In a significant evolution of cyberattack strategies, the RedCurl threat actor group has introduced a new ransomware variant named QWCrypt, specifically designed to target Microsoft Hyper-V servers. This development underscores a shift towards more focused and efficient attack methodologies within the cybercriminal landscape.
Background on RedCurl
Active since 2018, RedCurl—also known as Earth Kapre or Red Wolf—has primarily engaged in corporate espionage and data exfiltration. Historically, the group has maintained a low profile, utilizing Living-off-the-Land (LotL) techniques that leverage legitimate system tools to avoid detection. Their operations have spanned various industries and countries, including Russia, Ukraine, the United Kingdom, Germany, Canada, and Norway.
Introduction of QWCrypt
The emergence of QWCrypt marks a notable tactical shift for RedCurl. Unlike traditional ransomware that indiscriminately encrypts all endpoint devices, QWCrypt focuses exclusively on hypervisors. By encrypting the Hyper-V hosts themselves, the malware can take down an entire virtualized estate with minimal effort while deliberately leaving network gateways untouched. The visible impact is therefore concentrated on IT departments: the network stays up, so there is no obvious outage, yet the critical systems running as virtual machines become inaccessible.
Infection Mechanism
The attack begins with sophisticated phishing emails containing IMG files disguised as CV documents. When a recipient opens the attachment, Windows mounts the IMG file as a virtual drive, displaying a file named CV APPLICANT 7802-91542.SCR. This file appears legitimate but is, in fact, a malicious executable.
Upon execution, the malware abuses DLL sideloading in legitimate Adobe executables: launching the SCR file causes a malicious netutils.dll to be loaded in place of the genuine Windows library of that name, initiating the attack chain. To distract the victim, a legitimate Indeed login page is opened in the browser at the same time.
The malicious DLL acts as a downloader, utilizing wininet.dll functions to retrieve the final payload from a command and control server. Persistence is established through a scheduled task named \BrowserSpec\BrowserSpec_, which executes the payload indirectly via a chain of legitimate Windows utilities—a classic example of Living-off-the-Land techniques.
Deployment and Execution
After gaining initial access and establishing persistence, the attackers deploy the ransomware through custom-crafted batch files tailored to the victim’s environment. The ransomware executes with parameters specifically targeting Hyper-V environments:
```
rbcw.exe --hv --excludeVM wingate,wingate,wingate --key %tkey% --nosd
```
This command instructs the malware to encrypt Hyper-V virtual machines while excluding network gateways, demonstrating the attackers’ deep understanding of the target infrastructure. The strategy ensures that victims maintain network connectivity but cannot access their virtualized infrastructure, facilitating discreet ransom negotiations.
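As an added example (not code from the original article or from any vendor report), the following Python script turns the behaviours described under Infection Mechanism and Deployment and Execution into hunting rules and runs them over constructed, Sysmon-style JSON event lines: netutils.dll loaded from outside a Windows system directory (the sideloading step), creation of the \BrowserSpec\BrowserSpec_ scheduled task, and a process command line carrying the --hv and --excludeVM switches. The event field names and the sample events are assumptions; the switches are assumed to be double hyphens that rendering turned into dashes.

```python
"""Hunt for the QWCrypt behaviours described above in constructed Sysmon-style JSON lines."""
import json
from pathlib import PureWindowsPath

# Indicators taken from the write-up above; the event field names below are assumptions.
TASK_NAME = "\\BrowserSpec\\BrowserSpec_"
SIDELOADED_DLL = "netutils.dll"
RANSOMWARE_ARGS = ("--hv", "--excludevm")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed sample telemetry, not real events.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"type": "ImageLoad", "image": "D:\\CV APPLICANT 7802-91542.SCR", "loaded": "D:\\netutils.dll"},
    {"type": "ImageLoad", "image": "C:\\Windows\\explorer.exe", "loaded": "C:\\Windows\\System32\\netutils.dll"},
    {"type": "TaskCreate", "task": "\\BrowserSpec\\BrowserSpec_"},
    {"type": "ProcessCreate", "cmdline": "rbcw.exe --hv --excludeVM wingate --key k --nosd"},
    {"type": "ProcessCreate", "cmdline": "cmd.exe /c dir"},
])

def classify(event):
    """Return a finding label for one event, or None if nothing matched."""
    kind = event.get("type")
    if kind == "ImageLoad":
        # Sideloading: the genuine netutils.dll lives only in the system directories.
        path = event.get("loaded", "")
        if (PureWindowsPath(path).name.lower() == SIDELOADED_DLL
                and not path.lower().startswith(SYSTEM_DIRS)):
            return "dll-sideload: netutils.dll loaded from a non-system path"
    elif kind == "TaskCreate":
        if event.get("task", "").lower() == TASK_NAME.lower():
            return "persistence: BrowserSpec scheduled task created"
    elif kind == "ProcessCreate":
        # Normalise en-dashes that copy/paste turns '--' into, then look for the Hyper-V switches.
        cmdline = event.get("cmdline", "").replace("\u2013", "--").lower()
        if all(arg in cmdline for arg in RANSOMWARE_ARGS):
            return "ransomware: Hyper-V targeted encryption command line"
    return None

def hunt(log_text):
    """Run classify() over every JSON line and return (event, label) findings."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            event = json.loads(line)
            label = classify(event)
            if label:
                findings.append((event, label))
    return findings
```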
Implications and Recommendations
The introduction of QWCrypt by RedCurl highlights the increasing sophistication of ransomware attacks targeting virtualized environments. Organizations utilizing Hyper-V servers should be particularly vigilant. To mitigate the risk of such targeted attacks, it is recommended to:
- Enhance Phishing Awareness: Conduct regular training sessions to educate employees about the dangers of phishing emails and the importance of verifying the authenticity of unexpected attachments.
- Implement Robust Security Measures: Utilize advanced endpoint detection and response (EDR) solutions capable of identifying and mitigating LotL techniques and other sophisticated attack vectors.
- Regularly Update and Patch Systems: Ensure that all software, especially hypervisor hosts such as Hyper-V, is up to date with the latest security patches to close potential vulnerabilities.
- Monitor Network Activity: Establish continuous monitoring of network traffic to detect unusual patterns that may indicate a breach or an ongoing attack.
By adopting these proactive measures, organizations can strengthen their defenses against the evolving threats posed by groups like RedCurl and their specialized ransomware variants.