Discover the new QWCrypt ransomware used by RedCurl in targeted hypervisor attacks. This article details their tactics, including DLL sideloading and LOTL abuse, and explores the group’s evolving cybercriminal activities.
Bitdefender Labs has revealed a shift in the operational strategies of the long-standing cyber threat group known as RedCurl. This group, also known as Earth Kapre or Red Wolf, has historically maintained a low profile, relying heavily on covert data exfiltration. It has now been linked to a new ransomware campaign, marking a dramatic change in their activities. This new ransomware strain, dubbed QWCrypt, targets hypervisors, effectively crippling infrastructure while maintaining a stealthy presence.
“This new ransomware…is previously undocumented and distinct from known ransomware families,” the report states.
This discovery prompts a reevaluation of RedCurl’s operational model, which has remained largely enigmatic since their emergence in 2018. The group’s targeting patterns further complicate their classification.
While telemetry data points to victims primarily in the United States, with further targets in Germany, Spain, and Mexico, other researchers have reported targets in Russia, a wide geographical scope atypical for state-sponsored actors. The absence of any historical evidence of RedCurl selling stolen data, a common practice in ransomware operations, adds to the mystery.
Living-off-the-Land (LOTL)
The group uses sophisticated techniques, including DLL sideloading and the abuse of Living-off-the-Land (LOTL) strategies, all while avoiding the use of public leak sites, a notable departure from typical ransomware operations.
The initial access vector used by RedCurl in their ransomware deployment remains consistent with their previous campaigns: phishing emails containing IMG files disguised as CV documents. These files, once opened, execute a malicious screensaver file, which in turn loads a malicious DLL. This DLL then downloads the final payload, using encrypted strings and legitimate Windows tools to evade detection.
Once inside the network, RedCurl employs lateral movement techniques, using WMI and other built-in Windows tools to gather intelligence and escalate access. The group’s use of a modified wmiexec tool, which bypasses SMB connections, and Chisel, a TCP/UDP tunneling tool, highlights their sophisticated approach.
The ransomware deployment itself is highly targeted. RedCurl uses batch files to disable endpoint security and launch the ransomware’s Go executable, rbcw.exe, which encrypts virtual machines using XChaCha20-Poly1305 encryption and excludes network gateways.
The file also includes a hardcoded personal ID for victim identification. The ransom note, researchers claim, is not original, but rather a compilation of sections from other ransomware groups. Additionally, the absence of a dedicated data leak site further complicates the understanding of RedCurl’s motives.
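The intrusion chain described above (screensaver launched from a mounted IMG attachment, DLL sideloaded from the same location, WMI-driven lateral movement, and a batch script disabling endpoint protection) maps onto a handful of endpoint telemetry checks. The following detector is an added example written for this article, not Bitdefender's code or anything from the report; the JSON-like event shape, its field names, the sample events and the placeholder service names are all constructed assumptions standing in for whatever EDR or Sysmon feed a defender actually has.

```python
"""Stage detectors for a RedCurl-style intrusion chain over process telemetry.

Added example (not Bitdefender's code). Event dicts mimic a Sysmon-like feed;
field names ("event", "image", "parent_image", "loaded", "signed", ...) are
assumptions chosen for this example.
"""
import ntpath
import re

# Constructed sample events: four malicious stages plus two benign controls.
SAMPLE_EVENTS = [
    # Stage 1: user opens a "CV" that is really a screensaver on a mounted IMG volume (E:).
    {"event": "process_create", "pid": 4120, "ppid": 1337,
     "image": r"E:\CV_Candidate.scr", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"E:\CV_Candidate.scr", "user": "corp\\jsmith"},
    # Stage 2: that process loads an unsigned DLL sitting next to it (sideloading).
    {"event": "image_load", "pid": 4120, "image": r"E:\CV_Candidate.scr",
     "loaded": r"E:\netutils.dll", "signed": False},
    # Benign control: a normal user application from the system directory.
    {"event": "process_create", "pid": 7000, "ppid": 1337,
     "image": r"C:\Windows\System32\notepad.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": "notepad.exe", "user": "corp\\jsmith"},
    # Stage 3: WMI provider host spawns a shell on a second machine (wmiexec-style execution).
    {"event": "process_create", "pid": 5120, "ppid": 880,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"cmd.exe /Q /c whoami", "user": "corp\\svc_admin"},
    # Benign control: a signed system DLL loaded from the system directory.
    {"event": "image_load", "pid": 5120, "image": r"C:\Windows\System32\cmd.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll", "signed": True},
    # Stage 4: batch script stops security services (service names are placeholders).
    {"event": "process_create", "pid": 6001, "ppid": 5120,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c sc stop PLACEHOLDER_EDR_SVC & net stop PLACEHOLDER_AV_SVC",
     "user": "corp\\svc_admin"},
]

SYSTEM_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Service-control and process-kill verbs typical of "disable the endpoint agent" scripts.
TAMPER_RE = re.compile(
    r"\b(?:sc(?:\.exe)?\s+(?:stop|config|delete)|net(?:\.exe)?\s+stop|taskkill(?:\.exe)?\s+/f)\b",
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    return path.lower()


def _base(path: str) -> str:
    return ntpath.basename(_norm(path))


def _dir(path: str) -> str:
    return ntpath.dirname(_norm(path))


def screensaver_from_mounted_image(ev: dict) -> bool:
    """Stage 1: explorer.exe launches a .scr from a volume other than the system drive.
    A mounted IMG attachment shows up as exactly such a drive letter."""
    if ev.get("event") != "process_create":
        return False
    image = _norm(ev["image"])
    return (image.endswith(".scr") and not image.startswith("c:\\")
            and _base(ev["parent_image"]) == "explorer.exe")


def dll_sideload(ev: dict) -> bool:
    """Stage 2: unsigned DLL loaded from the loading process's own directory,
    outside the protected system paths."""
    if ev.get("event") != "image_load":
        return False
    loaded = _norm(ev["loaded"])
    return (not ev.get("signed", True)
            and _dir(loaded) == _dir(ev["image"])
            and not loaded.startswith(SYSTEM_DIRS))


def wmi_spawned_shell(ev: dict) -> bool:
    """Stage 3: WmiPrvSE.exe as the parent of a command shell, the hallmark of
    command execution over WMI rather than interactive use."""
    return (ev.get("event") == "process_create"
            and _base(ev["parent_image"]) == "wmiprvse.exe"
            and _base(ev["image"]) in SHELLS)


def security_service_tamper(ev: dict) -> bool:
    """Stage 4: service stop/config/delete or forced kill on the command line."""
    return ev.get("event") == "process_create" and bool(TAMPER_RE.search(ev.get("cmdline", "")))


STAGES = [
    ("initial_access_scr", screensaver_from_mounted_image),
    ("dll_sideload", dll_sideload),
    ("wmi_lateral_movement", wmi_spawned_shell),
    ("defense_evasion_tamper", security_service_tamper),
]


def detect(events) -> list:
    """Return (stage, pid) pairs for every event matching a stage, in input order."""
    return [(name, ev["pid"]) for ev in events for name, check in STAGES if check(ev)]


def stages_seen(events) -> set:
    """Distinct stages observed; several distinct stages on one host is the escalation signal."""
    return {name for name, _ in detect(events)}


if __name__ == "__main__":
    for stage, pid in detect(SAMPLE_EVENTS):
        print(f"{stage:24s} pid={pid}")
```

Each check on its own will fire on benign administration now and then (a sysadmin does run `sc stop`); the useful alert is the correlation in `stages_seen`, where a `.scr` from a non-system drive, a sideloaded DLL and WMI-spawned shells show up on the same host within a short window.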
Bitdefender’s Hypotheses
Bitdefender proposes two possible hypotheses to explain RedCurl’s unconventional behaviour. The first suggests they may operate as “gun-for-hire” cyber mercenaries, explaining their diverse victimology and inconsistent operational patterns.
The second hypothesis posits that RedCurl prioritizes discreet, direct negotiations with victims, avoiding public attention to sustain extended, low-profile operations. This interpretation is supported by the group’s targeting of hypervisors while sparing network gateways, suggesting an effort to limit disruption and confine the attack to IT departments.
In conclusion, Bitdefender recommends a multilayered defense strategy, enhanced detection and response capabilities, and a focus on preventing LOTL attacks to mitigate the risks posed by groups like RedCurl. They also stress the importance of data protection, resilience, and advanced threat intelligence.