Exploiting Virtualization: The Tactics of Curly COMrades
Bitdefender senior security researcher Victor Vrabie has detailed how the Russia-aligned threat group known as Curly COMrades is using Microsoft's Hyper-V hypervisor to stage attacks on compromised Windows machines. The attackers create a hidden Alpine Linux-based virtual machine (VM) that sits outside the reach of conventional endpoint security tooling, giving them long-term access to targeted networks for espionage and malware deployment.
According to Vrabie, the covert environment is remarkably small: about 120MB of disk space and 256MB of memory. Inside the VM the attackers host a custom reverse shell, dubbed CurlyShell, and a reverse proxy named CurlCat. The findings come from a joint investigation by Bitdefender and Georgia's Computer Emergency Response Team (CERT) into the malware-delivery campaign, and show how the group abuses legitimate virtualization technology to evade endpoint detection and response (EDR) products.
Vrabie explained why the approach works: “By isolating the malware and its execution environment within a VM, the attackers effectively bypassed many traditional host-based EDR detections.” A host-based EDR agent inspects processes, files and memory on the Windows host; it sees the Hyper-V worker process and the virtual disk file, but not the processes running inside the guest, so the group's tooling operates with a level of stealth that poses real challenges to defenders.
Bitdefender has tracked Curly COMrades since 2024 and notes that the group's targeting aligns with Russian geopolitical interests, although a direct link to the Russian government remains unconfirmed. Earlier attacks hit judicial and government institutions in Georgia and an energy distribution company in Moldova. The current campaign, which began in July, started with remote commands executed on two computers to enable the Hyper-V feature while leaving its management interface disabled. Enabling the hypervisor requires administrative rights and normally a reboot, so the attackers already held elevated access on those hosts. Shortly afterwards they downloaded the lightweight Alpine Linux-based VM carrying their custom malware.
The VM was attached to Hyper-V's Default Switch, the built-in NAT switch, so all guest traffic leaves through the host's network stack. Any malicious outbound connection therefore appears to originate from the legitimate host's IP address, which keeps the VM out of network inventories and makes the host's egress look routine. The flip side for defenders is that the traffic is still visible: proxy logs, NetFlow and network sensors see the connections, attributed to the host, even though the process that generated them is not one the host's EDR can inspect.
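The two host-side artefacts described above (the Hyper-V engine enabled without its management tooling, and a VM attached to the NAT Default Switch) can be hunted for directly on a Windows host. The script below is an added example written for this article, not code from Bitdefender or the threat actor. It uses only stock Windows optional-feature names, service and process names, and the Hyper-V PowerShell module; the `$HostIsExpectedHyperVUser` policy flag is an assumption to set per host. Run it from an elevated PowerShell session.

```powershell
# Added hunting example (not from the Bitdefender report): flag a Windows host where the
# Hyper-V hypervisor is enabled but the management tooling is not, and surface any running
# VMs together with the virtual switch they are attached to.
# ASSUMPTION: $HostIsExpectedHyperVUser is a per-host policy value, $true only for machines
# that legitimately run VMs.

$HostIsExpectedHyperVUser = $false

function Get-HyperVFeatureState {
    # Returns feature name -> state ('Enabled', 'Disabled', ... or 'NotFound').
    $names = @(
        'Microsoft-Hyper-V-Hypervisor',
        'Microsoft-Hyper-V-Services',
        'Microsoft-Hyper-V-Management-PowerShell',
        'Microsoft-Hyper-V-Management-Clients'
    )
    $state = @{}
    foreach ($n in $names) {
        $f = Get-WindowsOptionalFeature -Online -FeatureName $n -ErrorAction SilentlyContinue
        $state[$n] = if ($f) { [string]$f.State } else { 'NotFound' }
    }
    return $state
}

function Test-HeadlessHyperV {
    param([hashtable]$State)
    # Engine on, management components off: the pattern described for this intrusion.
    $engineOn = ($State['Microsoft-Hyper-V-Hypervisor'] -eq 'Enabled') -or
                ($State['Microsoft-Hyper-V-Services']   -eq 'Enabled')
    $mgmtOff  = ($State['Microsoft-Hyper-V-Management-PowerShell'] -ne 'Enabled') -and
                ($State['Microsoft-Hyper-V-Management-Clients']    -ne 'Enabled')
    return ($engineOn -and $mgmtOff)
}

function Get-RunningVmEvidence {
    # Evidence that does not need the Hyper-V PowerShell module: the VM management
    # service (vmms) and one vmwp.exe worker process per running VM.
    $svc     = Get-Service -Name vmms -ErrorAction SilentlyContinue
    $workers = @(Get-Process -Name vmwp -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        VmmsStatus  = if ($svc) { [string]$svc.Status } else { 'NotInstalled' }
        WorkerCount = $workers.Count
        WorkerPids  = @($workers | ForEach-Object { $_.Id })
    }
}

function Get-VmSwitchAttachments {
    # Only possible when the Hyper-V module is present; returns nothing otherwise.
    if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) { return @() }
    Get-VM | ForEach-Object {
        $vm = $_
        Get-VMNetworkAdapter -VMName $vm.Name | ForEach-Object {
            [pscustomobject]@{
                VMName     = $vm.Name
                State      = [string]$vm.State
                MemoryMB   = [int]($vm.MemoryAssigned / 1MB)
                SwitchName = $_.SwitchName
                NatViaHost = ($_.SwitchName -eq 'Default Switch')
            }
        }
    }
}

$features = Get-HyperVFeatureState
$features.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

if (-not $HostIsExpectedHyperVUser -and (Test-HeadlessHyperV -State $features)) {
    Write-Warning "Hyper-V engine enabled without management tooling on $env:COMPUTERNAME"
}

$evidence = Get-RunningVmEvidence
if ($evidence.WorkerCount -gt 0) {
    Write-Warning ("{0} vmwp.exe worker process(es) running (PIDs {1}); vmms is {2}" -f
        $evidence.WorkerCount, ($evidence.WorkerPids -join ','), $evidence.VmmsStatus)
}

Get-VmSwitchAttachments | Where-Object { $_.NatViaHost } | ForEach-Object {
    Write-Warning "VM '$($_.VMName)' ($($_.MemoryMB) MB) is on the NAT 'Default Switch'; its egress carries the host IP"
}
```

The feature and service checks work even when the attacker has left the management module uninstalled, which is exactly the case the report describes; the switch-attachment check only fires if the module is present, so treat a warning from the first two checks as sufficient reason to pull the host's virtual disk files for offline analysis. A small VM footprint (a few hundred MB of assigned memory) is itself a useful signal on a workstation that has no business running VMs.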
Two custom implants were found inside the VM: CurlyShell, newly identified, and CurlCat, which Bitdefender documented in its August report. Both are written in C++ and share a codebase built around the libcurl library. CurlyShell provides a reverse shell and maintains root-level persistence in the Alpine guest through a cron job that runs at regular intervals. It communicates with its command-and-control (C2) server over HTTPS, using a Georgian website as the C2 endpoint.
CurlCat has no persistence mechanism of its own; it manages an SSH reverse proxy tunnel, wrapping the outgoing SSH traffic inside what look like ordinary HTTP request payloads so that it blends in with legitimate web traffic.
Further analysis turned up two PowerShell scripts tied to Curly COMrades. One injects a Kerberos ticket into LSASS (a pass-the-ticket technique) so the attackers can authenticate to remote systems and execute commands; the other, deployed via Group Policy, creates a local account on the domain-joined machines that receive the policy, giving the group persistent access that survives the loss of any single foothold.
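Both of the PowerShell-based techniques above leave evidence a defender can query. The script below is an added hunting example written for this article, not Bitdefender's or the actor's code: it lists local accounts created (Security event 4720) and added to local groups (4732) within a lookback window, reports local users not on an allowlist, and applies a simple heuristic for injected Kerberos tickets by comparing the client principal of each cached ticket in the current logon session against the interactive user. The lookback window and the allowlist are assumptions to adjust per environment; run it elevated, and pass `-ComputerName` to sweep other domain members.

```powershell
# Added hunting example (not from the Bitdefender report).
# ASSUMPTIONS: 30-day lookback and the built-in account allowlist below; both are placeholders.

$LookbackDays  = 30
$ExpectedLocal = @('Administrator', 'Guest', 'DefaultAccount', 'WDAGUtilityAccount')

function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    # Flatten the <EventData><Data Name=...> elements of a Security event into a hashtable.
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-LocalAccountChanges {
    param([int]$Days = $LookbackDays, [string]$ComputerName = $env:COMPUTERNAME)
    # 4720 = a user account was created; 4732 = a member was added to a local group.
    $filter = @{ LogName = 'Security'; Id = 4720, 4732; StartTime = (Get-Date).AddDays(-$Days) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        $d = ConvertFrom-EventData -Event $e
        if ($e.Id -eq 4720) {
            [pscustomobject]@{
                Time = $e.TimeCreated; Computer = $e.MachineName; Action = 'AccountCreated'
                Account = $d['TargetUserName']; Detail = ''; By = $d['SubjectUserName']
            }
        } else {
            # 4732 records the member by SID and the group name in TargetUserName.
            $member = $d['MemberSid']
            try {
                $sid    = New-Object System.Security.Principal.SecurityIdentifier($member)
                $member = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {}
            [pscustomobject]@{
                Time = $e.TimeCreated; Computer = $e.MachineName; Action = 'AddedToGroup'
                Account = $member; Detail = $d['TargetUserName']; By = $d['SubjectUserName']
            }
        }
    }
}

function Get-UnexpectedLocalUsers {
    param([string[]]$Allowlist = $ExpectedLocal)
    # Accounts that exist now but are not expected, however they were created. This also
    # catches accounts created by a Group Policy script, where the 4720 event is logged
    # under the machine context rather than an interactive user.
    Get-LocalUser | Where-Object { $Allowlist -notcontains $_.Name } |
        Select-Object Name, Enabled, LastLogon, PasswordLastSet
}

function Get-ForeignKerberosTickets {
    # Heuristic: klist prints one 'Client: name @ REALM' line per cached ticket in the
    # current logon session. A client principal that is not the session user suggests a
    # ticket that was injected rather than obtained by that user's logon.
    $me = $env:USERNAME
    foreach ($line in (& klist.exe 2>$null)) {
        if ($line -match '^\s*Client:\s*(?<client>[^@\s]+)\s*@\s*(?<realm>\S+)') {
            if ($Matches.client -ne $me) {
                [pscustomobject]@{ Client = $Matches.client; Realm = $Matches.realm; SessionUser = $me }
            }
        }
    }
}

"== Local account changes in the last $LookbackDays days =="
Get-LocalAccountChanges | Sort-Object Time | Format-Table -AutoSize

"== Local users not on the allowlist =="
Get-UnexpectedLocalUsers | Format-Table -AutoSize

"== Cached Kerberos tickets not belonging to $env:USERNAME =="
Get-ForeignKerberosTickets | Format-Table -AutoSize
```

Two caveats: event-based checks only work if Security auditing for account management is enabled and the log has not rolled over, which is why the allowlist comparison of present accounts is included as a second, state-based view. The klist heuristic only inspects the logon session the script runs in; a ticket injected into a different session (for example one created with a network-only logon) will not appear, so treat it as a quick triage check rather than a definitive one.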
Vrabie noted, “The sophistication demonstrated by Curly COMrades confirms a key trend: as EDR/XDR solutions become commodity tools, threat actors are getting better at bypassing them through tooling or techniques like VM isolation.” The same shift is visible among financially motivated actors: ransomware gangs increasingly bundle EDR killers into their tooling to disable endpoint security before deploying their payloads.
Bitdefender and other security practitioners recommend a multi-layered, defense-in-depth strategy rather than reliance on endpoint detection alone, which often fails to flag abuse of native system tools and legitimate products. Bitdefender has published a list of Curly COMrades indicators of compromise in its public GitHub repository.