Russian APT abuses Windows Hyper-V for persistence and malware execution

Cyberespionage groups are always looking for novel ways to establish covert and long-term persistent access to compromised systems. The latest example comes from a Russian APT group known as Curly COMrades, which deploys Linux-based virtual machines on compromised Windows 10 machines to hide their malware tools.

“The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine,” researchers from Bitdefender wrote in a report on Curly COMrades’ activity. “This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat.”

Hyper-V is a bare-metal hypervisor included in Windows 10 and 11 Pro and Enterprise editions, as well as Windows Server. When the feature is enabled, users can create virtual machines with different operating systems that run on the same hardware as the Windows host.

Curly COMrades is a Russia-aligned APT group first documented by Bitdefender in August after it targeted key government and judicial organizations from EU-hopefuls Moldova and Georgia. The name comes from the group’s heavy usage of the curl.exe tool and its hijacking of Component Object Model (COM) objects for persistence.

The group is known for other novel techniques, such as inserting malware into the CLSID and COM handler associated with a Windows scheduled task that is enabled and executed by the system periodically when .NET applications are installed or updated. The obscure scheduled task corresponds to a Microsoft tool called NGEN (Native Image Generator).

The group’s Hyper-V abuse came to light after Bitdefender researchers continued their forensic investigation of the group’s activities and compromises with the help of the Georgian government’s CERT.

“By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections,” the researchers concluded. “EDR needs to be complemented by host-based network inspection to detect C2 traffic escaping the VM, and proactive hardening tools to restrict the initial abuse of native system binaries.”

Enabling Hyper-V covertly

Logs extracted from a compromised system revealed that the attackers first used the Windows Deployment Image Servicing and Management (DISM) command-line tool to enable the Hyper-V hypervisor itself, while also disabling its graphical management interface, Hyper-V Manager.

The group then downloaded a RAR archive masquerading as an MP4 video file and extracted its contents. The archive contained two files, a VHDX (virtual hard disk) and a VMCX (virtual machine configuration), corresponding to a pre-built Alpine Linux VM.

The attackers then used the Import-VM and Start-VM PowerShell cmdlets to import the virtual machine into Hyper-V and start it with the name WSL — a deception tactic given that WSL on Windows stands for Windows Subsystem for Linux, another feature that allows running Linux containers under the Windows kernel. More popular than Hyper-V for virtualization on Windows, WSL is widely used by developers, making its presence less likely to receive scrutiny.
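A defender-side check for the masquerade step above, added here as an example and not taken from the Bitdefender report: it flags files whose extension claims a video but whose leading bytes carry the RAR 4.x or RAR 5.x archive signature. The sample file contents are constructed for the demonstration and are not artifacts from the campaign.

```python
from pathlib import Path

# Published RAR container signatures (first bytes of the file).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
VIDEO_EXTENSIONS = {".mp4", ".mov", ".m4v"}


def sniff(header: bytes) -> str:
    """Return the container type inferred from the first bytes of a file."""
    if header.startswith(RAR5_MAGIC):
        return "rar5"
    if header.startswith(RAR4_MAGIC):
        return "rar4"
    # MP4/MOV (ISO base media): a 4-byte box size, then the 'ftyp' box type at offset 4.
    if len(header) >= 8 and header[4:8] == b"ftyp":
        return "mp4"
    return "unknown"


def is_masquerading(name: str, header: bytes) -> bool:
    """True when the extension claims a video but the content is a RAR archive."""
    ext = Path(name).suffix.lower()
    return ext in VIDEO_EXTENSIONS and sniff(header).startswith("rar")


def scan(files: dict) -> list:
    """Return the names of files whose header contradicts their extension."""
    return [name for name, data in files.items() if is_masquerading(name, data[:16])]


# Constructed sample inputs (not real artifacts from the campaign).
SAMPLES = {
    # genuine MP4 header: box size 0x18 followed by 'ftyp' and the 'isom' brand
    "holiday.mp4": b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00isomiso2",
    # RAR5 archive renamed to .mp4 (signature followed by filler bytes)
    "update.mp4": RAR5_MAGIC + b"\x33\x92\xb5\xe5\x0a\x01\x05\x06\x00\x05",
    # RAR4 archive renamed to .mp4
    "old.mp4": RAR4_MAGIC + b"\xcf\x90\x73\x00\x00\x0d\x00\x00\x00\x00",
    # unrelated file; extension does not claim to be a video
    "disk.vhdx": b"vhdxfile" + b"\x00" * 8,
}

if __name__ == "__main__":
    for suspicious in scan(SAMPLES):
        print(f"extension/content mismatch: {suspicious}")
```

On a real host the same check runs over the first 16 bytes of each file under user-writable directories; the RAR signature alone is not malicious, the contradiction with the extension is what warrants a closer look.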

The Alpine Linux VM is very small and hosts only two custom implants that Bitdefender has dubbed CurlyShell and CurlCat. They are both built using libcurl, an open-source network transfer library that supports a large variety of protocols.

CurlyShell uses libcurl to connect to a command-and-control (C2) server and set up a reverse shell, meaning it listens for commands issued by the server, passes them to the Linux command line, and returns the output. Meanwhile, CurlCat acts as a proxy for tunneling SSH traffic as HTTP requests, making that traffic harder to detect by network monitoring tools.

Other malware tools

The researchers also found additional malware payloads left by the attackers on systems, including a custom PowerShell script used to inject a Kerberos ticket into LSASS to enable authentication and command execution on remote systems.

Another PowerShell script was pushed to multiple systems via domain Group Policy to change the password of an account called user or to create it if it didn’t exist. A variant of this script targeted an account called camera instead.

With the help of the Georgian CERT, which seized one of the group’s C2 servers, the researchers were also able to analyze how the attackers had set up their infrastructure, which proved equally sophisticated. The attackers had disabled certificate revocation checking in CurlCat, which allowed them to deploy custom certificates on their C2 server and still use encrypted HTTPS traffic. A proxy server listening for incoming traffic on port 443 (HTTPS) then decrypted and relayed that traffic to an SSH server with a custom configuration.

“The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation,” the researchers said. “To counter this, organizations must move beyond relying on a single security layer and implement defense-in-depth, multilayered security. It is critical to start designing the entire environment to be hostile to attackers.”

Bitdefender published indicators of compromise related to this attack campaign on GitHub.
