Targeted BEC attacks steal business data in 6 countries, after pretending to be HR!

Targeted BEC attacks steal business data in 6 countries, after pretending to be HR!

A targeted business email compromise (BEC) traced back to the Russian-speaking RedCurl group has successfully taken information in 14 successful attacks on a number of businesses.

These were mainly construction companies, financial & consulting firms, retailers, insurance businesses, law firms & travel, in 6 countries.

The attackers stole employee profiles, client information & construction plans. RedCurl attempts to remain on a victim’s network as long as they can, usually for 2 to 6 months, observed Rustam Mirkasymov, a threat intelligence expert at Group-IB, which has released a report on the campaign.

Business Intelligence

“We don’t know for sure, but our theory is that RedCurl was hired to gather business intelligence for the competitors of the companies attacked,” Mirkasymov explained. “These were very targeted attacks & they were strictly a business intelligence gathering operation for profit, not the work of a nation-state. In fact, the group made attacks on Russian companies.”

Mirkasymov outlined that the spearphishing attacks date back to 2018 & were discovered in Russia, Ukraine, Canada, Germany, the UK & Norway. He further explained the emails displayed the targeted company’s address & logo & the sender’s address also used the targeted company’s domain name.

HR Team

“The attackers posed as members of the HR team at the targeted organisation & sent out emails to multiple employees simultaneously, which made the employees less watchful, especially because that many of them worked in the same department,” Mirkasymov observed.

In delivery, RedCurl used archives, links to which were placed inside the body of the email.

Public Cloud

Although the links redirected to public cloud storage services, the means by which were disguised fooled users into thinking that they were visiting the company’s official website, according to the report.

The vast majority of tools used in RedCurl campaigns are Windows PowerShell scripts. For example, a PowerShell script was used to launch RedCurl.Dropper & set up cloud storage as a network drive.


“So, the victims would click on what looked like a legitimate Office file or PDF document & then would connect to a legitimate cloud service where RedCurl would exfiltrate the data,” outlined Mirkasymov.

Mirkasymov counselled that to counteract RedCurl, security teams must disable PowerShell unless it is absolutely required.

He explained, for example, security pros can configure PowerShell to limit connections to servers with SSL scrips, & restrict PowerShell downloading remote files. Admins can also only restrict access to what is on the organisation’s ‘white list’.


Jamie Hart, Cyber Threat Intelligence Analyst at Digital Shadows, explained that security teams can mitigate the risk of RedCurl, & similar BEC campaigns by taking a wide approach to security that takes in the following:

  • Ensure email addresses are legitimate. When receiving an email, especially from an internal department such as the HR depart., make sure it comes from a genuine sender. Hovering the mouse over the sender’s address can show that an email address may actually originate from another address.
  • Call the alleged sender on the phone. RedCurl’s phishing messages are often sent from an attacker-registered domain that resembles the target’s domain name, & uses legitimate cloud services, so calling the internal department the email appears from decreases the potential for a legitimate email address to be used. Also, it eliminates the possibility of very similar email addresses being misread or mistaken for a legitimate one.
  • Educate employees regarding BECs, social engineering & spoofing. Training should include instructions on how to spot phishing emails, how to report suspicious emails & when to speak-up about suspicious links or attachments.