In December 2022, Trend Micro researchers identified a suspicious executable (detected by Trend Micro as Trojan.MSIL.REDCAP.AD) that was dropped and executed on multiple machines. The investigation led them to attribute the attack to the advanced persistent threat (APT) group APT34; its main goal is to steal users' credentials. Even after a password reset or change, the malware is capable of sending the new credentials to the threat actors, so resetting passwords without first removing the implant from affected hosts does not cut off the attackers' access.
Moreover, after analyzing the backdoor variant deployed, we found the malware to be capable of a new exfiltration technique: the abuse of compromised mailbox accounts to send stolen data from internal mailboxes to external mail accounts controlled by the attackers. While not new as a technique, this is the first instance in which APT34 has used it for their campaign deployment. Following this analysis, it is highly likely that this campaign's routine is only a small part of a bigger chain of deployments.
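The mailbox-abuse exfiltration described above leaves a trace in mail transport logs: an internal mailbox that suddenly sends attachment-bearing mail to an external recipient it has never corresponded with, often in a burst. The following detection heuristic is an added example written for this page, not Trend Micro's code and not derived from the campaign's indicators. The tenant domain (corp.example), the size and burst thresholds, and the message-trace records are all constructed assumptions; the record layout is generic and does not follow any specific product's schema.

```python
"""
Heuristic detection of mailbox-based exfiltration: an internal mailbox that
starts sending attachment-bearing mail to an external domain it has never
mailed before. All records below are constructed for illustration; the
field layout is generic, not a specific product's message-tracking schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"          # assumed tenant domain
MIN_SUSPICIOUS_BYTES = 200_000            # assumed size threshold for "bulk" mail
BURST_WINDOW = timedelta(minutes=30)      # assumed window for burst scoring
BURST_COUNT = 3                           # assumed hits-per-window for "automated"


@dataclass(frozen=True)
class Trace:
    ts: datetime
    sender: str
    recipient: str
    size: int          # message size in bytes
    attachments: int   # number of attachments


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def is_internal(addr: str) -> bool:
    return domain(addr) == INTERNAL_DOMAIN


def build_baseline(history):
    """Map each internal sender to the external domains it has mailed before."""
    baseline = defaultdict(set)
    for t in history:
        if is_internal(t.sender) and not is_internal(t.recipient):
            baseline[t.sender.lower()].add(domain(t.recipient))
    return baseline


def find_exfil_candidates(baseline, recent):
    """Return (sender, recipient_domain, max_hits_in_window, is_burst) for each
    internal sender that mails attachments (or bulk mail) to an external domain
    absent from its baseline. is_burst is True when BURST_COUNT or more such
    messages fall inside one BURST_WINDOW, which suggests an automated routine
    rather than a one-off message."""
    hits = defaultdict(list)
    for t in sorted(recent, key=lambda x: x.ts):
        if not is_internal(t.sender) or is_internal(t.recipient):
            continue                                    # only internal -> external
        rdom = domain(t.recipient)
        if rdom in baseline.get(t.sender.lower(), set()):
            continue                                    # known correspondent
        if t.attachments == 0 and t.size < MIN_SUSPICIOUS_BYTES:
            continue                                    # small, attachment-free mail
        hits[(t.sender.lower(), rdom)].append(t.ts)

    alerts = []
    for (sender, rdom), times in hits.items():          # times are already sorted
        best = 0
        for i, start in enumerate(times):               # densest BURST_WINDOW
            best = max(best, sum(1 for u in times[i:] if u - start <= BURST_WINDOW))
        alerts.append((sender, rdom, best, best >= BURST_COUNT))
    return alerts


# Constructed sample data: a 'history' window to learn normal correspondents
# and a 'recent' window to scan.
T0 = datetime(2022, 12, 5, 9, 0)
HISTORY = [
    Trace(T0 - timedelta(days=d), "alice@corp.example", "partner@vendor.example", 50_000, 1)
    for d in range(1, 8)
]
RECENT = [
    Trace(T0, "alice@corp.example", "partner@vendor.example", 90_000, 1),       # known, ignored
    Trace(T0 + timedelta(minutes=1), "bob@corp.example", "drop@freemail.example", 400_000, 1),
    Trace(T0 + timedelta(minutes=6), "bob@corp.example", "drop@freemail.example", 380_000, 1),
    Trace(T0 + timedelta(minutes=11), "bob@corp.example", "drop@freemail.example", 410_000, 1),
    Trace(T0 + timedelta(minutes=15), "carol@corp.example", "friend@other.example", 1_000, 0),  # benign
    Trace(T0 + timedelta(minutes=20), "alice@corp.example", "new@unknown.example", 30_000, 1),
]


def run_example():
    return find_exfil_candidates(build_baseline(HISTORY), RECENT)


if __name__ == "__main__":
    for sender, rdom, n, burst in run_example():
        print(f"{sender} -> {rdom}: {n} hit(s) in window, burst={burst}")
```

Against the constructed data this flags bob's three attachment-bearing messages to a new external domain as a burst and alice's single message to an unseen domain as a low-confidence hit, while ignoring her established vendor correspondence and carol's small text-only mail. In production the baseline window should be long enough to cover normal business correspondence, and the alert should be enriched with the sender's recent authentication events, since the page's campaign pairs this exfiltration with credential theft from the same accounts.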
Source: Trend Micro