Hunting the hunter: BI.ZONE traces the footsteps of Red Wolf

BI.ZONE
4 min readJun 28, 2023

--

The cyber spies who had been on hiatus since 2022 make a surprising comeback. Red Wolf has been spotted penetrating company infrastructures for espionage purposes. By slowly moving forward in the compromised environments and not drawing much attention, the group managed to stay invisible for up to six months.

BI.ZONE Cyber Threat Intelligence team has detected a new campaign by Red Wolf, a hacker group that specializes in corporate espionage. Similar to its previous campaigns, the group continues to leverage phishing emails to gain access to the target organizations. To deliver malware on a compromised system, Red Wolf uses IMG files containing LNK files. By opening such a file an unsuspecting victim runs an obfuscated DLL file, which in its turn downloads and executes RedCurl.FSABIN on the victim's device. This enables the attackers to run commands in the compromised environment and transfer additional tools for post-exploitation.

Key findings

  • Red Wolf continues to use traditional malware delivery methods, such as phishing emails that contain links to download malicious files
  • In the campaign detected by BI.ZONE, the attackers used IMG files with malicious shortcuts to download and run RedCurl.FSABIN
  • The group’s arsenal includes its own framework as well as a number of conventional tools, such as LaZagne and AD Explorer. To address its post-exploitation objectives, the group actively uses PowerShell
  • Red Wolf focuses on corporate espionage and prefers to slowly move forward in the compromised IT infrastructure. By not drawing much attention, it can remain invisible for up to six months

Campaign

BI.ZONE Cyber Threat Intelligence team has unearthed a new campaign by the Red Wolf group (aka RedCurl) that has been active at least since June 2018 in Russia, Canada, Germany, Norway, Ukraine, and the United Kingdom.

The detected file (fig. 1) is an optical disk image. Once opened, it mounts onto the compromised system.

Fig. 1. Visible content of the disk image

The disk image contains an LNK file and a hidden folder #TEMP (fig. 2). The folder contains several DLL files, and only one of them has malicious content.

Fig. 2. Files in #TEMP

Opening the LNK file triggers the execution of rundll32 with the following parameters:

rundll32.exe #temp\mKdPDaed.dll,ozCutPromo

The DLL file opens a web page (fig. 3).

Fig. 3. Web page opened by the DLL file

After that, RedCurl.FSABIN gets downloaded from https://app-ins-001.amscloudhost[.]com:443/dn01 and stored at C:\Users\[user]\AppData\Local\VirtualStore\ under the name chrminst_[computer name in base64].exe. The strings in the file are encrypted with AES-128 CBC. The first part of the password for the key can be found directly in the malware sample, while the second one can be retrieved from the command line, for instance:

C:\Users\[redacted]\AppData\Local\VirtualStore\chrminst_[redacted].exe DOFBBdXC5DmPC

To achieve persistence in the compromised system, a task named ChromeDefaultBrowser_Agent_[computer name in base64] is created in the Windows Task Scheduler.

The backdoor uses Windows API to gather information on the number of processors, memory size, storage capacity, as well as information on the amount of time that passed since the launch of the operating system before the malware sample being launched. This checkup is needed to identify a virtual environment and bypass respective security and analysis tools. Once the checkup is completed, the backdoor sends information about the compromised system to the command-and-control server. This information includes the username, the computer name, the domain name, a list of files and folders in Program Files, Desktop, and AppData\Local, and the unique identifier. After that, the backdoor downloads the DLL and executes its exported function (in this case, yDNvu).

Conclusions

Despite the widely known attack techniques, Red Wolf still manages to bypass traditional defenses and minimize the likelihood of detection. By not drawing much attention, the group is able to remain unnoticed in the compromised infrastructure for a long time and achieve its goals.

How to detect the traces of Red Wolf

  1. Monitor the creation and mounting of small disk image files
  2. Pay attention to the DLL files run by rundll32 from #TEMP
  3. Track suspicious files run by the Windows Task Scheduler from C:\Users\[user]\AppData\Local
  4. Look for traces of network communications with subdomains *.amscloudhost[.]com
  5. Prioritize the detection of tactics, techniques, and procedures specific to Red Wolf

MITRE ATT&CK

Indicators of compromise

  • e7b881cd106aefa6100d0e5f361e46e557e8f2372bd36cefe863607d19471a04
  • 3bd054a5095806cd7e8392b749efa283735616ae8a0e707cdcc25654059bfe6b
  • 4188c953d784049dbd5be209e655d6d73f37435d9def71fd1edb4ed74a2f9e17
  • app-ins-001.amscloudhost[.]com
  • m-dn-001.amscloudhost[.]com
  • m-dn-002.amscloudhost[.]com

Detailed information about Red Wolf, its tactics, techniques, and procedures, as well as more indicators of compromise are available with BI.ZONE ThreatVision.

--

--

BI.ZONE

BI.ZONE: an expert in digital risks management. We help organizations around the world to develop their businesses safely in the digital age