RedCurl Deploys New QWCrypt Ransomware in Hypervisor Assaults

Uncover the emerging QWCrypt ransomware employed by the cybercriminal group RedCurl in targeted hypervisor attacks. This article outlines their strategies, including DLL sideloading and Living-off-the-Land (LOTL) techniques, while delving into the evolving landscape of the group’s cyber activities.

According to recent revelations from Bitdefender Labs, the notorious cyber threat group known as RedCurl, also referred to as Earth Kapre or Red Wolf, has undergone a significant transformation in its operational strategies. Traditionally characterized by a low-profile existence focused on covert data exfiltration, RedCurl is now associated with a new ransomware campaign that signifies a marked shift in its modus operandi. The ransomware strain, identified as QWCrypt, specifically targets hypervisors, thereby incapacitating vital infrastructure while maintaining an elusive presence.

“This new ransomware…is previously undocumented and stands apart from established ransomware families,” the report articulates, emphasizing the unique attributes of QWCrypt.

This new development prompts a critical reassessment of RedCurl’s operational framework, which has been largely enigmatic since the group emerged in 2018. The group’s selection of targets complicates any definitive classification of their activities.

Telemetry data indicates a primary focus on victims situated in the United States, with additional targets reported in Germany, Spain, and Mexico. Interestingly, some analysts have noted targets in Russia, indicating a broad geographical reach that is atypical for state-sponsored entities. Notably, there is no documented evidence of RedCurl engaging in the sale of stolen data, a common tactic within ransomware operations, which adds a layer of mystery to their motives.

Living-off-the-Land (LOTL)

The group has demonstrated a sophisticated operational approach, employing techniques such as DLL sideloading and exploiting Living-off-the-Land strategies, all while eschewing public leak sites—an approach that marks a significant departure from conventional ransomware practices.

In terms of their ransomware deployment, RedCurl’s initial access vector aligns with their historical methods: phishing emails containing IMG files disguised as CVs. When these files are activated, they initiate a malicious screensaver that loads a harmful DLL. This DLL is designed to retrieve the final ransomware payload while employing encrypted strings alongside legitimate Windows tools to evade detection.

Once within the target network, RedCurl engages in lateral movement tactics, leveraging Windows Management Instrumentation (WMI) and other native Windows tools to gather information and elevate their access privileges. Their sophisticated methods include utilizing a modified wmiexec tool that circumvents SMB connections, as well as Chisel, a TCP/UDP tunneling utility, which showcases their advanced techniques.

The ransomware delivery is notably precise. RedCurl utilizes batch files to disable endpoint security measures before executing the ransomware’s Go executable, known as rbcw.exe. This executable employs XChaCha20-Poly1305 encryption to encrypt virtual machines, strategically excluding network gateways to minimize collateral damage. The payload also embeds a hardcoded personal ID for victim identification. Interestingly, although the ransom note lacks originality, being a compilation from various ransomware groups, the absence of a dedicated data leak site further muddles the understanding of RedCurl’s intentions.
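A defender-side illustration of how the stages described above (a screensaver launched from a mounted image, that screensaver loading a DLL from a non-system path, WMI-spawned shells, and LOTL commands stopping security services) could be surfaced from endpoint telemetry. This is an added example, not code from Bitdefender or the article; the Sysmon-style event format, the rule names, the thresholds and the sample events are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (process_create and image_load); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process_create", "image": r"E:\CV_John_Smith.scr",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"E:\CV_John_Smith.scr"},
    {"host": "ws01", "type": "image_load", "image": r"E:\CV_John_Smith.scr",
     "loaded": r"E:\loader.dll"},  # placeholder DLL name, not from the report
    {"host": "hv01", "type": "process_create", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "cmd.exe /Q /c stop_av.bat"},
    {"host": "hv01", "type": "process_create", "image": r"C:\Windows\System32\net.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "net stop SecurityAgentSvc"},
    {"host": "ws02", "type": "process_create", "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
]

WINDOWS_DIR = re.compile(r"^[a-z]:\\windows\\", re.IGNORECASE)
STOP_SECURITY = re.compile(r"\b(sc|net)\s+stop\b|\btaskkill\b.*\s/f\b", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev):
    """Return the names of the heuristic rules (assumed for this example) an event matches."""
    hits = []
    if ev["type"] == "process_create":
        if basename(ev["image"]).endswith(".scr") and not WINDOWS_DIR.match(ev["image"]):
            hits.append("scr_outside_windows_dir")   # screensaver run from a mounted IMG or removable volume
        if basename(ev["parent"]) == "wmiprvse.exe" and basename(ev["image"]) in SHELLS:
            hits.append("wmi_spawned_shell")         # WMI-driven remote command execution
        if STOP_SECURITY.search(ev["cmdline"]):
            hits.append("security_service_stop")     # native tooling used to disable endpoint protection
    elif ev["type"] == "image_load":
        if basename(ev["image"]).endswith(".scr") and not WINDOWS_DIR.match(ev["loaded"]):
            hits.append("scr_loads_nonsystem_dll")  # DLL sideloading candidate
    return hits

def correlate(events):
    """Collect distinct rule hits per host; hosts with no hits are dropped."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    return {host: sorted(rules) for host, rules in per_host.items() if rules}

def escalate(events, min_rules=2):
    """Hosts matching at least min_rules distinct stages are worth an analyst's attention."""
    return sorted(h for h, rules in correlate(events).items() if len(rules) >= min_rules)
```

Single-rule hits are noisy on their own (an administrator stopping a service, a benign WMI job); requiring two distinct stages on one host is what makes the alert actionable.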

Bitdefender’s Hypotheses

Bitdefender has proposed two theories to elucidate RedCurl’s unconventional operations. The first suggests that they may function as “gun-for-hire” cyber mercenaries, which could explain their varied victim selection and erratic operational characteristics.

The second hypothesis theorizes that RedCurl aims to maintain a discreet profile while negotiating directly with victims, steering clear of public scrutiny to facilitate prolonged low-profile operations. This theory correlates with the group’s method of targeting hypervisors while deliberately leaving network gateways intact, signifying an intention to limit disruption primarily to IT departments.

In conclusion, Bitdefender advocates for a layered defense strategy that emphasizes enhanced detection and response capabilities as well as a concentration on preventing LOTL attacks. The organization stresses the critical importance of data protection, resilience, and advanced threat intelligence in mitigating the risks posed by groups such as RedCurl.
