The Russian hacker group Curly COMrades is abusing Microsoft Hyper-V in Windows to bypass endpoint detection and response solutions by creating a hidden Alpine Linux-based virtual machine to run malware.
Inside the virtual environment, the threat actor hosted its custom tools, the CurlyShell reverse shell and the CurlCat reverse proxy, which enabled operational stealth and communication.
Curly COMrades is a cyber-espionage threat group believed to be active since mid-2024. Its activities are closely aligned with Russian geopolitical interests.
[...] The researchers found that in early July, after gaining remote access to two machines, Curly COMrades executed commands to enable Hyper-V and disable its management interface.
Microsoft includes the Hyper-V native hypervisor technology that provides hardware virtualization capabilities in Windows (Pro and Enterprise) and Windows Server operating systems, allowing users to run virtual machines (VMs).
"The attackers enabled the Hyper-V role on selected victim systems to deploy a minimalistic, Alpine Linux-based virtual machine. This hidden environment, with its lightweight footprint (only 120MB disk space and 256MB memory), hosted their custom reverse shell, CurlyShell, and a reverse proxy, CurlCat," Bitdefender explains in a report shared with BleepingComputer.
By keeping the malware and its execution inside a virtual machine (VM), the hackers were able to bypass traditional host-based EDR detections, which lacked the network inspection capabilities needed to spot the threat actor's command and control (C2) traffic leaving the VM.
Although relying on virtualization to evade detection is not a new technique, the fragmented coverage of security tools makes it an effective approach on networks that lack holistic, multi-layered protection.
In the Curly COMrades attacks, evasion was aided by naming the VM 'WSL', alluding to the Windows Subsystem for Linux feature in the operating system, in the hope that it would slip by unobserved.
The Alpine Linux VM was configured in Hyper-V to use the Default Switch network adapter, which passed all the traffic through the host's network stack.
"In effect, all malicious outbound communication appears to originate from the legitimate host machine's IP address," Bitdefender researchers explain.
The two custom implants deployed in the VM are ELF binaries based on libcurl and are used for command execution and traffic tunneling:
[...] The researchers note that the sophistication level of the investigated Curly COMrades attacks reveals activity tailored for stealth and operational security. The hackers encrypted the embedded payloads and abused PowerShell capabilities, which left minimal forensic traces on the compromised hosts.
Based on the observations in these attacks, Bitdefender suggests that organizations should monitor for abnormal Hyper-V activation, LSASS access, or PowerShell scripts deployed via Group Policy that trigger local account password resets or create new local accounts.
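As an added illustration of that monitoring advice (this is not code from Bitdefender's report or from the article), the following triage script run on a suspect Windows host checks for the traits described above: the Hyper-V role being enabled, a guest named after WSL, a tiny memory and disk footprint, and the Default Switch NAT adapter. The name pattern, the size thresholds and the 30-day window are assumptions; the attackers' removal of the Hyper-V management feature is handled by falling back to the VMMS WMI provider.

```powershell
# Added triage example, not code from the Bitdefender report. Run elevated.
# Thresholds (512 MB memory/disk, 30-day age, '^wsl' name pattern) are assumptions.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Hyper-V role enabled on a workstation that should not be a virtualization host.
$role = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -ErrorAction SilentlyContinue
if ($role -and $role.State -eq 'Enabled') {
    $findings.Add("Hyper-V role is enabled on this host")
}

# 2. Enumerate guests. Prefer the Hyper-V module; if the management feature was
#    removed (as in this intrusion), query the VMMS WMI provider instead, which still
#    answers while the vmms service runs, and report guest names only.
$vms = @()
if (Get-Command Get-VM -ErrorAction SilentlyContinue) {
    $vms = @(Get-VM)
} else {
    $findings.Add("Hyper-V PowerShell module missing; using WMI fallback")
    Get-CimInstance -Namespace 'root\virtualization\v2' -ClassName Msvm_ComputerSystem -ErrorAction SilentlyContinue |
        Where-Object Caption -eq 'Virtual Machine' |
        ForEach-Object { $findings.Add("Guest found via WMI: $($_.ElementName)") }
}

# 3. Score each guest against the traits seen in this campaign.
foreach ($vm in $vms) {
    $reasons = @()
    if ($vm.Name -match '^wsl') { $reasons += "name mimics Windows Subsystem for Linux" }
    if ($vm.MemoryStartup -le 512MB) { $reasons += "tiny memory footprint ($($vm.MemoryStartup / 1MB) MB)" }
    $nics = Get-VMNetworkAdapter -VM $vm
    if ($nics.SwitchName -contains 'Default Switch') { $reasons += "NAT via Default Switch (egress uses host IP)" }
    foreach ($disk in Get-VMHardDiskDrive -VM $vm) {
        $vhd = Get-VHD -Path $disk.Path -ErrorAction SilentlyContinue
        if ($vhd -and $vhd.FileSize -le 512MB) {
            $reasons += "small disk image $($disk.Path) ($([int]($vhd.FileSize / 1MB)) MB)"
        }
    }
    if ($vm.State -eq 'Running' -and $vm.CreationTime -gt (Get-Date).AddDays(-30)) {
        $reasons += "running and created recently ($($vm.CreationTime))"
    }
    if ($reasons.Count -gt 0) { $findings.Add("VM '$($vm.Name)': " + ($reasons -join '; ')) }
}

if ($findings.Count -eq 0) { "No Hyper-V indicators found" } else { $findings }
```

A single hit (for example, a lab VM on the Default Switch) is not by itself malicious; the combination of an unexpected role enablement, a WSL-lookalike name and a sub-gigabyte Linux guest is what warrants escalation.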
(Score: 3, Interesting) by VLM on Friday November 14, @12:44PM (1 child)
Geeze everyone is moving to Alpine, not just
(Score: 2) by crm114 on Friday November 14, @01:11PM
<sarcasm>
As it says on the tin: "Small. Simple. Secure."
Wouldn't YOU want those things if you had nefarious intentions?
</sarcasm>