Hackers Abuse Windows Feature: RedCurl’s Stealthy Attack

Trend Micro has unveiled novel cyberattack methodologies employed by the RedCurl group, which manipulates a legitimate Windows component to execute malevolent commands.

The Program Compatibility Assistant (PCA), designed to address compatibility issues with older programs, is now being exploited by malefactors to bypass security systems and covertly execute commands by using the tool as an alternative command-line interpreter.

RedCurl’s attack sequence involves phishing emails with malicious attachments in ISO and IMG formats to initiate a multistage process. This begins with downloading the curl utility from a remote server, which then serves as a conduit for delivering the loader (ms.dll or ps.dll).

The malicious DLL library, in turn, utilizes PCA to initiate the download process, establishing a connection with the same domain used by curl to download the loader. Additionally, cybercriminals employ the open-source software Impacket for unauthorized command execution.

Active since 2018 and first identified in 2019, the RedCurl group specializes in cyber espionage. The malefactors employ distinctive tools to pilfer business correspondence, personal employee data, and legal documents.