DLL 来部署 .基于 NET 的 Kazuar 后门。

Pelmeni – which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS – is loaded by means of DLL side-loading. Once this spoofed DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar, Lab52 said.
Pelmeni – 伪装成与 SkyTel、NVIDIA GeForce Experience、vncutil 或 ASUS 相关的库 – 通过 DLL 旁加载加载。Lab52 说，一旦这个欺骗性的 DLL 被安装在机器上的合法软件调用，它就会解密并启动 Kazuar。