
Novel Hyper-V-targeted ransomware deployed by RedCurl


Hyper-V virtual machines have been targeted by Russian cyberespionage group RedCurl with its new QWCrypt ransomware, marking the operation's initial foray into ransomware, BleepingComputer reports.

According to findings from Bitdefender Labs researchers, the intrusion begins with malicious emails carrying IMG attachments disguised as CVs. Each IMG contains a screensaver file that is used to sideload the payload and establish persistence. RedCurl then distributes a custom wmiexec variant for lateral movement and the Chisel tool for tunneling and remote desktop protocol access, disables security defenses, and finally delivers the QWCrypt ransomware.

Further analysis of QWCrypt showed extensive command-line argument support, including options to exclude VMs that serve as network gateways and to enable intermittent encryption. Bitdefender noted that RedCurl's integration of ransomware may indicate it is operating as a third-party provider to other threat actors, or that it is attempting to covertly strengthen its income streams. "The RedCurl group's recent deployment of ransomware marks a significant evolution in their tactics. This departure from their established modus operandi raises critical questions about their motivations and operational objectives," said Bitdefender.
