Russian APT abuses Windows Hyper-V for persistence and malware execution

Unveiling the Deceptive Tactics of Cyber Attackers

In a recent incident, the attackers used the Import-VM and Start-VM PowerShell cmdlets to register and start a virtual machine in Hyper-V. The VM was named WSL, a name that evokes the Windows Subsystem for Linux, a feature popular with developers because it runs Linux seamlessly inside Windows. The name is a deliberate choice: a VM called WSL is unlikely to draw a second look from an administrator.
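The following hunt script is an added example, not code from the article or from Bitdefender's report. It looks for the artefacts the paragraph above implies on a Windows host: a Hyper-V VM whose name resembles WSL (a real WSL 2 environment is managed by the Host Compute Service and never appears in `Get-VM`, so a registered Hyper-V VM named WSL is not WSL), PowerShell script-block log entries (Event ID 4104) that invoke Import-VM or Start-VM, and Hyper-V VMMS admin-log entries that mention a VM with that name. It assumes it is run elevated on the host, that the Hyper-V PowerShell module is installed, and that script-block logging is enabled; the suspicious-name list and look-back window are assumptions you can tune.

```powershell
#Requires -RunAsAdministrator
# Added hunt script (not from the article or Bitdefender): flags Hyper-V VMs
# named like "WSL", Import-VM/Start-VM script blocks, and VMMS log entries.

function Find-SuspiciousHyperVVMs {
    param([string[]]$SuspiciousNames = @('WSL'))   # assumed name list; extend as needed

    if (-not (Get-Command Get-VM -ErrorAction SilentlyContinue)) {
        Write-Warning 'Hyper-V PowerShell module not present; no VMs to enumerate.'
        return @()
    }
    # WSL 2's utility VM is never listed by Get-VM, so any match here is worth a look.
    Get-VM | Where-Object {
        $vm = $_
        ($SuspiciousNames | Where-Object { $vm.Name -like "*$_*" }).Count -gt 0
    } | Select-Object Name, State, Path, CreationTime
}

function Find-VMImportScriptBlocks {
    param([int]$Days = 30)   # assumed look-back window

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104                      # script block logging
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[2].Value -match '\b(Import-VM|Start-VM)\b' } |
        ForEach-Object {
            # Properties[2] is the ScriptBlockText field of a 4104 event.
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Snippet = ($_.Properties[2].Value -replace '\s+', ' ').Substring(
                              0, [Math]::Min(160, $_.Properties[2].Value.Length))
            }
        }
}

function Find-VMMSEventsByName {
    param([string]$Pattern = 'WSL', [int]$Days = 30)

    $filter = @{
        LogName   = 'Microsoft-Windows-Hyper-V-VMMS-Admin'
        StartTime = (Get-Date).AddDays(-$Days)
    }
    # VM import, configuration and start events are written here by the VMMS service.
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $Pattern } |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# Run the three checks and print anything found.
$hyperV = Get-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V-All -ErrorAction SilentlyContinue
"Hyper-V feature state: $($hyperV.State)"

'--- Hyper-V VMs with a WSL-like name ---'
Find-SuspiciousHyperVVMs | Format-Table -AutoSize

'--- Script blocks invoking Import-VM / Start-VM ---'
Find-VMImportScriptBlocks | Format-Table -AutoSize

'--- VMMS admin-log entries mentioning WSL ---'
Find-VMMSEventsByName | Format-Table -AutoSize
```

A hit in any of the three lists is a lead, not a verdict: confirm by inspecting the VM's `Path` and its virtual disk, and by correlating the script-block timestamp with the account that ran it (Event ID 4104 records the user in its security context). Hosts where the Hyper-V feature is enabled but no one expects a hypervisor are the first place to run this.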

At the heart of the operation is a minimal Alpine Linux virtual machine hosting two custom implants that Bitdefender names CurlyShell and CurlCat. Both are built on libcurl, the open-source transfer library that supports a wide range of network protocols.

CurlyShell uses libcurl to connect to a command-and-control (C2) server and set up a reverse shell: it listens for commands from the server, passes them to the Linux command line, and returns the output to the server. CurlCat, by contrast, acts as a proxy that tunnels SSH traffic inside HTTP requests, so the traffic blends in with ordinary web requests and is much harder for network monitoring tools to flag.

Winsage