Targeted BEC attacks steal business data in six countries, posing as HR

Workers prepare to hoist a piece of steel at Tower One site, Lower Manhattan, New York City, USA. Construction firms were among those whose business data was stolen in targeted BEC attacks in six countries. (Photo by Joe Woolhead/Construction Photography/Avalon/Getty Images)

A targeted business email compromise (BEC) orchestrated by the Russian-speaking RedCurl group has successfully stolen information in 14 successful attacks on a variety of businesses – mostly construction companies, financial and consulting firms, retailers, insurance businesses, law firms and travel – in six countries.

The attackers nicked employee profiles, client information and construction plans. RedCurl attempts to remain on a victim’s network as long as possibly, usually for two to six months, said Rustam Mirkasymov, a threat intelligence expert at Group-IB, which released a report on the campaign.

“We don’t know for sure, but our theory is that RedCurl was hired to gather business intelligence for the competitors of the companies attacked,” Mirkasymov explained. “These were very targeted attacks and they were strictly a business intelligence gathering operation for profit, not the work of a nation-state. In fact, the group made attacks on Russian companies.”

Mirkasymov said the spearphishing attacks date back to 2018 and were discovered in Russia, Ukraine, Canada, Germany, the U.K. and Norway. He said the emails displayed the targeted company’s address and logo and the sender’s address also featured the targeted company’s domain name.

“The attackers posed as members of the HR team at the targeted organization and sent out emails to multiple employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department,” Mirkasymov said.

In delivering the payload, RedCurl used archives, links to which were placed in the body of the email. Even though the links redirected to public cloud storage services, the way they were disguised tricked users into thinking that they were visiting the company’s official website, according to the report. The vast majority of tools used in RedCurl campaigns are Windows PowerShell scripts. For example, a PowerShell script was used to launch RedCurl.Dropper and set up cloud storage as a network drive.

“So the victims would click on what looked like a legitimate Office file or PDF document and then would connect to a legitimate cloud service where RedCurl would exfiltrate the data,” said Mirkasymov.

Mirkasymov said to counteract RedCurl, security teams need to disable PowerShell unless it’s absolutely required. He said for example, security pros can configure PowerShell to restrict connections to servers with SSL scrips and restrict PowerShell downloading remote files. Admins can also only restrict access to what’s on the organization’s white list.

Jamie Hart, cyber threat intelligence analyst at Digital Shadows, said security teams can mitigate the risk of RedCurl and similar BEC campaigns by taking a well-rounded approach to security that includes the following:

  • Ensure email addresses are legitimate. When receiving an email, especially from an internal department such as the HR department, make sure it comes from a genuine sender. Hovering the mouse over the sender’s address can reveal that an email address may actually originate from another address.
  • Call the alleged sender on the phone. RedCurl's phishing messages are often sent from an attacker-registered domain that resembles the target’s domain name and uses legitimate cloud services, so calling the internal department the email appears from decreases the potential for a legitimate email address to be used. Additionally, it eliminates the possibility of very similar email addresses being misread or mistaken for a legitimate one.
  • Educate employees about BECs, social engineering and spoofing. Training should include instructions on how to spot phishing emails, how to report suspicious emails and when to speak up about suspicious links or attachments.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.