Russian APT Exploits Windows Hyper-V for Enhanced Persistence and Malware Deployment

Cyberespionage groups are consistently innovating to secure long-term access to compromised systems, exemplified by the Russian APT group known as Curly COMrades. This group has recently been documented employing a novel method to hide their malware tools by deploying Linux-based virtual machines (VMs) on infected Windows 10 machines.

According to researchers from Bitdefender, the attackers enabled the Hyper-V feature on targeted systems, allowing them to create a streamlined, Alpine Linux-based VM that hosts their custom reverse shell, dubbed CurlyShell, alongside a reverse proxy known as CurlCat. This technique utilizes Windows’ Hyper-V, a bare-metal hypervisor, making it harder for traditional endpoint detection and response (EDR) tools to identify malicious activities.

Curly COMrades, which was first identified in August due to its attacks on key government and judicial bodies in Moldova and Georgia, has been notably innovative. The group’s moniker is a nod to their frequent use of the curl.exe tool and their manipulation of Component Object Model (COM) objects to maintain persistence on compromised systems.

The group’s infiltration methods include embedding malware into scheduled tasks executed by the Microsoft Native Image Generator (NGEN). Their use of Hyper-V was uncovered during continued investigations aided by the Georgian CERT, which assisted in analyzing compromised systems.

One significant advantage of isolating the malware within a VM is the evasion of many conventional host-based EDR detections, as noted by Bitdefender researchers. They emphasized that organizations need to enhance EDR systems and incorporate host-based network inspection to detect command and control (C2) traffic escaping from the VM.

Logs from affected systems revealed that, to enable the Hyper-V feature covertly, the attackers used the Windows Deployment Image Servicing and Management (DISM) command-line tool rather than the graphical settings, and that they disabled Hyper-V’s graphical management interface to reduce the chances of detection. They then downloaded and extracted a RAR archive disguised as an MP4 file, which contained the files needed to set up the Alpine Linux VM.

The attackers named the virtual machine "WSL", a name chosen to mislead: Windows Subsystem for Linux (WSL) is a commonly used feature among developers, so the name is unlikely to draw scrutiny. The lightweight VM, occupying only 120MB of disk space and 256MB of memory, runs their custom implants, CurlyShell and CurlCat. The former establishes a reverse shell, while the latter tunnels SSH traffic to help evade detection.
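A defender-side hunt for the pattern described above (Hyper-V enabled via DISM with its management client disabled, and a tiny VM posing as WSL), written as an added example that is not part of the Bitdefender report or the group's tooling. It assumes an elevated PowerShell session on Windows 10, that the Hyper-V PowerShell module is available once the feature is enabled, and that `dism.log` records the command line used to enable features.

```powershell
# Added example (not from the original article): hunt for Hyper-V abuse
# indicators matching the reported tradecraft on a Windows 10 host. Run elevated.
$findings = @()

# 1. The hypervisor enabled while its GUI management client is disabled is an
#    unusual combination on a workstation and matches the described technique.
$platform = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V
$guiTools = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-Management-Clients
if ($platform.State -eq 'Enabled') {
    $findings += 'Hyper-V platform is enabled on this workstation'
    if ($guiTools.State -ne 'Enabled') {
        $findings += 'Hyper-V GUI management client is disabled while the hypervisor is enabled'
    }
}

# 2. Evidence that the feature was enabled from the DISM command line.
#    Assumption: dism.log records the executed command line.
$dismLog = Join-Path $env:windir 'Logs\DISM\dism.log'
if (Test-Path $dismLog) {
    Select-String -Path $dismLog -Pattern 'enable-feature.*hyper-v' |
        ForEach-Object { $findings += "DISM log: $($_.Line.Trim())" }
}

# 3. Enumerate VMs; flag names that impersonate WSL and footprints as small as
#    the reported VM (256 MB of RAM, roughly 120 MB on disk).
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    foreach ($vm in Get-VM) {
        $reasons = @()
        if ($vm.Name -match '^wsl') { $reasons += 'name mimics Windows Subsystem for Linux' }
        if ($vm.MemoryStartup -le 512MB) {
            $reasons += "startup memory is only $([int]($vm.MemoryStartup / 1MB)) MB"
        }
        foreach ($disk in Get-VMHardDiskDrive -VMName $vm.Name) {
            $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
            if ($vhd -and $vhd.FileSize -le 512MB) {
                $reasons += "disk $($disk.Path) is only $([int]($vhd.FileSize / 1MB)) MB"
            }
        }
        if ($reasons) {
            $findings += "VM '$($vm.Name)' ($($vm.State)): " + ($reasons -join '; ')
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No Hyper-V indicators matching the reported pattern were found.' }
```

Any hit should be correlated with the host-based network inspection the researchers recommend, since a VM's C2 traffic still has to leave through the host's network stack.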

In addition to these malware components, researchers discovered other payloads, including a PowerShell script designed to inject a Kerberos ticket into the Local Security Authority Subsystem Service (LSASS) and another script targeting account credentials within the organization to facilitate further access.

The research also benefited from the Georgian CERT’s interdiction of one of the group’s C2 servers, which allowed an in-depth analysis of their infrastructure and revealed further sophisticated tactics. For instance, the attackers disabled certificate revocation checking in CurlCat so they could use custom certificates for its encrypted HTTPS traffic.

Overall, the sophistication demonstrated by Curly COMrades underscores a growing trend among threat actors to develop methods that navigate around prevalent security solutions, emphasizing the need for organizations to adopt a multilayered security approach.

For further information, references to Bitdefender’s findings can be found in their report. Additionally, the indicators of compromise related to this campaign have been published on GitHub.
